Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


TrojanDropper:Win32\Sirefef.b Rootkit

  • This topic is locked This topic is locked
3 replies to this topic

#1 platypus11


  • Members
  • 6 posts
  • Local time:05:05 AM

Posted 09 February 2012 - 07:46 AM

Tried dealing with this problem in the following thread.

Was advised to post here.

As per rules, DDS log, with Attachment. GMER Log will follow the DDS log.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by lthomas at 23:46:44 on 2012-02-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.2968.1817 [GMT -6:00]
AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\LanSchool\Student.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMART Technologies\SMART Response\ResponseHardwareService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\LanSchool\Student.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\desksware\Desktop iCalendar Lite\Desktop iCalendar Lite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://mcs.gssd.ca/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: lsk_WebBlk Class: {1935e690-1ac1-4aa5-ba23-3d9d0ceb3a00} - c:\windows\system32\Lsk_iBlk.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [CAHeadless] c:\program files\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
uRun: [Desktop iCalendar Lite.exe] "c:\program files\desksware\desktop icalendar lite\Desktop iCalendar Lite.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SMART SNMP Agent] c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe -e
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [ScrewDrivers RDP Plugin] c:\program files\tricerat\simplify printing\screwdrivers client v4\install_rdp.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\lthomas\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSecurityTab = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxp://mail.gssd.ca/dwa85W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{98EBB0EB-D80B-4785-B1D4-2B389C739283} : DhcpNameServer =
TCP: Interfaces\{9E71BE29-117E-48DC-B1C3-C5FB4149DC77} : DhcpNameServer =
TCP: Interfaces\{9E71BE29-117E-48DC-B1C3-C5FB4149DC77}\25F616D696E67635359444 : DhcpNameServer =
TCP: Interfaces\{9E71BE29-117E-48DC-B1C3-C5FB4149DC77}\35563657275635359444 : DhcpNameServer =
TCP: Interfaces\{9E71BE29-117E-48DC-B1C3-C5FB4149DC77}\7416C6C61676865627055524C49434 : DhcpNameServer =
TCP: Interfaces\{9E71BE29-117E-48DC-B1C3-C5FB4149DC77}\74575637471405 : DhcpNameServer =
================= FIREFOX ===================
FF - ProfilePath - c:\users\lthomas\appdata\roaming\mozilla\firefox\profiles\ace2h9rx.default\
FF - prefs.js: browser.startup.homepage - hxxp://gssd.ca/pages/index.asp|http://mcs.gssd.ca/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
============= SERVICES / DRIVERS ===============
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-6-22 13480]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-7-20 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 LanSchoolStudent;LanSchool Student Service;c:\program files\lanschool\Student.exe [2010-4-7 976176]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-7 652360]
R2 Response Hardware;Response Hardware;c:\program files\smart technologies\smart response\ResponseHardwareService.exe [2010-1-5 30504]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-6-22 63928]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-4-6 1590216]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 lsmirror;lsmirror;c:\windows\system32\drivers\lsmirror.sys [2010-4-7 5632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-7 20464]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-5-19 71424]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-5-20 1006624]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\drivers\SMARTMouseFilterx86.sys [2009-12-15 11048]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\drivers\SMARTVHidMini2000x86.sys [2009-12-15 14120]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\drivers\SMARTVTabletPCx86.sys [2009-12-15 13440]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-6-22 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-8 40776]
S3 STI2303X;SMART Board cable;c:\windows\system32\drivers\STI2303X.sys [2009-12-15 13440]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-11 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-31 1343400]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S4 ApRunSvc;Alps Application Launcher Service;c:\program files\apoint2k\aprunsvc.exe --> c:\program files\apoint2k\ApRunSvc.exe [?]
=============== Created Last 30 ================
2012-02-09 05:43:27 56200 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{0b009a19-68c0-49f4-bd45-bfcf00dc92ba}\offreg.dll
2012-02-09 05:36:30 -------- d-----w- C:\$RECYCLE.BIN
2012-02-09 05:34:01 -------- d-----w- c:\users\lthomas\appdata\local\temp
2012-02-09 05:33:56 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-09 05:21:39 164864 ----a-w- c:\windows\system32\drivers\1394ohci.sys
2012-02-09 05:10:18 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 05:10:16 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 05:10:14 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 04:59:09 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-09 03:42:16 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-08 21:43:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-08 06:39:08 41680 ----a-w- c:\windows\system32\drivers\gjdarkdd.sys
2012-02-08 06:23:14 98816 ----a-w- c:\windows\sed.exe
2012-02-08 06:23:14 518144 ----a-w- c:\windows\SWREG.exe
2012-02-08 06:23:14 256000 ----a-w- c:\windows\PEV.exe
2012-02-08 06:23:14 208896 ----a-w- c:\windows\MBR.exe
2012-02-08 05:58:50 739052 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-02-08 05:53:16 -------- d-----w- c:\users\lthomas\appdata\roaming\Malwarebytes
2012-02-08 05:52:54 -------- d--h--w- c:\programdata\Malwarebytes
2012-02-08 05:52:51 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 05:52:51 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-02-08 03:07:48 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-07 16:02:24 6557240 ---ha-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{0b009a19-68c0-49f4-bd45-bfcf00dc92ba}\mpengine.dll
2012-02-03 15:44:44 303104 ---ha-w- c:\windows\system32\eST3snm.dll
2012-01-27 02:09:17 -------- d--h--w- c:\program files\Free PDF to Word Doc Converter
2012-01-24 14:36:30 -------- d-----w- c:\users\lthomas\TOSHIBA
2012-01-12 22:21:07 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 22:21:03 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-12 22:20:56 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-12 22:20:56 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 22:20:44 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-12 22:20:44 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-12 22:20:44 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 22:20:44 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-12 22:20:44 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-12 22:20:44 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 22:20:44 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-12 22:20:44 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 22:20:43 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-12 22:20:43 1038848 ----a-w- c:\windows\system32\lsasrv.dll
==================== Find3M ====================
2012-01-31 12:44:05 237072 ---h--w- c:\windows\system32\MpSigStub.exe
2011-11-25 16:56:43 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 23:47:03.34 ===============


GMER - http://www.gmer.net
Rootkit scan 2012-02-09 06:53:07
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HITACHI_HTS545016B9A300 rev.PBBZC61H
Running: ulmsv0k7.exe; Driver: C:\Users\lthomas\AppData\Local\Temp\kxrdrkod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 8305D369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83096D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\DRIVERS\netbt.sys The system cannot find the path specified. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 BF22D000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 BF22D123 629 Bytes [85, 22, BF, FE, 05, 34, 85, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 BF22D399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F BF22D3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B BF22D4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\lthomas\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[3664] ntdll.dll!LdrLoadDll 7722223E 5 Bytes JMP 00AD1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\00001227 \GLOBAL??\4b584d4e netbt.sys

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB1558$\1264078158 0 bytes
File C:\Windows\$NtUninstallKB1558$\1264078158\L 0 bytes
File C:\Windows\$NtUninstallKB1558$\1264078158\U 0 bytes
File C:\Windows\$NtUninstallKB1558$\895843659 0 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)


#2 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:05 AM

Posted 10 February 2012 - 02:21 AM

looks like we cross posted so go ahead sweettech it is all yours


Edited by gringo_pr, 10 February 2012 - 02:48 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 SweetTech


    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:06:05 AM

Posted 10 February 2012 - 02:24 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.


It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Please let me know how the above scans go.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#4 SweetTech


    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:06:05 AM

Posted 17 February 2012 - 02:53 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users