
Sirefef.AH with automatic reboots after 1 minute (part 2)


  • This topic is locked
63 replies to this topic

#1 kebarzivo
  • Members
  • 30 posts

Posted 10 June 2012 - 08:36 PM

Hi, folks. I'm from Brazil and I had the same problem as kesposito. I was searching for a solution on the web and I found this site and read this topic.

I noticed there was a successful, but complex and long procedure which I couldn't follow, and the instructions were given for that specific case, so I decided to join BleepingComputer and create this topic. I'd like to receive instructions for removing the virus (sirefef.AH).

Just a question: I'm using my desktop computer to write this post; the infected computer is a laptop. Master Surgeon General said that a USB Flash drive would be needed. Mine was connected to the laptop after it was infected. Is it OK if I use that flash drive?

Thank you in advance for help.


#2 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 10 June 2012 - 11:47 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 12 June 2012 - 08:53 PM

Hi, Gringo. First of all, thank you very much for your attention.

I've downloaded all the files you mentioned, but on my desktop computer. This was supposed to be done on the infected computer, right? I tried, but I couldn't, since I just had one minute to open the browser - that is too slow, probably because of the virus - come to this page and download the files to run the scripts. What should I do? Is there any risk if I use my pendrive? As I said, it was connected to my laptop after it got infected. Is it OK?

#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 12 June 2012 - 09:17 PM

greetings


you can run this on the usb to make it safer - http://www.pandasecurity.com/homeusers/downloads/usbvaccine/


gringo

#5 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 12 June 2012 - 10:52 PM

Hi, Gringo.

I would like to ask a question: you said I need to disable any anti-malware program that will block scripts from running before I run DDS. Does that include MSE? If it does, how can I disable it? It runs automatically as soon as Windows starts, right?

#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 12 June 2012 - 11:10 PM

for DDS mse is ok to leave running


gringo

#7 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 14 June 2012 - 09:49 PM

Hi, Gringo. I ran the script, but before it finished, the computer rebooted. I couldn't get the log from DDS. What should I do?

#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 14 June 2012 - 09:55 PM

explain to me what is going on with the computer



gringo

#9 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 14 June 2012 - 10:57 PM

As soon as Windows starts, a message appears saying that Windows encountered a problem and will reboot automatically in one minute. That's due to the virus sirefef.AH. It's pretty similar to what happened to kesposito, as I said in the beginning of the post. You can check his topic by this link.

Note: the message and the rebooting command appeared when I uninstalled and reinstalled MSE on my computer. I did that because I knew it was infected, its protection was disabled and I couldn't reactivate it. When MSE was reinstalled and began to scan, it found sirefef.AH and other viruses (that's how I found out what virus it was), then the message with the rebooting command appeared. And now I can't get rid of it. Searching for a solution, I came to this website and I found that first topic, with kesposito and JSntgRvr.

Note 2: The infection occurred with a fake antivirus program warning, saying it had been infected by several types of viruses. I can't remember quite well how that antivirus program was installed, but I know I did something wrong, because I believed in the fake message. I must have clicked on a button and it told me to register or buy the program, anything like that. That was when I realized I was fooled and got the virus.

Note 3: I uninstalled the (fake) antivirus program afterwards. I just remember how annoying it was by telling me all the time that the computer had been infected. But at that rate I already knew what was going on.

#10 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 14 June 2012 - 11:06 PM

I want you to use system restore to go back to a time before the computer starts to reboot

#11 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 15 June 2012 - 09:03 PM

OK. But how do I do that?

#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 15 June 2012 - 09:17 PM

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select System Restore and choose a date right before this happened.

#13 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 16 June 2012 - 10:08 PM

Strange. I clicked on System Restore and a message came up:

"There was an unexpected error: The parameter is incorrect. (0x80070057)

Please close System Restore and try again."

I closed the window and clicked on System Restore again, but the same message appeared.

Note: Before I came here on BleepingComputer, my father suggested that I change the date in order to "fool the virus". The infection occurred on June 10th. I changed the date to May 1st, I guess, I don't remember very well. But the change was made in the clock, in the normal mode. It didn't work out. Then, as soon as I followed your last instructions with no success, I changed it back to the current date, and the message is still appearing.

Did it appear because I changed the date like that? What should I do?

#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 16 June 2012 - 10:33 PM

Hello

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Gringo

#15 kebarzivo (Topic Starter)
  • Members
  • 30 posts

Posted 17 June 2012 - 10:33 AM

Here is the log (note - my system is 32-bit, so I downloaded the frst.exe file for 32-bit):

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 17-06-2012 01
Ran by SYSTEM at 17-06-2012 12:26:15
Running from F:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2010-04-05] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [175640 2010-04-05] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [169496 2010-04-05] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1537320 2009-06-25] (Synaptics Incorporated)
HKLM\...\Run: [VIAAUD] C:\Program Files\VIA\VIAudioi\VDeck\VIAAUD.exe [502384 2010-05-31] (VIA)
HKLM\...\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r [1685616 2010-05-31] (VIA)
HKLM\...\Run: [BisonHK] C:\Program Files\BisonCam\BisonHK.exe [77824 2009-08-18] (mychat)
HKLM\...\Run: [PlusService] C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe [801792 2011-10-24] (Yuna Software)
HKLM\...\Run: [Browser companion helper] C:\Program Files\BrowserCompanion\BCHelper.exe /T=3 /S=7 [192816 2011-10-27] (Blabbers Communications LTD)
HKLM\...\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe [644104 2010-12-07] (Avid Technology, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\EX-\...\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe [2952128 2009-06-12] (SlySoft, Inc.)
HKU\EX-\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\EX-\...\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h [3209216 2012-02-02] (Ares Development Group)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 201.55.232.76 201.55.232.81
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Hotkey.lnk
ShortcutTarget: Hotkey.lnk -> C:\Program Files\Hotkey\Hotkey.exe ()
Startup: C:\Users\Todos os Usuários\Start Menu\Programs\Startup\Hotkey.lnk
ShortcutTarget: Hotkey.lnk -> C:\Program Files\Hotkey\Hotkey.exe ()

================================ Services (Whitelisted) ==================

2 AppHostSvc; C:\Windows\system32\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 hkmsvc; C:\Windows\System32\kmsvc.dll [71168 2010-11-20] (Microsoft Corporation)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
4 Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2009-07-29] (Nero AG)
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator [128848 2010-11-04] (Microsoft Corporation)
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [128848 2010-11-04] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [128848 2010-11-04] (Microsoft Corporation)
2 PEVSystemStart; "C:\32788R22FWJFW\pev.3XE" EXEC /i CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:15 "C:\32788R22FWJFW\KNetSvcs.vbs" [407 2012-05-20] ()
2 PowerBiosServer; "C:\Program Files\Hotkey\PowerBiosServer.exe" [32256 2010-01-22] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 WAS; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [104512 2009-06-11] (SlySoft, Inc.)
3 Atc002; C:\Windows\System32\DRIVERS\l260x86.sys [29184 2009-07-13] (Atheros Communications, Inc.)
3 AtcL001; C:\Windows\System32\DRIVERS\l160x86.sys [47104 2009-07-13] (Atheros Communications, Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [24232 2009-02-17] (Elaborate Bytes AG)
3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd6.sys [44032 2009-07-13] (VIA Technologies, Inc. )
0 iirsp; C:\Windows\System32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
3 JME; C:\Windows\System32\DRIVERS\JME.sys [92272 2009-12-04] (JMicron Technology Corp.)
3 MAUSBFASTTRACK; C:\Windows\System32\DRIVERS\MAudioFastTrack.sys [158344 2010-12-07] (Avid Technology, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)
3 rtl8192se; C:\Windows\System32\DRIVERS\rtl8192se.sys [982528 2009-11-05] (Realtek Semiconductor Corporation )
3 SrvHsfPCI; C:\Windows\System32\DRIVERS\VSTBS23.SYS [266752 2009-07-13] (Conexant Systems, Inc.)
3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [980992 2009-07-13] (Conexant Systems, Inc.)
3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT3.SYS [661504 2009-07-13] (Conexant Systems, Inc.)
3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1151392 2010-05-28] (VIA Technologies, Inc.)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-17 12:26 - 2012-06-17 12:26 - 00000000 ____D C:\FRST
2012-06-10 10:56 - 2012-06-10 10:57 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-10 10:40 - 2012-06-10 10:41 - 10298240 ____A (Microsoft Corporation) C:\Users\EX-\Downloads\mseinstall.exe
2012-06-10 10:16 - 2012-06-10 10:17 - 04539477 ____R (Swearware) C:\Users\EX-\Downloads\ComboFix.exe
2012-06-10 10:15 - 2012-06-10 10:30 - 00000000 ___SD C:\32788R22FWJFW
2012-06-10 10:10 - 2012-06-10 10:10 - 00000000 ____D C:\Users\EX-\Desktop\Symantec
2012-06-10 05:36 - 2012-06-10 05:36 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-10 05:32 - 2012-06-10 10:06 - 00000000 ____D C:\Users\Todos os Usuários\B7E85886000020B2011EDEA4B4EB238B
2012-06-10 05:32 - 2012-06-10 10:06 - 00000000 ____D C:\Users\All Users\B7E85886000020B2011EDEA4B4EB238B
2012-06-08 10:10 - 2012-06-08 11:14 - 449474311 ____A C:\Users\EX-\Downloads\Strangeland.rar
2012-05-20 08:47 - 2012-05-20 08:47 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Modelos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Meus documentos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Menu Iniciar
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Minhas músicas
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Minhas imagens
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Meus vídeos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Dados de aplicativos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Configurações locais
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\AppData\Local\Histórico
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\AppData\Local\Dados de aplicativos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Ambiente de rede
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Ambiente de impressão
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 ____D C:\users\DefaultAppPool
2012-05-20 08:47 - 2012-03-06 19:30 - 00000000 ____D C:\Users\DefaultAppPool\AppData\Local\Microsoft Help
2012-05-20 08:47 - 2009-07-13 23:48 - 00000000 ____D C:\Users\DefaultAppPool\AppData\Roaming\Media Center Programs

============ 3 Months Modified Files and Folders ===============

2012-06-17 07:05 - 2009-07-13 20:34 - 00016576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-17 07:05 - 2009-07-13 20:34 - 00016576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-17 07:04 - 2010-11-20 06:18 - 00000000 ____D C:\Users\EX-\Tracing
2012-06-17 07:03 - 2010-11-20 06:26 - 00001046 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-17 07:03 - 2010-11-20 05:22 - 2001252352 __ASH C:\pagefile.sys
2012-06-17 07:03 - 2010-11-20 05:22 - 1500938240 __ASH C:\hiberfil.sys
2012-06-17 07:03 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-17 07:03 - 2009-07-13 20:39 - 00072155 ____A C:\Windows\setupact.log
2012-06-12 17:14 - 2012-05-03 19:34 - 00853862 ____A C:\Users\EX-\Desktop\SecurityCheck.exe
2012-06-10 12:20 - 2011-01-24 07:41 - 01899499 ____A C:\Windows\WindowsUpdate.log
2012-06-10 12:08 - 2011-04-28 03:24 - 00002243 ____A C:\Windows\epplauncher.mif
2012-06-10 12:06 - 2011-01-24 08:13 - 00931080 ____A C:\Windows\ntbtlog.txt
2012-06-10 10:57 - 2012-06-10 10:56 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-10 10:57 - 2010-11-20 05:34 - 01699292 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-10 10:57 - 2009-07-29 10:46 - 00728802 ____A C:\Windows\System32\prfh0416.dat
2012-06-10 10:57 - 2009-07-29 10:46 - 00150216 ____A C:\Windows\System32\prfc0416.dat
2012-06-10 10:56 - 2009-07-13 18:37 - 00000000 ___RD C:\Program Files
2012-06-10 10:54 - 2010-11-20 06:26 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-10 10:41 - 2012-06-10 10:40 - 10298240 ____A (Microsoft Corporation) C:\Users\EX-\Downloads\mseinstall.exe
2012-06-10 10:30 - 2012-06-10 10:15 - 00000000 ___SD C:\32788R22FWJFW
2012-06-10 10:17 - 2012-06-10 10:16 - 04539477 ____R (Swearware) C:\Users\EX-\Downloads\ComboFix.exe
2012-06-10 10:10 - 2012-06-10 10:10 - 00000000 ____D C:\Users\EX-\Desktop\Symantec
2012-06-10 10:06 - 2012-06-10 05:32 - 00000000 ____D C:\Users\Todos os Usuários\B7E85886000020B2011EDEA4B4EB238B
2012-06-10 10:06 - 2012-06-10 05:32 - 00000000 ____D C:\Users\All Users\B7E85886000020B2011EDEA4B4EB238B
2012-06-10 05:36 - 2012-06-10 05:36 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-10 05:32 - 2009-07-13 18:37 - 00000000 ___HD C:\ProgramData
2012-06-10 05:17 - 2012-04-12 13:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-10 05:17 - 2011-12-20 11:35 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-08 11:14 - 2012-06-08 10:10 - 449474311 ____A C:\Users\EX-\Downloads\Strangeland.rar
2012-05-30 18:10 - 2012-05-05 14:22 - 00000000 ____D C:\Cakewalk Projects
2012-05-27 18:45 - 2009-07-13 18:37 - 00000000 ___AD C:\Windows
2012-05-21 18:12 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-05-20 08:47 - 2012-05-20 08:47 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Modelos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Meus documentos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Menu Iniciar
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Minhas músicas
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Minhas imagens
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Documents\Meus vídeos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Dados de aplicativos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Configurações locais
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\AppData\Local\Histórico
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\AppData\Local\Dados de aplicativos
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Ambiente de rede
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 __SHD C:\Users\DefaultAppPool\Ambiente de impressão
2012-05-20 08:47 - 2012-05-20 08:47 - 00000000 ____D C:\users\DefaultAppPool
2012-05-20 08:47 - 2009-07-13 18:37 - 00000000 ___RD C:\Users
2012-05-16 17:10 - 2012-05-16 17:10 - 00000000 ____D C:\Users\EX-\Playback wave
2012-05-16 16:59 - 2009-07-13 20:33 - 00410656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-16 16:57 - 2010-11-20 07:00 - 00013216 ____A C:\Windows\PFRO.log
2012-05-16 16:57 - 2009-07-13 23:50 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-13 19:09 - 2010-11-20 06:24 - 00000000 ____D C:\Users\Todos os Usuários\Microsoft Help
2012-05-13 19:09 - 2010-11-20 06:24 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-13 18:31 - 2010-11-20 06:17 - 00000000 ___RD C:\Users\EX-\Desktop\Downloads Ares
2012-05-13 18:16 - 2012-05-13 18:16 - 03992450 ____A C:\Users\EX-\Downloads\Edward Maya e Vika Jigulina - Stereo Love (Original Mix).mp3
2012-05-13 15:39 - 2011-01-24 07:57 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-13 15:34 - 2010-11-20 06:15 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-06 14:33 - 2012-05-06 14:33 - 00000000 ____D C:\Program Files\M-Audio
2012-05-06 14:33 - 2012-05-06 14:33 - 00000000 ____D C:\Program Files\Common Files\Digidesign
2012-05-06 14:33 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-05-05 15:25 - 2012-05-05 15:25 - 00002014 ____A C:\Users\Public\Desktop\Sound Forge 7.0.lnk
2012-05-05 15:25 - 2012-05-05 15:25 - 00000000 ____D C:\Program Files\Sony
2012-05-05 14:44 - 2012-05-05 14:44 - 00000000 ____D C:\Program Files\Steinberg
2012-05-05 14:44 - 2012-05-05 14:44 - 00000000 ____D C:\Program Files\Digidesign
2012-05-05 14:43 - 2012-05-05 14:43 - 00000000 ____D C:\Program Files\Native Instruments
2012-05-05 14:42 - 2012-05-05 14:09 - 00000000 ____D C:\Users\EX-\Desktop\Programas
2012-05-05 14:34 - 2012-05-05 14:34 - 00000000 ____D C:\Users\EX-\AppData\Roaming\Sony
2012-05-05 14:33 - 2012-05-05 14:33 - 00000000 ____D C:\Program Files\Sony Setup
2012-05-05 14:31 - 2012-05-05 14:31 - 00001222 ____A C:\Users\Public\Desktop\Guitar Tracks Pro 3 .LNK
2012-05-05 14:31 - 2012-05-05 14:31 - 00000000 ____D C:\Users\EX-\AppData\Roaming\Cakewalk
2012-05-05 14:30 - 2012-05-05 14:22 - 00000000 ____D C:\Program Files\Cakewalk
2012-05-05 13:00 - 2012-05-05 12:59 - 06910351 ____A C:\Users\EX-\Downloads\The Daily Mail.mp3
2012-05-03 19:44 - 2009-07-13 20:53 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-03 19:43 - 2012-05-03 19:43 - 00001241 ____A C:\Users\EX-\Documents\checkup.txt
2012-05-03 19:42 - 2012-05-03 19:34 - 00000000 ____D C:\Users\EX-\Desktop\Tools
2012-05-03 19:36 - 2012-05-03 19:36 - 00000000 ____A C:\Users\EX-\defogger_reenable
2012-05-03 19:36 - 2010-11-20 05:31 - 00000000 ____D C:\users\EX-
2012-04-29 06:12 - 2010-11-20 06:25 - 00000000 ____D C:\Users\Todos os Usuários\DVD Shrink
2012-04-29 06:12 - 2010-11-20 06:25 - 00000000 ____D C:\Users\All Users\DVD Shrink
2012-04-28 17:27 - 2012-04-28 17:26 - 09043281 ____A C:\Users\EX-\Downloads\280412 Em seu olhar.mp3
2012-04-15 03:30 - 2012-04-15 03:29 - 05827503 ____A C:\Users\EX-\Downloads\140412 metropole.mp3
2012-04-09 18:01 - 2012-04-09 17:48 - 00000000 ____D C:\Users\EX-\Documents\Composições
2012-04-09 18:00 - 2012-04-09 17:59 - 00000000 ____D C:\Users\EX-\Documents\Outros arquivos
2012-04-09 17:46 - 2011-12-17 16:58 - 00000000 ____D C:\Users\EX-\Documents\Angelis
2012-04-05 11:40 - 2012-04-05 11:40 - 00035328 ____A C:\Users\EX-\Downloads\Banco de palavras (1).xls
2012-03-31 16:37 - 2012-03-31 16:35 - 08071108 ____A C:\Users\EX-\Downloads\310302 contra.mp3
2012-03-31 04:01 - 2012-03-31 03:48 - 96744678 ____A C:\Users\EX-\Downloads\1979 - The Wall.rar
2012-03-30 20:39 - 2012-05-13 15:36 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-13 15:36 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 18:36 - 2012-05-13 15:36 - 02343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 02:23 - 2012-05-13 15:36 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-27 13:17 - 2010-11-20 06:17 - 00000000 ____D C:\Program Files\Ares
2012-03-27 13:16 - 2012-03-27 13:16 - 00000913 ____A C:\Users\Public\Desktop\Ares.lnk
2012-03-24 17:14 - 2012-03-24 17:11 - 18904572 ____A C:\Users\EX-\Downloads\Bounces2.rar
2012-03-22 11:12 - 2012-03-22 11:12 - 04435968 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr
2012-03-20 15:44 - 2012-03-20 15:44 - 00171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 15:44 - 2012-03-20 15:44 - 00074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys


ZeroAccess:
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\@
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\L
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\n
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\U

ZeroAccess:
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\@
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\L
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\n
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 1908.54 MB
Available physical RAM: 1491.64 MB
Total Pagefile: 1908.54 MB
Available Pagefile: 1487.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: (S.O.) (Fixed) (Total:297.99 GB) (Free:258.89 GB) NTFS
3 Drive f: (KINGSTON) (Removable) (Total:3.73 GB) (Free:1.87 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (Reservado pelo Sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 297 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y Reservado p NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C S.O. NTFS Partition 297 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F KINGSTON FAT32 Removable 3823 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-29 08:23

======================= End Of Log ==========================

Thank you very much! :thumbsup:
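Two things in the FRST log above are what a helper acts on first: the two "ZeroAccess:" blocks, each a GUID-named directory (one under C:\Windows\Installer, one under the user's AppData\Local) holding the "@", "L", "n" and "U" entries, and the services.exe line in the "Bamital & volsnap Check" section, which was printed with its timestamps, size and MD5 instead of the "=> MD5 is legit" tag. The script below is an added example, not code from the poster or from FRST: it parses that report format, pulls out both findings, and applies the same directory heuristic to a live or mounted tree. The embedded log excerpt is constructed in FRST's layout and reuses only the paths and hash visible in the log above.

```python
from __future__ import annotations

import os
import re

# Constructed excerpt in the layout FRST prints. The paths and the hash are the
# ones visible in the posted log; nothing here was taken from another system.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\@
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\L
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\n
C:\Windows\Installer\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\U

ZeroAccess:
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\@
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\L
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\n
C:\Users\EX-\AppData\Local\{57184627-b689-f9f8-faad-2b2f0af1a3f0}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
"""

ZA_MARKERS = frozenset({"@", "l", "n", "u"})  # compared case-folded: NTFS is case-insensitive
GUID_DIR = re.compile(r"[\\/]\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
WIN_PATH = re.compile(r"[A-Za-z]:\\")


def has_marker_cluster(names) -> bool:
    """True when the '@', 'L', 'n' and 'U' entries are all present."""
    return ZA_MARKERS <= {n.lower() for n in names}


def is_zeroaccess_layout(base: str, entries) -> bool:
    """The pattern FRST reports: a GUID-named directory holding the marker cluster."""
    return bool(GUID_DIR.search(base)) and has_marker_cluster(entries)


def parse_zeroaccess(log: str) -> dict[str, set[str]]:
    """Map every directory listed under a 'ZeroAccess:' heading to the entry
    names FRST listed beneath it (the block ends at the first blank line)."""
    found: dict[str, set[str]] = {}
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == "ZeroAccess:" and i + 1 < len(lines):
            base = lines[i + 1].strip()
            entries = found.setdefault(base, set())
            i += 2
            while i < len(lines) and lines[i].strip():
                path = lines[i].strip()
                if path.startswith(base + "\\"):
                    entries.add(path[len(base) + 1:])
                i += 1
        i += 1
    return found


def parse_hash_check(log: str) -> dict[str, str | None]:
    """Inside the 'Bamital & volsnap Check' section, collect the files FRST did
    not tag '=> MD5 is legit', mapped to the MD5 printed on the following line."""
    unverified: dict[str, str | None] = {}
    in_section, pending = False, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Bamital & volsnap Check" in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith("====="):  # next section header
            break
        if line.endswith("=> MD5 is legit"):
            continue
        if WIN_PATH.match(line):
            pending = line
            unverified[line] = None
        elif line.startswith("[") and pending:
            m = MD5_RE.search(line)
            unverified[pending] = m.group(0).upper() if m else None
            pending = None
    return unverified


def triage(log: str) -> dict:
    """Summarise the two findings a helper would act on first."""
    za = parse_zeroaccess(log)
    return {
        "zeroaccess_dirs": sorted(b for b, e in za.items() if is_zeroaccess_layout(b, e)),
        "unverified_system_files": parse_hash_check(log),
    }


def scan_tree(root: str) -> list[str]:
    """Apply the same directory heuristic to a live tree (or a mounted offline
    image) instead of a log; returns GUID directories holding the cluster."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if GUID_DIR.search(dirpath) and has_marker_cluster(dirnames + filenames):
            hits.append(dirpath)
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running it on the constructed excerpt reports both GUID directories and maps C:\Windows\System32\services.exe to A302BBFF2A7278C0E239EE5D471D86A9. The absence of the "=> MD5 is legit" tag means that hash was not on FRST's whitelist for that file; it is the value the helper compares against a known-good copy of services.exe for this Windows build, not proof of tampering on its own. `scan_tree` takes a path such as a mounted image root, which is how the same check is run from a rescue environment when the infected system cannot stay up for more than a minute.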



