sirefef, help!


  • This topic is locked
5 replies to this topic

#1 Davidc2478

Davidc2478

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 12 June 2012 - 04:28 PM

Hello guys, I found this forum from doing a search about sirefef.y on Google.

We have a laptop here that is infected and keeps rebooting after about a minute or so. I ran the FRST program and I think I see where the problem is (ZeroAccess?). Can someone help me please?
Here is the log.

David
_____________________
Scan result of Farbar Recovery Scan Tool Version: 12-06-2012
Ran by SYSTEM at 12-06-2012 16:59:36
Running from F:\
Windows 7 Enterprise (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-07-28] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-07-28] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-07-28] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-07-21] (IDT, Inc.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [392048 2010-06-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [DameWare MRC Agent] C:\Windows\dwrcs\DWRCST.exe [298944 2011-12-12] (SolarWinds)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112152 2010-07-08] (Intel Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-09-11] (CyberLink Corp.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-09-23] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKU\Law School User\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Law School User\...\Run: [OpAgent] "OpAgent.exe" /agent [x]
HKU\Law School User\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17148552 2012-02-29] (Skype Technologies S.A.)
HKU\Luly\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\mchisholm\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\mchisholm\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-08] (Google Inc.)
HKU\mchisholm\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
HKU\mspring\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\mspring\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-08] (Google Inc.)
HKU\SP-C232SF\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-08] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 172.16.16.239 172.16.16.241
Tcpip\..\Interfaces\{DD154B4D-06D6-488F-ABE5-1CCE941E4E8F}: [NameServer]209.183.35.23 209.183.33.23
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\mchisholm\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [128752 2010-06-29] (SUPERAntiSpyware.com)
2 Credential Vault Host Control Service; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe" [1039776 2010-03-23] (Broadcom Corporation)
2 Credential Vault Host Storage; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe" [31136 2010-03-23] (Broadcom Corporation)
2 dwmrcs; C:\Windows\dwrcs\DWRCS.EXE -service [701376 2011-12-12] (SolarWinds)
3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [651720 2010-12-08] (Macrovision Europe Ltd.)
2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [51740536 2011-06-12] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
3 ose64; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [174440 2010-01-09] (Microsoft Corporation)
2 ptumlcmsvc; C:\Windows\system32\ptumlcmsvc64.exe [134144 2011-05-11] (DEVGURU Co., LTD)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 TIRmtSvc; C:\WINDOWS\TIREMOTE\TIRemoteService.exe [210944 2010-11-11] (Numara Software, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2533400 2010-07-08] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [38440 2009-11-03] (Broadcom Corporation)
3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [5632 2008-03-14] (DameWare Development, LLC)
1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd64.sys [30720 2007-02-15] (DameWare)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [301232 2010-04-05] (Intel Corporation)
3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2009-10-25] (Marvell Semiconductor, Inc.)
0 PBADRV; C:\Windows\System32\Drivers\PBADRV.sys [32240 2008-06-04] (Dell Inc)
3 PTUMLBUS; C:\Windows\System32\Drivers\PTUMLBUS.sys [73744 2011-05-11] (DEVGURU Co., LTD.)
3 PTUMLCVsp; C:\Windows\System32\Drivers\PTUMLCVsp.sys [182672 2011-05-11] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLMdm; C:\Windows\System32\Drivers\PTUMLMdm.sys [182672 2011-05-11] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLNET61; C:\Windows\System32\Drivers\PTUMLNET61.sys [104976 2011-05-11] (DEVGURU Co., LTD.)
3 PTUMLNVsp; C:\Windows\System32\Drivers\PTUMLNVsp.sys [183824 2011-05-11] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLRMNET; C:\Windows\System32\Drivers\PTUMLRMNET.sys [69136 2011-05-11] (DEVGURU Co., LTD.)
3 PTUMLVsp; C:\Windows\System32\Drivers\PTUMLVsp.sys [182672 2011-05-11] (DEVGURU Co., LTD.(www.devguru.co.kr))
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14920 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12360 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [21040 2010-01-18] (ST Microelectronics)
3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [280064 2009-08-12] (Sierra Wireless Inc.)
3 SWUMXA3; C:\Windows\System32\Drivers\SWUMXA3.sys [199552 2009-07-22] (Sierra Wireless Inc.)
3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]
3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-12 16:59 - 2012-06-12 16:59 - 00000000 ____D C:\FRST
2012-06-12 12:15 - 2012-06-12 12:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-12 12:15 - 2012-06-12 12:15 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-12 12:14 - 2012-06-12 12:14 - 12621696 ____A (Microsoft Corporation) C:\Users\SP-C232SF\Downloads\mseinstall.exe
2012-06-12 12:13 - 2012-06-12 12:13 - 00000000 ____D C:\Users\SP-C232SF\AppData\Roaming\Google
2012-06-12 12:13 - 2012-06-12 12:13 - 00000000 ____D C:\Users\SP-C232SF\AppData\Local\Google
2012-06-12 11:18 - 2012-06-12 12:32 - 00000224 ____A C:\Windows\setupact.log
2012-06-12 11:18 - 2012-06-12 11:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-12 11:17 - 2012-06-12 11:17 - 00001068 ____A C:\Windows\PFRO.log
2012-06-12 11:04 - 2012-06-12 11:05 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-12 11:04 - 2012-06-12 11:04 - 00000000 ____D C:\Users\SP-C232SF\AppData\Roaming\Malwarebytes
2012-06-12 11:00 - 2012-06-12 11:00 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Google
2012-06-12 11:00 - 2012-06-12 11:00 - 00000000 ____D C:\Users\mspring\AppData\Local\Google
2012-06-12 10:59 - 2012-06-12 11:00 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Adobe
2012-06-12 10:59 - 2012-06-12 10:59 - 00110944 ____A C:\Users\mspring\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\Documents\Bluetooth Exchange Folder
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Intel Corporation
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Apple Computer
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\PowerDVD DX
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\Broadcom
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\Adobe
2012-06-12 10:58 - 2012-06-12 10:58 - 00000476 _RASH C:\Users\mspring\ntuser.pol
2012-06-12 10:49 - 2012-06-12 10:49 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Malwarebytes
2012-06-12 10:48 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\LocalLow
2012-06-12 10:48 - 2012-06-12 10:58 - 00000000 ____D C:\users\mspring
2012-06-12 10:48 - 2012-06-12 10:48 - 00000020 ___SH C:\Users\mspring\ntuser.ini
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Templates
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Start Menu
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\PrintHood
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\NetHood
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\My Documents
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Videos
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Pictures
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Music
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\AppData\Local\Temporary Internet Files
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\AppData\Local\History
2012-06-12 10:48 - 2011-12-16 10:32 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Macromedia
2012-06-12 10:48 - 2011-09-19 12:36 - 00000000 ____D C:\Users\mspring\AppData\Local\Microsoft Help
2012-06-12 10:48 - 2009-07-13 23:23 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Media Center Programs
2012-06-12 07:35 - 2012-06-12 07:35 - 00000000 ____D C:\Users\All Users\B7E8586B008FB8B45EA7B02EB4EB2331

============ 3 Months Modified Files and Folders =============

2012-06-12 16:59 - 2012-06-12 16:59 - 00000000 ____D C:\FRST
2012-06-12 12:32 - 2012-06-12 11:18 - 00000224 ____A C:\Windows\setupact.log
2012-06-12 12:32 - 2011-07-21 09:44 - 00359568 ____A C:\Windows\System32\ptumlacsvc-0.log
2012-06-12 12:32 - 2011-07-20 07:13 - 00000144 ____A C:\Windows\System32\config\netlogon.ftl
2012-06-12 12:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-12 12:28 - 2010-11-02 07:27 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-12 12:21 - 2009-07-13 20:45 - 00016912 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-12 12:21 - 2009-07-13 20:45 - 00016912 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-12 12:17 - 2010-11-01 14:23 - 01991364 ____A C:\Windows\WindowsUpdate.log
2012-06-12 12:16 - 2011-01-26 06:11 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-12 12:15 - 2012-06-12 12:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-12 12:15 - 2012-06-12 12:15 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-12 12:15 - 2011-01-26 06:11 - 00748034 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-12 12:15 - 2009-07-13 21:13 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-12 12:14 - 2012-06-12 12:14 - 12621696 ____A (Microsoft Corporation) C:\Users\SP-C232SF\Downloads\mseinstall.exe
2012-06-12 12:13 - 2012-06-12 12:13 - 00000000 ____D C:\Users\SP-C232SF\AppData\Roaming\Google
2012-06-12 12:13 - 2012-06-12 12:13 - 00000000 ____D C:\Users\SP-C232SF\AppData\Local\Google
2012-06-12 12:07 - 2010-11-02 07:27 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-12 11:42 - 2012-04-16 05:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-12 11:18 - 2012-06-12 11:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-12 11:17 - 2012-06-12 11:17 - 00001068 ____A C:\Windows\PFRO.log
2012-06-12 11:08 - 2011-07-20 08:08 - 00000000 ____D C:\Users\SP-C232SF\AppData\LocalLow
2012-06-12 11:05 - 2012-06-12 11:04 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-12 11:05 - 2010-11-02 08:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-12 11:04 - 2012-06-12 11:04 - 00000000 ____D C:\Users\SP-C232SF\AppData\Roaming\Malwarebytes
2012-06-12 11:03 - 2011-07-20 08:08 - 00000000 ____D C:\Users\SP-C232SF\AppData\Roaming\Adobe
2012-06-12 11:03 - 2011-07-20 08:08 - 00000000 ____D C:\Users\SP-C232SF\AppData\Local\Adobe
2012-06-12 11:00 - 2012-06-12 11:00 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Google
2012-06-12 11:00 - 2012-06-12 11:00 - 00000000 ____D C:\Users\mspring\AppData\Local\Google
2012-06-12 11:00 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Adobe
2012-06-12 10:59 - 2012-06-12 10:59 - 00110944 ____A C:\Users\mspring\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\Documents\Bluetooth Exchange Folder
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Intel Corporation
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Apple Computer
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\PowerDVD DX
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\Broadcom
2012-06-12 10:59 - 2012-06-12 10:59 - 00000000 ____D C:\Users\mspring\AppData\Local\Adobe
2012-06-12 10:59 - 2012-06-12 10:48 - 00000000 ____D C:\Users\mspring\AppData\LocalLow
2012-06-12 10:58 - 2012-06-12 10:58 - 00000476 _RASH C:\Users\mspring\ntuser.pol
2012-06-12 10:58 - 2012-06-12 10:48 - 00000000 ____D C:\users\mspring
2012-06-12 10:49 - 2012-06-12 10:49 - 00000000 ____D C:\Users\mspring\AppData\Roaming\Malwarebytes
2012-06-12 10:48 - 2012-06-12 10:48 - 00000020 ___SH C:\Users\mspring\ntuser.ini
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Templates
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Start Menu
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\PrintHood
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\NetHood
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\My Documents
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Videos
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Pictures
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\Documents\My Music
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\AppData\Local\Temporary Internet Files
2012-06-12 10:48 - 2012-06-12 10:48 - 00000000 __SHD C:\Users\mspring\AppData\Local\History
2012-06-12 07:35 - 2012-06-12 07:35 - 00000000 ____D C:\Users\All Users\B7E8586B008FB8B45EA7B02EB4EB2331
2012-06-12 07:15 - 2011-07-21 11:04 - 00000000 ____D C:\Users\mchisholm\AppData\Roaming\Skype
2012-06-11 10:17 - 2011-07-20 07:23 - 00000476 _RASH C:\Users\mchisholm\ntuser.pol
2012-06-11 10:17 - 2011-07-20 07:23 - 00000000 ____D C:\users\mchisholm
2012-06-11 07:23 - 2011-05-25 06:43 - 00000422 ___AH C:\Windows\Tasks\Norton Security Scan for Law School User.job
2012-05-10 05:06 - 2009-07-13 20:45 - 00418904 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-09 12:19 - 2010-11-01 11:38 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-09 12:16 - 2010-11-01 13:52 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-09 12:08 - 2010-11-01 14:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-09 12:07 - 2009-07-13 23:24 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-07 06:44 - 2012-04-16 05:42 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-07 06:44 - 2012-04-16 05:00 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-07 06:44 - 2011-05-20 04:54 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-02 11:57 - 2010-11-02 09:43 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-05-02 11:57 - 2010-11-02 09:43 - 00000000 ____D C:\Users\All Users\Skype
2012-04-30 07:11 - 2011-07-20 07:24 - 00003860 _RASH C:\Users\All Users\ntuser.pol
2012-04-27 09:24 - 2012-04-27 09:24 - 00000000 ____D C:\Users\mchisholm\AppData\Roaming\Intel
2012-04-27 09:23 - 2012-04-27 09:22 - 00000000 ____D C:\Windows\dwrcs
2012-04-27 09:22 - 2012-04-27 09:22 - 00001487 ____A C:\Windows\SysWOW64\DWRCSAccess.log
2012-04-27 09:22 - 2012-04-27 09:22 - 00000111 ____A C:\Windows\SysWOW64\DWRCCMDError.ini
2012-04-23 09:08 - 2010-12-08 10:04 - 00000000 ____D C:\Users\All Users\FLEXnet
2012-04-11 12:33 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-04-11 09:14 - 2011-07-20 07:23 - 00000000 ____D C:\Users\mchisholm\AppData\LocalLow
2012-04-04 11:56 - 2010-11-02 08:47 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-04 07:59 - 2012-04-04 07:59 - 00000662 ____A C:\Users\mchisholm\Downloads\10000768_04022012_121556_96457746.PDF
2012-03-30 22:05 - 2012-05-09 04:42 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 20:39 - 2012-05-09 04:42 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-09 04:42 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-30 19:10 - 2012-05-09 04:42 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 03:35 - 2012-05-09 04:42 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-27 11:36 - 2011-08-18 06:31 - 00000000 ____D C:\Users\mchisholm\AppData\Local\ElevatedDiagnostics
2012-03-22 11:57 - 2012-03-09 08:31 - 00000065 ____H C:\TrackitAudit.id
2012-03-22 11:22 - 2012-03-08 06:01 - 00000000 ____D C:\Users\mchisholm\AppData\Local\Google
2012-03-20 16:44 - 2012-03-20 16:44 - 00203888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 16:44 - 2012-03-20 16:44 - 00098688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-16 23:58 - 2012-05-09 04:42 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

ZeroAccess:
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\@
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\L
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\n
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\U

ZeroAccess:
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\@
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\L
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\n
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3893.83 MB
Available physical RAM: 3271.56 MB
Total Pagefile: 3891.98 MB
Available Pagefile: 3258.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (LEGALCORPS100-2) (Fixed) (Total:232.75 GB) (Free:181.71 GB) NTFS
3 Drive f: () (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 64 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 100 MB 40 MB
Partition 3 Primary 232 GB 140 MB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C LEGALCORPS1 NTFS Partition 232 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 62 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 62 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-08 06:12

======================= End Of Log ==========================
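The log above is what a helper reads before writing a fix. As an added example (not part of this thread, and not FRST's own code), here is a small Python parser that pulls the two "ZeroAccess:" blocks out of an FRST log, separates the folder from the "@", "L", "n" and "U" entries FRST listed under it, writes the folders out in the "start ... end" form a fixlist.txt uses, and also returns any entry in the "Bamital & volsnap Check" section that FRST did not mark "MD5 is legit" (in the log above that is services.exe, for which FRST printed the file details and hash instead). The SAMPLE_LOG string is a constructed excerpt that keeps the shape of the posted log, not the full log.

```python
"""Pull the ZeroAccess findings out of an FRST log and emit a fixlist.

Added example for this thread: not part of the original posts and not FRST's
own code. SAMPLE_LOG is a constructed excerpt that keeps the shape of the log
above (section banners, the two 'ZeroAccess:' blocks, the Bamital check).
"""
import re

SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool Version: 12-06-2012

ZeroAccess:
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\@
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\L
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\n
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\U

ZeroAccess:
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\@
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\L
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\n
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}\U

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

==================== EXE ASSOCIATION =====================
"""

SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")   # FRST banner: '=== Title ==='
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
ZA_MARKER = "ZeroAccess:"


def split_sections(log_text):
    """Group lines under FRST's banner titles; pre-banner lines go under ''."""
    sections, current = {"": []}, ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def extract_zeroaccess_entries(log_text):
    """Return [(folder, {child names})] for each 'ZeroAccess:' block.
    FRST prints the folder first, then the '@', 'L', 'n', 'U' entries in it."""
    lines = [l.strip() for l in log_text.splitlines()]
    found, i = [], 0
    while i < len(lines):
        if lines[i] != ZA_MARKER:
            i += 1
            continue
        i += 1
        block = []
        while i < len(lines) and lines[i]:      # block ends at the blank line
            block.append(lines[i])
            i += 1
        if block:
            folder, prefix = block[0], block[0] + "\\"
            children = {p[len(prefix):] for p in block[1:] if p.startswith(prefix)}
            found.append((folder, children))
    return found


def unverified_system_files(log_text):
    """(path, md5) for Bamital-check files FRST did not mark '=> MD5 is legit':
    for those it prints the path on one line and details plus hash on the next
    (services.exe in the log above). Check such a hash against a known-good copy."""
    lines = split_sections(log_text).get("Bamital & volsnap Check", [])
    flagged = []
    for idx, line in enumerate(lines):
        s = line.strip()
        if not s or "=> MD5 is legit" in s or not re.match(r"^[A-Za-z]:\\", s):
            continue
        detail = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        m = MD5_RE.search(detail)
        flagged.append((s, m.group(0) if m else None))
    return flagged


def build_fixlist(folders):
    """fixlist.txt body in the form FRST takes: paths between 'start' and 'end'."""
    return "start\n" + "\n".join(folders) + "\nend\n"


if __name__ == "__main__":
    entries = extract_zeroaccess_entries(SAMPLE_LOG)
    print(build_fixlist([folder for folder, _ in entries]))
    for path, md5 in unverified_system_files(SAMPLE_LOG):
        print(f"verify by hand: {path}  md5={md5}")
```

Run it as a script and the printed fixlist matches the one the helper posts in the next reply; the "verify by hand" line is there because a hash printed in place of "MD5 is legit" is something to compare against a clean copy of the file, not a verdict on its own.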



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:37 PM

Posted 12 June 2012 - 06:11 PM

Hello Davidc2478,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.




Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

start
C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4}
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now, will it stay on, or is it still rebooting after a minute?

Edited by fireman4it, 12 June 2012 - 06:11 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Davidc2478

Davidc2478
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 13 June 2012 - 07:05 AM

Hey! So far so good. It's been longer than a minute and no restart!
Here's the fixlog
---------------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 12-06-2012
Ran by SYSTEM at 2012-06-13 07:50:48 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{dad90380-54f9-14fd-e8ee-e106f9f66dd4} moved successfully.
C:\Users\mchisholm\AppData\Local\{dad90380-54f9-14fd-e8ee-e106f9f66dd4} moved successfully.

==== End of Fixlog ====
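The Fixlog confirms the two folders were moved. A practitioner would then want to check that nothing else of the same shape is left behind. The following is an added example, not part of the thread and not FRST code: it walks the locations where FRST found the infection above (the Windows Installer folder and a user's AppData\Local) and flags any {GUID}-named directory whose contents are exactly the "@", "L", "n" and "U" entries FRST listed, while leaving ordinary Installer GUID folders (which hold .msi/.msp files) alone. It builds a constructed sample tree so it runs offline on any OS; the benign GUID in it is made up, and the "access-denied" case is my own addition rather than something the thread states.

```python
"""Sweep for folders laid out the way FRST reported ZeroAccess above: a
{GUID}-named directory holding the entries '@', 'L', 'n' and 'U'.

Added example for this thread, not the posts' or FRST's code. Plain Python so
it runs anywhere; the sample tree is constructed here for the demonstration,
so its paths are not real findings.
"""
import os
import re
import tempfile

GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_LAYOUT = {"@", "L", "n", "U"}   # the four entries FRST listed in the log


def find_zeroaccess_dirs(roots):
    """Walk each root; return sorted [(path, reason)] for GUID-named directories
    that have the full ZeroAccess layout ('layout') or cannot be listed at all
    ('access-denied': my addition, worth a manual look, not a verdict)."""
    hits = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for name in dirnames:
                if not GUID_DIR_RE.match(name):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    entries = set(os.listdir(full))
                except PermissionError:
                    hits.append((full, "access-denied"))
                    continue
                # Ordinary C:\Windows\Installer\{GUID} folders hold .msi/.msp/.ico
                # files; require all four entries so those are not flagged.
                if ZA_LAYOUT <= entries:
                    hits.append((full, "layout"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed demo tree: the ZeroAccess-shaped folder under Installer and
    under a user's AppData\\Local, plus one benign Installer GUID folder."""
    za_guid = "{dad90380-54f9-14fd-e8ee-e106f9f66dd4}"   # GUID from the posted log
    ok_guid = "{1f3c2a0e-7b8d-4c5e-9a1b-0d2e3f4a5b6c}"   # made up, benign
    installer = os.path.join(base, "Windows", "Installer")
    appdata = os.path.join(base, "Users", "mchisholm", "AppData", "Local")
    for parent in (installer, appdata):
        za = os.path.join(parent, za_guid)
        os.makedirs(os.path.join(za, "L"))   # 'L' and 'U' as subfolders
        os.makedirs(os.path.join(za, "U"))
        for fname in ("@", "n"):             # '@' and 'n' as files
            open(os.path.join(za, fname), "wb").close()
    benign = os.path.join(installer, ok_guid)
    os.makedirs(benign)
    open(os.path.join(benign, "patch.msp"), "wb").close()
    return installer, appdata


def demo():
    """Build the sample tree in a temp dir, sweep it, return hits relative to it."""
    with tempfile.TemporaryDirectory() as base:
        installer, appdata = build_sample_tree(base)
        hits = find_zeroaccess_dirs([installer, appdata])
        return [(os.path.relpath(p, base), why) for p, why in hits]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why}: {path}")
```

On a real machine you would pass the actual roots (for example C:\Windows\Installer and each profile's AppData\Local) from an elevated prompt; anything it reports is a candidate for a fixlist entry like the one above, to be confirmed by listing the folder, not removed on the script's word alone.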

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:37 PM

Posted 13 June 2012 - 07:45 PM

Hello,

Now that we have that fixed we can run some other tools to make sure nothing else is lurking about.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
ComboFix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 fireman4it
Bleepin' Fireman, Malware Response Team
Location: Greenup, Ill USA

Posted 15 June 2012 - 05:48 PM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#6 fireman4it
Bleepin' Fireman, Malware Response Team
Location: Greenup, Ill USA

Posted 18 June 2012 - 02:32 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
