
Sirefef.R and Sirefef.AH


48 replies to this topic

#1 webgreen

  • Members
  • 24 posts

Posted 22 June 2012 - 04:19 PM

Hello,

My computer restarts after detecting 2 issues : Win32/sirefef.R and Win32/sirefef.AH. As the problem is similar to the one explained here (http://www.bleepingcomputer.com/forums/topic457855.html) I have followed every step described by user gringo_pr, but the problem is still there.

I think I got something wrong in the fixlist.txt file. I am posting now the search.txt and the fixlog.txt.

Farbar Recovery Scan Tool Version: 20-06-2012 01
Ran by SYSTEM at 2012-06-22 17:59:36
Running from D:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-06-22 11:42] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by SYSTEM at 2012-06-22 18:05:03 Run:2
Running from D:\

==============================================

Could not find C:\Windows\ERDNT\cache\services.exe.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} not found.
C:\Users\Dale Tynan\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} not found.

==== End of Fixlog ====


Please, any help would be great. Thanks guys.
P.

Edited by webgreen, 22 June 2012 - 05:45 PM.



#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 23 June 2012 - 01:15 AM

Welcome to the forum, webgreen!

It would be helpful if you provided the Operating System installed on your computer, and whether it is 32 bit or 64 bit.

Also, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.

Is the Repair your computer option listed?

If you do not have the option above, do you have a Windows installation CD/DVD for your Operating System available?

Also, do you have a USB flash/thumb drive available, and access to another computer?



Must tell you there are no two cases exactly the same, and following someone else's instructions may turn out negatively, as you experienced. The script written on the other topic was specifically for that user, for use on that particular computer. Running it on your machine may cause damage to the Operating System.

We will start anew, and conduct repairs that only apply to your machine.

Old duck...


#3 webgreen
  • Topic Starter

  • Members
  • 24 posts

Posted 23 June 2012 - 09:39 AM

Thank you very much, Aaflac.
According to your questions, I do have the repair option, since my previous repair had started from there. I also have a USB drive with the "frst" thing, but I do not have another computer until tomorrow, Sunday.

Thanks for this help

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 23 June 2012 - 10:33 AM

Good.

What is your Operating System, Vista or Seven?

Also, is it 32 bit or 64 bit?

If you are not sure, do the following:

On the System Recovery Options menu you get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors
Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type wmic os get osarchitecture and press: Enter

You will get the following:

Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Whoever>wmic os get osarchitecture
OSArchitecture
64-bit

or, 32-bit

Then, post back what it shows.

Will be ready to roll when you provide this info.

Old duck...


#5 webgreen
  • Topic Starter

  • Members
  • 24 posts

Posted 23 June 2012 - 01:53 PM

Hey! :) It is Windows 7 32-bit.

Thanks

#6 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 23 June 2012 - 04:51 PM

Looks like you have what we need, so let's press on when you are ready...

You may want to print these instructions so you can have access to follow them.

Also, you need a USB flash/thumb drive or an SD Card.


Please plug a flash drive into a clean computer.
(Maybe a neighbor or friend can let you use a computer for a few minutes, to format the flash drive, and download the program that follows...)

Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Now, since your Operating System is 32-bit, download Farbar Recovery Scan Tool
Save the program to the >> USB flash drive.

Next, plug the flash drive into the infected computer.

>>>Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter (remember what letter it is), click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window.
  • Type g:\frst.exe, and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool starts and prepares to run. Follow the prompts.
  • Press the SCAN button.
  • When done, the program saves the FRST.txt on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: Restart

Look in the flash drive and please provide the FRST.txt in your reply.

Old duck...


#7 webgreen
  • Topic Starter

  • Members
  • 24 posts

Posted 23 June 2012 - 04:59 PM

Aaflac, I am pretty sure that we have a Win 7 32-bit. However, a few minutes ago I decided to check it. I got the following:
Error
code=0x80040154
description=class not registered
facility=interface

#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 23 June 2012 - 07:24 PM

Were you using the following at the Command prompt in System Recovery Options:
wmic os get osarchitecture

Did it say the following before you got the error:
WMI repository verification failed

If not, did any info precede the error?

When at the Command prompt, were you at X:\Windows\System32, and then you typed in:
wmic os get osarchitecture ?


In any event, press on with the Farbar Recovery Scan Tool.
If you have problems with running it, try to get some specific info.

Old duck...


#9 webgreen
  • Topic Starter

  • Members
  • 24 posts

Posted 24 June 2012 - 10:36 AM

Hi there,
Yes. I did the "wmic os..." in the system32 and the error is the four lines I had copied before:
ERROR
Code=0X80040154
Description=Class not registered
Facility=Interface
In any case, I will get a clean computer and proceed with Farbar. I expect to have news in the next 3 hours.

Thanks again

#10 webgreen
  • Topic Starter

  • Members
  • 24 posts

Posted 24 June 2012 - 05:13 PM

Here we go: (Thanks!!!)


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by SYSTEM at 24-06-2012 18:59:29
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe" [1286144 2007-06-11] (CyberLink)
HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [457216 2007-04-25] (HiTRUST)
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe [57344 2006-11-05] (Acer Inc.)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [752136 2007-06-27] (Dritek System Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM\...\Run: [Reader Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe [906648 2010-07-12] (Sony Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-23] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-09-23] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-09-23] (Intel Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Pablo\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [144384 2010-11-20] (Microsoft Corporation)
HKU\Pablo\...\Run: [Google Update] "C:\Users\Pablo\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-18] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.2
HKLM\...\InprocServer32: [Default-wbem] \\.\globalroot\systemroot\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\n. ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
ShortcutTarget: Empowering Technology Launcher.lnk -> C:\Acer\Empowering Technology\eAPLauncher.exe (Acer Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Pablo\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 ALaunchService; C:\Acer\ALaunch\ALaunchSvc.exe [50688 2007-01-26] ()
3 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe -service [1296728 2010-12-28] (www.BitComet.com)
2 eDataSecurity Service; "C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [457512 2007-04-25] (HiTRSUT)
3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556544 2010-11-20] (Microsoft Corporation)
3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-03-14] (Acer Inc.)
4 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [135168 2007-05-22] (Acer Inc.)
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [53248 2007-02-13] (Acer Inc.)
2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-05-10] ()
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [107008 2006-11-24] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 nlsX86cc; C:\Windows\system32\NLSSRV32.EXE [67904 2010-10-20] (Nalpeiron Ltd.)
3 Sony SCSI Helper Service; "C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe" [73728 2010-04-02] (Sony Corporation)
3 wbengine; "C:\Windows\system32\wbengine.exe" [1203200 2010-11-20] (Microsoft Corporation)
2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-09-14] (acer)

========================== Drivers (Whitelisted) =============

1 17783601; C:\Windows\System32\DRIVERS\17783601.sys [128016 2009-09-25] (Kaspersky Lab)
0 17783602; C:\Windows\System32\DRIVERS\17783602.sys [37392 2009-10-22] (Kaspersky Lab)
1 62767281; C:\Windows\System32\DRIVERS\62767281.sys [128016 2009-09-25] (Kaspersky Lab)
0 62767282; C:\Windows\System32\DRIVERS\62767282.sys [37392 2009-10-22] (Kaspersky Lab)
3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
1 DritekPortIO; \??\C:\Program Files\Launch Manager\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
3 ialm; C:\Windows\System32\DRIVERS\igxpmp32.sys [6278560 2009-01-21] (Intel Corporation)
2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [76584 2006-12-07] ()
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2007-08-08] (NewTech Infosystems, Inc.)
0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [20776 2007-04-25] (HiTRUST)
0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [16680 2007-04-25] (HiTRUST)
0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [60712 2007-04-25] (HiTRUST)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1749376 2007-08-02] ()
3 huawei_cdcacm; C:\Windows\System32\DRIVERS\ew_jucdcacm.sys [x]
3 huawei_enumerator; C:\Windows\System32\DRIVERS\ew_jubusenum.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-22 18:54 - 2012-06-18 18:32 - 00062987 ____A (Satinfo SL.) C:\EliSiref.exe
2012-06-22 17:40 - 2012-06-22 16:31 - 00138120 ____A (ESET) C:\ESET.exe
2012-06-22 17:09 - 2012-06-22 16:45 - 02506080 ____A C:\avg.exe
2012-06-22 16:22 - 2012-06-22 16:22 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-22 15:57 - 2012-06-22 15:57 - 00000000 ____D C:\FRST
2012-06-20 20:18 - 2012-06-20 20:18 - 00677376 ____A C:\Users\Pablo\Downloads\MicrosoftFixit50687.msi
2012-06-20 20:14 - 2012-06-20 20:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-20 20:08 - 2012-06-20 20:10 - 10288512 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall(2).exe
2012-06-20 19:26 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-20 19:26 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-20 19:26 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-20 19:26 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-20 19:26 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-20 19:26 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-20 19:26 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-20 19:25 - 2012-06-02 10:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-20 19:25 - 2012-06-02 10:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-20 14:35 - 2012-06-20 14:35 - 00000000 ____D C:\Program Files\AVG
2012-06-20 14:34 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-20 14:25 - 2012-06-20 20:14 - 00000000 ____D C:\Users\All Users\MFAData
2012-06-20 14:23 - 2012-06-20 14:25 - 03879304 ____A (AVG Technologies) C:\Users\Pablo\Downloads\avg_free_stb_all_2012_2180_cnet.exe
2012-06-20 14:05 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-20 14:05 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-20 14:05 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-20 14:05 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-20 14:05 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-20 14:05 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-20 14:05 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-20 14:05 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-20 14:05 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-20 14:05 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-20 14:05 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-20 14:05 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-20 14:05 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-20 14:05 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-20 13:40 - 2012-06-20 13:40 - 00000000 ____D C:\Users\Pablo\Desktop\Virus Removal Tool1
2012-06-20 13:40 - 2009-10-22 08:54 - 00037392 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\62767282.sys
2012-06-20 13:40 - 2009-10-09 18:31 - 00311312 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\6276728.sys
2012-06-20 13:40 - 2009-09-25 12:59 - 00128016 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\62767281.sys
2012-06-20 13:20 - 2012-02-29 21:46 - 00019824 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-06-20 13:20 - 2012-02-29 21:37 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-06-20 13:20 - 2012-02-29 21:33 - 00159232 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-06-20 13:20 - 2012-02-29 21:29 - 00005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-06-20 13:07 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-20 13:07 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-20 13:07 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-20 13:07 - 2012-01-04 00:59 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-20 13:07 - 2012-01-04 00:58 - 00442880 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-06-20 13:06 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-20 13:06 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-20 13:06 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-20 13:06 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-20 13:06 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-20 13:06 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-20 13:06 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-20 13:06 - 2012-03-30 20:39 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-06-20 13:06 - 2012-03-30 20:39 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-20 13:06 - 2012-03-30 02:23 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-06-20 13:06 - 2012-03-16 23:27 - 00056176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-06-20 13:06 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-06-20 13:06 - 2012-02-16 21:34 - 00826880 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-06-20 13:06 - 2012-02-16 20:13 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-06-20 13:06 - 2011-12-29 21:27 - 00478720 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2012-06-20 13:06 - 2011-12-15 23:52 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2012-06-20 08:23 - 2012-06-20 19:44 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-20 08:21 - 2012-06-20 12:48 - 00000000 ____D C:\Users\Pablo\Desktop\Virus Removal Tool
2012-06-20 08:21 - 2009-10-22 08:54 - 00037392 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\17783602.sys
2012-06-20 08:21 - 2009-10-09 18:31 - 00311312 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\1778360.sys
2012-06-20 08:21 - 2009-09-25 12:59 - 00128016 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\17783601.sys
2012-06-20 07:22 - 2012-06-20 08:20 - 139398576 ____A ( ) C:\Users\Pablo\Downloads\setup_9.0.0.722_20.06.2012_18-14.exe
2012-06-20 07:18 - 2012-06-20 08:40 - 275611648 ____A C:\Users\Pablo\Downloads\kav_rescue_10.iso
2012-06-20 07:01 - 2012-06-20 07:01 - 00000000 ____D C:\Users\All Users\ESET
2012-06-20 06:48 - 2012-06-20 06:58 - 52236800 ____A C:\Users\Pablo\Desktop\eav_nt32_esn.msi
2012-06-20 06:48 - 2012-06-20 06:58 - 00825312 ____A (Iminent) C:\Users\Pablo\Desktop\IminentSetup_2-KFRPtAWP-1_.exe
2012-06-20 06:46 - 2012-06-20 06:47 - 00347224 ____A (Softonic) C:\Users\Pablo\Downloads\SoftonicDownloader_para_eset-nod32-antivirus.exe
2012-06-15 06:28 - 2012-06-15 06:30 - 10300288 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall(1).exe
2012-06-15 06:25 - 2012-06-15 06:27 - 10288512 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall.exe
2012-05-27 14:21 - 2012-05-27 14:21 - 00444340 ____A C:\Users\Pablo\Downloads\supertabla.png

============ 3 Months Modified Files and Folders ===============

2012-06-23 13:45 - 2011-04-25 18:28 - 01760372 ____A C:\Windows\setupact.log
2012-06-23 13:45 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-22 16:45 - 2012-06-22 17:09 - 02506080 ____A C:\avg.exe
2012-06-22 16:31 - 2012-06-22 17:40 - 00138120 ____A (ESET) C:\ESET.exe
2012-06-22 16:22 - 2012-06-22 16:22 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-22 15:57 - 2012-06-22 15:57 - 00000000 ____D C:\FRST
2012-06-22 13:45 - 2012-04-02 20:18 - 00000000 ____D C:\Users\Pablo\AppData\Roaming\Dropbox
2012-06-22 12:01 - 2012-05-24 03:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-22 12:00 - 2009-07-13 20:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-22 11:42 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-21 21:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2012-06-21 17:02 - 2012-04-02 20:21 - 00000000 ___RD C:\Users\Pablo\Dropbox
2012-06-21 16:32 - 2010-06-05 20:54 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2452495401-3267665153-2883801510-1000UA.job
2012-06-20 20:33 - 2011-04-25 18:28 - 00020610 ____A C:\Windows\PFRO.log
2012-06-20 20:27 - 2009-10-28 16:44 - 01693580 ____A C:\Windows\WindowsUpdate.log
2012-06-20 20:21 - 2009-10-28 16:24 - 00015808 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-20 20:21 - 2009-10-28 16:24 - 00015808 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-20 20:18 - 2012-06-20 20:18 - 00677376 ____A C:\Users\Pablo\Downloads\MicrosoftFixit50687.msi
2012-06-20 20:15 - 2011-02-23 17:29 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-20 20:14 - 2012-06-20 20:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-20 20:14 - 2012-06-20 14:25 - 00000000 ____D C:\Users\All Users\MFAData
2012-06-20 20:14 - 2009-10-28 16:52 - 00726806 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-20 20:10 - 2012-06-20 20:08 - 10288512 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall(2).exe
2012-06-20 20:02 - 2009-12-11 15:15 - 00000000 ____D C:\Windows\Minidump
2012-06-20 19:55 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-06-20 19:44 - 2012-06-20 08:23 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-20 16:09 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-06-20 14:35 - 2012-06-20 14:35 - 00000000 ____D C:\Program Files\AVG
2012-06-20 14:25 - 2012-06-20 14:23 - 03879304 ____A (AVG Technologies) C:\Users\Pablo\Downloads\avg_free_stb_all_2012_2180_cnet.exe
2012-06-20 14:12 - 2009-07-13 23:49 - 00000000 ____D C:\Program Files\Windows Journal
2012-06-20 13:40 - 2012-06-20 13:40 - 00000000 ____D C:\Users\Pablo\Desktop\Virus Removal Tool1
2012-06-20 13:28 - 2009-07-13 20:33 - 00446432 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-20 13:27 - 2009-02-04 10:24 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-20 13:20 - 2007-08-08 15:23 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-20 12:48 - 2012-06-20 08:21 - 00000000 ____D C:\Users\Pablo\Desktop\Virus Removal Tool
2012-06-20 12:48 - 2012-02-07 21:44 - 00000000 __SHD C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}
2012-06-20 12:48 - 2009-10-28 16:24 - 00000000 ____D C:\users\Pablo
2012-06-20 08:40 - 2012-06-20 07:18 - 275611648 ____A C:\Users\Pablo\Downloads\kav_rescue_10.iso
2012-06-20 08:20 - 2012-06-20 07:22 - 139398576 ____A ( ) C:\Users\Pablo\Downloads\setup_9.0.0.722_20.06.2012_18-14.exe
2012-06-20 07:01 - 2012-06-20 07:01 - 00000000 ____D C:\Users\All Users\ESET
2012-06-20 07:01 - 2008-10-23 09:34 - 00000000 ____D C:\Program Files\ESET
2012-06-20 06:58 - 2012-06-20 06:48 - 52236800 ____A C:\Users\Pablo\Desktop\eav_nt32_esn.msi
2012-06-20 06:58 - 2012-06-20 06:48 - 00825312 ____A (Iminent) C:\Users\Pablo\Desktop\IminentSetup_2-KFRPtAWP-1_.exe
2012-06-20 06:48 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-06-20 06:47 - 2012-06-20 06:46 - 00347224 ____A (Softonic) C:\Users\Pablo\Downloads\SoftonicDownloader_para_eset-nod32-antivirus.exe
2012-06-19 21:32 - 2010-06-05 20:54 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2452495401-3267665153-2883801510-1000Core.job
2012-06-18 18:32 - 2012-06-22 18:54 - 00062987 ____A (Satinfo SL.) C:\EliSiref.exe
2012-06-17 20:42 - 2012-05-24 03:07 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-17 20:42 - 2011-12-09 12:37 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-16 06:07 - 2009-12-30 14:08 - 00024064 ____A C:\Users\Pablo\Desktop\HPFilter.xla
2012-06-15 06:30 - 2012-06-15 06:28 - 10300288 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall(1).exe
2012-06-15 06:27 - 2012-06-15 06:25 - 10288512 ____A (Microsoft Corporation) C:\Users\Pablo\Downloads\mseinstall.exe
2012-06-03 18:35 - 2009-11-20 14:47 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-02 14:19 - 2012-06-20 19:26 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 19:26 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 19:26 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 19:26 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 19:26 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-20 19:26 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-20 19:26 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 10:19 - 2012-06-20 19:25 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 10:12 - 2012-06-20 19:25 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-28 19:36 - 2011-10-10 11:45 - 00000000 ____D C:\Users\Pablo\Desktop\River
2012-05-27 14:21 - 2012-05-27 14:21 - 00444340 ____A C:\Users\Pablo\Downloads\supertabla.png
2012-05-24 03:10 - 2012-05-24 03:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-05-24 03:06 - 2011-04-08 11:16 - 00000498 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-05-19 11:46 - 2012-05-19 10:31 - 186330550 ____A C:\Users\Pablo\Downloads\George_Harrison_-_Let_It_Roll.rar
2012-05-19 10:12 - 2012-03-08 21:01 - 02725098 ____A C:\Users\Pablo\Downloads\Michel Teló - Ai Se Eu te Pego.mp3
2012-05-17 15:11 - 2012-06-20 14:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-20 14:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-20 14:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-20 14:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-20 14:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-20 14:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-20 14:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-20 14:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-20 14:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-20 14:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-20 14:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-20 14:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-20 14:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-20 14:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 17:05 - 2012-06-20 13:06 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-13 20:02 - 2012-05-13 20:02 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-13 20:02 - 2012-05-13 20:02 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-13 20:02 - 2009-01-31 16:44 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-05-04 01:59 - 2012-06-20 14:34 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-04-30 20:44 - 2012-06-20 13:06 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-20 13:06 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 17:59 - 2007-08-08 15:27 - 00000000 ____D C:\Windows\System32\Macromed
2012-04-27 17:58 - 2012-04-27 17:54 - 00000000 ____D C:\Windows\System32\Adobe
2012-04-27 17:41 - 2012-04-27 17:41 - 00000000 ____D C:\Users\Pablo\AppData\Local\Unity
2012-04-26 04:51 - 2010-05-05 12:56 - 00000000 ____D C:\Users\Pablo\Desktop\Madero
2012-04-25 20:45 - 2012-06-20 13:06 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-20 13:06 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-20 13:06 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-20 13:07 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-20 13:07 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-20 13:07 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-22 20:38 - 2010-04-12 14:53 - 00000000 ____D C:\Users\Pablo\Desktop\Fotos Recientes sin archivar
2012-04-11 20:07 - 2011-05-08 20:36 - 00000000 ____D C:\Users\Pablo\Desktop\Spy
2012-04-09 21:00 - 2010-08-26 08:22 - 00000000 ____D C:\Users\Pablo\Desktop\CV'S
2012-04-08 15:28 - 2012-04-08 13:02 - 00059904 ____A C:\Users\Pablo\Desktop\Short List Teylem - Gerente Comercial.xls
2012-04-08 12:50 - 2012-04-08 12:50 - 00051200 ____A C:\Users\Pablo\Downloads\_Métricas
2012-04-08 12:50 - 2012-04-08 12:50 - 00044544 ____A C:\Users\Pablo\Downloads\Short List Tecotex - Gerente Comercial.xls
2012-04-07 03:26 - 2012-06-20 13:06 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-02 19:20 - 2008-10-23 08:06 - 00000000 ____D C:\Users\Pablo\AppData\Roaming\Skype
2012-04-01 20:24 - 2011-12-14 21:53 - 00000000 ____D C:\Users\Pablo\AppData\Roaming\BitComet
2012-03-31 11:57 - 2012-03-31 11:57 - 00000000 ____D C:\Users\Pablo\AppData\Roaming\WinEdt Team
2012-03-30 20:39 - 2012-06-20 13:06 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-30 20:39 - 2012-06-20 13:06 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 02:23 - 2012-06-20 13:06 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys


ZeroAccess:
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\@
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\L
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\U

ZeroAccess:
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}\@
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}\L
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 2037.39 MB
Available physical RAM: 1770.32 MB
Total Pagefile: 1968.96 MB
Available Pagefile: 1842.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.35 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:32.51 GB) (Free:3.74 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:32.26 GB) (Free:13.08 GB) NTFS
4 Drive f: () (Removable) (Total:3.83 GB) (Free:3.83 GB) FAT32
5 Drive x: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:0.54 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 539 KB
Disk 1 Online 3935 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 33 GB 10 GB
Partition 3 Primary 32 GB 42 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C ACER NTFS Partition 33 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 32 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3935 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3935 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-18 19:34

======================= End Of Log ==========================

#11 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:02:14 PM

Posted 24 June 2012 - 08:30 PM

Can see the culprit...and there is some extra info needed.
Please, bear with me.

Once again, please boot to the System Recovery Options and run FRST, as done previously.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close Notepad.
  • In the command window type x:\frst.exe and press Enter (Replace 'x' with the letter of the flash drive.)

Type the following text in the blank box after Search:

services.exe


Click: Search file(s)

When done searching, FRST makes a log, Search.txt, on the flash drive!!

Please provide the Search.txt in your reply.

Old duck...


#12 webgreen

webgreen
  • Topic Starter

  • Members
  • 24 posts
  • Local time:04:14 PM

Posted 24 June 2012 - 10:35 PM

Here we go:

Farbar Recovery Scan Tool Version: 20-06-2012 01
Ran by SYSTEM at 2012-06-25 00:31:31
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-06-22 11:42] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:02:14 PM

Posted 24 June 2012 - 11:19 PM

Let's press on, and please do the following...

Open Notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below to Notepad.

Start
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}
HKLM\...\InprocServer32: [Default-wbem] \\.\globalroot\systemroot\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\n 
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end
  • In Notepad, go to File > Save as...
  • Save to: the USB flash drive
  • In File name use: fixlist.txt
  • Click: Save
Have FRST.exe and fixlist.txt on the flash drive.

Next, plug the flash drive into the infected computer, and use the same USB port as before.

Now, please enter System Recovery Options like you did previously:
  • >>> Restart the computer, etc. > select: Command Prompt
  • Type g:\frst.exe, and press: Enter
  • Replace the drive letter g with the drive letter of your flash drive, if necessary.
  • In FRST, this time press the Fix button.
  • The program saves a Fixlog.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: Restart
  • Let the computer boot normally.
Please open the flash drive, and provide the Fixlog.txt in your reply.

Old duck...
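As an added example (not FRST's code and not anything posted in this thread), the following Python script parses a Search.txt in the format shown above, compares the MD5 of the live System32 services.exe with the WinSxS reference copy, and emits the Replace: line in the fixlist syntax used in the post above when they differ. The sample log text is constructed from the two hashes quoted in this thread; the function names are this example's own.

```python
import re

# Constructed sample in the Search.txt format that FRST's "Search file(s)" wrote
# in this thread (the two hashes are the ones quoted in post #12).
SAMPLE_SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-06-22 11:42] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Detail line layout: [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    lines = text.splitlines()
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if re.match(r"^[A-Za-z]:\\", path) and m:
            entries.append((path.strip(), m.groupdict()))
    return entries


def check_services_exe(entries):
    """Compare the live System32 services.exe with the WinSxS reference copy.
    Same size, different MD5 and a later modification time is the pattern this
    thread's log shows; confirm against a known-good hash before acting, since a
    differing hash alone can also mean a legitimately updated binary."""
    ref = live = None
    for path, d in entries:
        low = path.lower()
        if "\\winsxs\\" in low and low.endswith("\\services.exe"):
            ref = (path, d)
        elif low.endswith("\\system32\\services.exe"):
            live = (path, d)
    if ref is None or live is None:
        return None  # search output did not contain both copies
    if ref[1]["md5"].upper() == live[1]["md5"].upper():
        return {"suspicious": False, "fixlist_line": None}
    # FRST fixlist syntax used in post #13: "Replace: <good copy> <target>"
    return {"suspicious": True, "fixlist_line": f"Replace: {ref[0]} {live[0]}"}
```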


#14 webgreen

webgreen
  • Topic Starter

  • Members
  • 24 posts
  • Local time:04:14 PM

Posted 24 June 2012 - 11:32 PM

Here is the log. Now, booting the infected computer...

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01
Ran by SYSTEM at 2012-06-25 01:31:06 Run:3
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\RtHDVCpl Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Skytel Value deleted successfully.
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5} moved successfully.
C:\Users\Pablo\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5} moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default value was restored successfully .
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#15 webgreen

webgreen
  • Topic Starter

  • Members
  • 24 posts
  • Local time:04:14 PM

Posted 24 June 2012 - 11:38 PM

Thank you, thank you very much!!! The computer does not restart.

How do we proceed?

MSE is disabled, should I enable it now??? (firewall too, etc.)


Thanks for your time. Extremely efficient.



