Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Sirefef keeps rebooting PC


  • This topic is locked This topic is locked
3 replies to this topic

#1 bernas

bernas

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 30 June 2012 - 08:52 PM

Mod Edit: MOVED to Virus,Trojan and Malware Removal Logs ~~boopme


Hello all,
windows keeps rebooting. After start, the following message appears:

"windows has encountered a critical error and will restart in one minute"

Even in safe mode.

I was able to get the FRST.log capture.


Running from F:\
Windows 7 Enterprise (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-23] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-09-23] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-09-23] (Intel Corporation)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [287800 2009-11-11] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-08-11] (Macrovision Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\NUNO\...\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup [x]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

================================ Services (Whitelisted) ==================

2 Automatic CDROM Monitor; C:\Windows\system32\SupportAppPT\ztemon_cd.exe [86016 2009-08-21] ()
3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556544 2010-11-20] (Microsoft Corporation)
3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [31125880 2011-06-12] (Microsoft Corporation)
3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4640000 2010-01-09] (Microsoft Corporation)
3 wbengine; "C:\Windows\system32\wbengine.exe" [1203200 2010-11-20] (Microsoft Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [15544 2010-02-24] (Hewlett-Packard Company)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
1 SCDEmu; C:\Windows\System32\Drivers\SCDEmu.sys [112096 2011-11-14] (Power Software Ltd)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [77184 2010-11-20] (Microsoft Corporation)
3 terminpt; C:\Windows\system32\drivers\terminpt.sys [25600 2010-11-20] (Microsoft Corporation)
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [112640 2010-11-20] (Microsoft Corporation)
3 ZTEusbmdm6k; C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys [105088 2009-06-30] (ZTE Incorporated)
3 ZTEusbnmea; C:\Windows\System32\DRIVERS\ZTEusbnmea.sys [105088 2009-06-30] (ZTE Incorporated)
3 ZTEusbser6k; C:\Windows\System32\DRIVERS\ZTEusbser6k.sys [105088 2009-06-30] (ZTE Incorporated)
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-30 16:19 - 2012-06-30 16:19 - 00000000 ____D C:\FRST
2012-06-30 16:18 - 2012-06-30 15:44 - 00882424 ____A C:\Users\NUNO\Desktop\FRST.exe
2012-06-29 07:51 - 2012-06-29 07:51 - 00000000 ___SD C:\ComboFix
2012-06-29 07:24 - 2012-06-29 07:24 - 00000620 ____A C:\Users\NUNO\Desktop\ComboFix - Atalho (2).lnk
2012-06-29 07:24 - 2012-06-29 07:20 - 04566027 ____R (Swearware) C:\Users\NUNO\Desktop\ComboFix.exe
2012-06-29 07:22 - 2012-06-29 07:22 - 00000620 ____A C:\Users\NUNO\Desktop\ComboFix - Atalho.lnk
2012-06-29 07:22 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-29 07:22 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-29 07:22 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-29 07:22 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-29 07:22 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-29 07:22 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-29 07:22 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-29 07:22 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-29 07:21 - 2012-06-29 07:22 - 00000000 ____D C:\Qoobox
2012-06-29 07:21 - 2012-06-29 07:21 - 00000000 ____D C:\Windows\erdnt
2012-06-27 15:33 - 2012-06-27 15:33 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-27 14:27 - 2012-06-27 14:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-27 12:14 - 2012-06-27 12:14 - 00140832 ____A C:\Windows\System32\Drivers\str.sys
2012-06-22 05:04 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-22 05:04 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-22 05:04 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-22 05:04 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-22 05:04 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-22 05:04 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-22 05:04 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-22 05:04 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-22 05:04 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 21:16 - 2012-06-21 21:16 - 00000000 ____D C:\Users\NUNO\Documents\ATHENS 2004
2012-06-20 20:14 - 2012-06-20 20:18 - 00444952 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-06-20 20:14 - 2012-06-20 20:18 - 00109080 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-06-20 20:14 - 2012-06-20 20:14 - 00000000 ____D C:\Users\NUNO\AppData\Roaming\TheAsskickers
2012-06-20 20:14 - 2012-06-20 20:14 - 00000000 ____D C:\Program Files\OpenAL
2012-06-20 20:09 - 2012-06-21 04:49 - 00000262 ____A C:\Windows\Tasks\DLL-files.com Fixer_MONTHLY.job
2012-06-19 19:31 - 2012-06-19 19:31 - 00000000 ____D C:\Users\All Users\InstallShield
2012-06-15 20:07 - 2012-06-15 20:07 - 00000000 ____D C:\Windows\System32\appmgmt
2012-06-15 19:37 - 2012-06-15 19:38 - 00000000 ____D C:\Windows\Ubisoft
2012-06-15 19:34 - 2012-06-26 16:57 - 00042864 ____A C:\Windows\Directx.log
2012-06-15 15:45 - 2012-06-15 15:45 - 00000000 ____D C:\Users\NUNO\AppData\Local\Demiurge Studios
2012-06-15 15:39 - 2008-10-14 21:22 - 04379984 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll
2012-06-15 15:39 - 2008-10-14 21:22 - 02036576 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll
2012-06-15 15:39 - 2008-10-14 21:22 - 00452440 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_40.dll
2012-06-14 18:07 - 2012-06-14 18:07 - 00000000 ____D C:\Users\All Users\RELOADED
2012-06-14 18:02 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 18:02 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 18:02 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 18:02 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 18:02 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 18:02 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 18:02 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 18:02 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 18:02 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 18:02 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 18:02 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 18:02 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 18:02 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 18:02 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 15:20 - 2012-06-14 15:22 - 00041350 ____A C:\Windows\System32\DFDumpR1-488857.dmp
2012-06-14 15:20 - 2012-06-14 15:20 - 00000004 ____A C:\Windows\System32\playername.txt
2012-06-14 15:20 - 2012-06-14 15:20 - 00000000 ____D C:\Windows\System32\NUNO_swarm
2012-06-14 12:11 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-14 12:11 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-14 12:11 - 2012-04-27 20:41 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-06-14 12:11 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-14 12:11 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-14 12:11 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-14 12:11 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-14 12:11 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-14 12:11 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-14 12:11 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-14 12:11 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-10 15:55 - 2012-06-12 16:56 - 00000565 ____A C:\Windows\Spidey.ini
2012-06-10 14:33 - 2012-06-10 14:33 - 00000000 ____D C:\Users\NUNO\AppData\Local\Wildtangent
2012-06-10 08:12 - 2012-06-10 08:12 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-06-10 08:12 - 2012-06-10 08:12 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-06-10 08:12 - 2012-06-10 08:12 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2012-06-09 16:42 - 2012-06-09 16:42 - 00004096 ____A C:\Windows\d3dx.dat
2012-06-09 16:42 - 2012-06-09 16:42 - 00000000 ____D C:\Users\NUNO\AppData\Roaming\MinMaxGames
2012-06-09 16:30 - 2012-06-09 16:30 - 00000000 ____D C:\Program Files\Trendy Entertainment
2012-06-07 15:26 - 2012-06-07 15:26 - 00000000 ____D C:\Users\NUNO\AppData\Roaming\Hothead Games
2012-06-06 03:53 - 2012-06-06 07:03 - 00027297 ____A C:\Users\NUNO\FamilyBudget1.xlsx

============ 3 Months Modified Files ========================

2012-06-30 17:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-30 17:01 - 2009-07-13 20:39 - 00039481 ____A C:\Windows\setupact.log
2012-06-30 15:44 - 2012-06-30 16:18 - 00882424 ____A C:\Users\NUNO\Desktop\FRST.exe
2012-06-29 07:54 - 2012-04-17 05:31 - 01906916 ____A C:\Windows\WindowsUpdate.log
2012-06-29 07:29 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-29 07:24 - 2012-06-29 07:24 - 00000620 ____A C:\Users\NUNO\Desktop\ComboFix - Atalho (2).lnk
2012-06-29 07:22 - 2012-06-29 07:22 - 00000620 ____A C:\Users\NUNO\Desktop\ComboFix - Atalho.lnk
2012-06-29 07:21 - 2011-04-11 20:48 - 00684148 ____A C:\Windows\System32\prfh0816.dat
2012-06-29 07:21 - 2011-04-11 20:48 - 00135398 ____A C:\Windows\System32\prfc0816.dat
2012-06-29 07:21 - 2010-11-20 13:01 - 01552582 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-29 07:20 - 2012-06-29 07:24 - 04566027 ____R (Swearware) C:\Users\NUNO\Desktop\ComboFix.exe
2012-06-27 22:26 - 2009-07-13 20:34 - 00022400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-27 22:26 - 2009-07-13 20:34 - 00022400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-27 16:14 - 2012-04-30 18:04 - 00002243 ____A C:\Windows\epplauncher.mif
2012-06-27 15:53 - 2009-07-13 20:34 - 00009216 _____ C:\Windows\System32\umstartup.etl
2012-06-27 15:41 - 2012-04-18 06:01 - 00078848 ____A C:\Windows\KMSEmulator.exe
2012-06-27 15:40 - 2009-07-13 20:53 - 00032506 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-27 15:11 - 2012-04-18 02:57 - 00032373 ____A C:\Windows\AutoKMS.log
2012-06-27 12:14 - 2012-06-27 12:14 - 00140832 ____A C:\Windows\System32\Drivers\str.sys
2012-06-26 16:57 - 2012-06-15 19:34 - 00042864 ____A C:\Windows\Directx.log
2012-06-22 20:09 - 2012-04-30 07:40 - 00000278 ____A C:\Windows\Tasks\DLL-files.com Fixer_UPDATES.job
2012-06-21 04:49 - 2012-06-20 20:09 - 00000262 ____A C:\Windows\Tasks\DLL-files.com Fixer_MONTHLY.job
2012-06-20 20:18 - 2012-06-20 20:14 - 00444952 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-06-20 20:18 - 2012-06-20 20:14 - 00109080 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-06-20 10:51 - 2010-11-20 13:48 - 00015640 ____A C:\Windows\PFRO.log
2012-06-16 16:22 - 2012-05-10 16:08 - 00074072 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
2012-06-15 10:30 - 2012-04-18 02:21 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-15 10:30 - 2012-04-18 02:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-15 10:19 - 2009-07-13 20:33 - 00407168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 18:08 - 2012-04-17 06:08 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-14 15:22 - 2012-06-14 15:20 - 00041350 ____A C:\Windows\System32\DFDumpR1-488857.dmp
2012-06-14 15:20 - 2012-06-14 15:20 - 00000004 ____A C:\Windows\System32\playername.txt
2012-06-12 16:56 - 2012-06-10 15:55 - 00000565 ____A C:\Windows\Spidey.ini
2012-06-09 16:42 - 2012-06-09 16:42 - 00004096 ____A C:\Windows\d3dx.dat
2012-06-06 07:03 - 2012-06-06 03:53 - 00027297 ____A C:\Users\NUNO\FamilyBudget1.xlsx
2012-06-02 14:19 - 2012-06-22 05:04 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 05:04 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 05:04 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 05:04 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 05:04 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 05:04 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 05:04 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-22 05:04 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:12 - 2012-06-22 05:04 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-30 14:13 - 2012-05-30 14:13 - 05973266 ____A C:\Users\NUNO\lately---stevie-wonder.mp3
2012-05-30 14:08 - 2012-05-30 14:08 - 10326240 ____A C:\Users\NUNO\everybodyhurts.mp3
2012-05-22 16:16 - 2012-05-22 16:16 - 00006350 ____A C:\Windows\ZTEInstallInfo.log
2012-05-22 16:16 - 2012-05-22 16:16 - 00001632 ____A C:\Users\Public\Desktop\banda larga tmn .lnk
2012-05-17 15:11 - 2012-06-14 18:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:52 - 2012-05-17 14:52 - 01091072 ____A C:\Users\NUNO\Desktop\Canárias Catederal.ppt
2012-05-17 14:48 - 2012-06-14 18:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-14 18:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-14 18:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-14 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-14 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-14 18:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-14 18:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-14 18:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-14 18:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-14 18:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-14 18:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-14 18:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-14 18:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 21:07 - 2012-04-18 16:01 - 00215552 __ASH C:\Users\NUNO\Thumbs.db
2012-05-14 17:05 - 2012-06-14 12:11 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-10 15:49 - 2012-05-10 15:49 - 00001044 ____A C:\Users\NUNO\Desktop\Attack on Pearl Harbor.lnk
2012-05-08 14:27 - 2012-05-02 14:53 - 00006397 ____A C:\Users\NUNO\Desktop\IRS MIDUCAVA 2012
2012-05-05 07:01 - 2012-05-04 19:30 - 00000014 ____A C:\Windows\compedia.ini
2012-05-04 19:42 - 2012-04-21 19:24 - 00000000 ____A C:\Users\NUNO\AppData\Local\FnF4.txt
2012-04-30 20:44 - 2012-06-14 12:11 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 07:40 - 2012-04-30 07:40 - 01998168 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_43.dll
2012-04-29 10:00 - 2012-04-29 10:00 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-04-29 09:55 - 2012-04-29 09:55 - 00000001 ____A C:\Windows\System32\SI.bin
2012-04-28 06:46 - 2012-04-28 06:45 - 00006932 ____A C:\Users\NUNO\senha Portal das Finanças.jnt
2012-04-27 20:41 - 2012-06-14 12:11 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-04-27 19:17 - 2012-06-14 12:11 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 15:01 - 2012-04-12 14:12 - 00004933 ____A C:\Users\NUNO\IRS PAI MÃE 2012
2012-04-25 20:45 - 2012-06-14 12:11 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-14 12:11 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-14 12:11 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 15:20 - 2012-04-24 15:21 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-24 15:20 - 2012-04-24 15:21 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-24 15:20 - 2012-04-24 15:21 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-24 15:20 - 2012-04-24 15:21 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-23 20:36 - 2012-06-14 12:11 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-14 12:11 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-14 12:11 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-21 13:07 - 2012-04-21 13:03 - 02493503 ____A C:\Users\NUNO\Downloads\Operation.Stealth (1).zip
2012-04-21 13:03 - 2012-04-21 12:59 - 03284167 ____A C:\Users\NUNO\Downloads\flashback.zip
2012-04-21 12:38 - 2012-04-21 12:38 - 00629058 ____A C:\Users\NUNO\Downloads\might-and-magic-2.zip
2012-04-21 12:31 - 2012-04-21 12:31 - 03487343 ____A C:\Users\NUNO\Downloads\agent-mlicnak.zip
2012-04-21 12:22 - 2012-04-21 12:22 - 00000012 ____A C:\Users\NUNO\Downloads\DFend.dat
2012-04-21 10:01 - 2012-04-21 10:01 - 00000000 _RASH C:\MSDOS.SYS
2012-04-21 10:01 - 2012-04-21 10:01 - 00000000 _RASH C:\IO.SYS
2012-04-19 16:28 - 2012-04-19 16:28 - 00002196 ____A C:\Users\Public\Desktop\The Battle for Middle-earth ™.lnk
2012-04-18 18:01 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-04-18 16:33 - 2012-04-18 16:33 - 00002075 ____A C:\Users\Public\Desktop\Angry Birds Seasons.lnk
2012-04-18 16:14 - 2012-04-18 16:14 - 00001332 ____A C:\Users\NUNO\Desktop\scummvm - Atalho.lnk
2012-04-18 02:54 - 2012-04-18 02:54 - 00000184 ____A C:\Windows\AutoKMS.ini
2012-04-18 02:54 - 2012-04-17 05:43 - 00108824 ____A C:\Users\NUNO\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-18 02:22 - 2012-04-18 02:21 - 15297504 ____A C:\Users\NUNO\Downloads\bsplayer261.1065.exe
2012-04-18 02:00 - 2012-04-18 02:00 - 00000020 ____A C:\Windows\hùŒ
2012-04-18 00:44 - 2012-04-18 00:44 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-04-17 06:27 - 2012-04-17 06:27 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-04-17 06:27 - 2012-04-17 06:27 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-04-17 06:27 - 2012-04-17 06:25 - 00004293 ____A C:\Windows\IE9_main.log
2012-04-17 06:27 - 2009-07-13 20:57 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-04-17 06:27 - 2009-07-13 20:52 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-04-17 06:26 - 2012-04-17 06:26 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-04-17 06:26 - 2012-04-17 06:26 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-04-17 06:26 - 2012-04-17 06:26 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-04-17 06:26 - 2012-04-17 06:26 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-04-17 06:26 - 2012-04-17 06:26 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-04-17 06:26 - 2012-04-17 06:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-04-17 06:26 - 2012-04-17 06:26 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-04-17 06:26 - 2012-04-17 06:26 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-04-17 06:26 - 2012-04-17 06:26 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-04-17 06:26 - 2012-04-17 06:26 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-04-17 06:23 - 2012-04-17 06:23 - 00000000 ____A C:\Users\NUNO\AppData\Local\QSwitch.txt
2012-04-17 06:23 - 2012-04-17 06:23 - 00000000 ____A C:\Users\NUNO\AppData\Local\DSwitch.txt
2012-04-17 06:23 - 2012-04-17 06:23 - 00000000 ____A C:\Users\NUNO\AppData\Local\AtStart.txt
2012-04-17 05:56 - 2012-04-17 05:56 - 05343744 ____A () C:\Users\NUNO\Downloads\DFend.exe
2012-04-17 05:37 - 2012-04-17 05:37 - 00000020 ___SH C:\Users\NUNO\ntuser.ini
2012-04-17 05:32 - 2009-07-13 20:46 - 00000854 ____A C:\Windows\System32\license.rtf
2012-04-17 05:31 - 2012-04-17 05:29 - 00001355 ____A C:\Windows\TSSysprep.log
2012-04-17 05:29 - 2009-07-13 20:34 - 00002790 ____A C:\Windows\DtcInstall.log
2012-04-07 03:26 - 2012-06-14 12:11 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

ZeroAccess:
C:\Windows\Installer\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}
C:\Windows\Installer\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\@
C:\Windows\Installer\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\L
C:\Windows\Installer\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\n
C:\Windows\Installer\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\U

ZeroAccess:
C:\Users\NUNO\AppData\Local\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}
C:\Users\NUNO\AppData\Local\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\@
C:\Users\NUNO\AppData\Local\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\L
C:\Users\NUNO\AppData\Local\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\n
C:\Users\NUNO\AppData\Local\{6b3b24be-f0ff-d0c9-0f11-3431fb7dd0eb}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 2039.43 MB
Available physical RAM: 1634.34 MB
Total Pagefile: 2039.43 MB
Available Pagefile: 1632.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.2 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:111.75 GB) (Free:61.02 GB) NTFS
2 Drive e: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
3 Drive f: (BERNARDO) (Removable) (Total:3.73 GB) (Free:0.59 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (Sistema Reservado) (Fixed) (Total:0.04 GB) (Free:0.02 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 111 GB 0 B
Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 45 MB 1024 KB
Partition 2 Primary 111 GB 46 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y Sistema Res NTFS Partition 45 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F BERNARDO FAT32 Removable 3823 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-19 10:02

Edited by boopme, 30 June 2012 - 09:27 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:52 AM

Posted 01 July 2012 - 12:46 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




Ok lets see if we can find a replacement for the infected file

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:52 AM

Posted 03 July 2012 - 11:16 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:52 AM

Posted 06 July 2012 - 11:17 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users