
Infected Sirefef.AH and Sirefef.R, computer keeps restarting


This topic is locked
9 replies to this topic

#1 Trivial Man


Posted 11 July 2012 - 02:28 AM

Title pretty much says it all. Whenever my computer restarts if I don't do anything Microsoft Security Essentials will detect 2 infections, Sirefef.AH and Sirefef.R, and then inform me that I have a minute until the computer shuts down. If I end the process for Microsoft Security Essentials before any detections occur though then I can use my computer like normal. I'm guessing I need to use FRST to replace services.exe like in the other topics exhibiting this behavior, but since I can't interpret the logs I don't know how to fix this myself and admit that I could be way off.

On a possibly unrelated note, I've never been able to get ComboFix to run properly. I was asked to use it in a prior help topic on this site but was unable. Since then I've tried several times on my own to make it run to no avail. It always hangs after it informs me that it may take 10 minutes or more for badly infected systems and that text just hangs there even when I leave it on overnight.

I don't really care if ComboFix ever runs on my computer, but I figured it could be a symptom for something else so I'm listing it. Mostly I'd just like to be able to restart my computer without racing to stop processes before it gets stuck in a cycle.

Thanks in advance for whoever decides to help me.


#2 CatByte

  • Malware Response Team

Posted 11 July 2012 - 02:41 PM

Please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Trivial Man

Trivial Man
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:03 PM

Posted 11 July 2012 - 03:44 PM

First up is FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-07-2012
Ran by SYSTEM at 11-07-2012 14:31:09
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [476512 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [738616 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10082920 2011-06-09] (Realtek Semiconductor)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-06-27] (LogMeIn Inc.)
HKU\Martin\...\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe" /MINIMIZED [6379888 2012-05-17] (BitTorrent, Inc.)
HKU\Martin\...\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent [1242448 2011-08-01] (Valve Corporation)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
Tcpip\Parameters: [DhcpNameServer] 24.116.2.50 24.116.2.34

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-11] (SUPERAntiSpyware.com)
2 cfWiMAXService; "C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe" [185712 2009-08-10] (TOSHIBA CORPORATION)
2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [46448 2009-03-10] (TOSHIBA CORPORATION)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 Hamachi2Svc; "C:\Program Files\LogMeIn Hamachi\hamachi-2.exe" -s [1385896 2012-06-27] (LogMeIn Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
3 StumbleUponUpdateService; "C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe" [120232 2010-04-07] (stumbleupon.com)
3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2010-11-29] (TOSHIBA Corporation)
2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [464224 2009-08-05] (TOSHIBA Corporation)
3 TOSHIBA HDD SSD Alert Service; "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe" [111960 2009-09-17] (TOSHIBA Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [36208 2009-07-02] (COMPAL ELECTRONIC INC.)
3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [32000 2012-01-10] (ManyCam LLC)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)
3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv.sys [22400 2012-02-22] (ManyCam LLC)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [333824 2008-08-22] (Realtek Semiconductor Corporation )
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [104648 2010-04-26] (MCCI Corporation)
3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [14920 2010-04-26] (MCCI Corporation)
3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [132424 2010-04-26] (MCCI Corporation)
3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [110280 2010-04-26] (MCCI Corporation)
3 BlackBox; [x]
3 catchme; \??\C:\Users\Martin\AppData\Local\Temp\catchme.sys [x]
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]
3 WinPhlash; \??\C:\WINDOWS\TEMP\WINPHLASH\PHLASHNT.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-11 09:16 - 2012-07-11 09:16 - 00000000 ____D C:\Users\Martin\Desktop\Policenauts
2012-07-10 21:44 - 2012-07-10 22:06 - 00000000 ____D C:\FRST
2012-07-10 21:38 - 2012-07-10 21:38 - 00000033 ____A C:\Users\Martin\Desktop\sire.txt
2012-07-10 20:29 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-10 20:29 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-10 20:29 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-10 20:29 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-10 20:29 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-10 20:29 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-10 20:29 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-10 20:29 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-10 20:29 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-10 20:29 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-10 20:29 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-10 20:29 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-10 20:29 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-10 20:29 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-10 20:27 - 2012-07-10 20:27 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-10 20:26 - 2012-07-10 20:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-10 20:20 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 18:42 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 18:42 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 18:42 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 18:42 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 18:42 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 18:42 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 18:42 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 18:42 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 18:42 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 18:42 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 15:58 - 2012-07-10 15:58 - 00000873 ____A C:\Users\Public\Desktop\LogMeIn Hamachi.lnk
2012-07-10 15:58 - 2012-07-10 15:58 - 00000000 ____D C:\Program Files\LogMeIn Hamachi
2012-07-10 14:40 - 2012-07-10 15:20 - 00003307 ____A C:\Users\Martin\Desktop\nes want.txt
2012-07-10 13:22 - 2012-07-10 13:22 - 00061790 ____A C:\Users\Martin\Desktop\have nes.txt
2012-07-10 13:22 - 2012-07-10 13:22 - 00021397 ____A C:\Users\Martin\Desktop\miss nes.txt
2012-07-08 17:28 - 2012-07-08 17:28 - 00000000 ____D C:\Users\Martin\AppData\Roaming\ieSpell
2012-07-08 15:15 - 2012-07-08 15:16 - 00000000 ____D C:\Users\Martin\AppData\Local\{EEB6524A-E384-40E2-8DFF-F690A96699EC}
2012-07-07 21:10 - 2012-07-07 21:10 - 00004622 ____A C:\Users\Martin\Desktop\n64 want.txt
2012-07-07 19:10 - 2012-07-07 19:11 - 00000000 ____D C:\Users\Public\Documents\romcenter
2012-07-07 19:10 - 2012-07-07 19:11 - 00000000 ____D C:\Program Files\Romcenter
2012-07-07 19:10 - 2012-07-07 19:10 - 00001002 ____A C:\Users\Martin\Desktop\RomCenter.lnk
2012-07-06 21:32 - 2012-07-06 21:32 - 00000000 ____D C:\Users\Martin\AppData\Local\Macromedia
2012-07-06 21:24 - 2012-07-06 21:24 - 00000000 ____D C:\Users\All Users\Ask
2012-07-06 21:24 - 2012-07-06 21:24 - 00000000 ____D C:\Users\All Users\Application Data\Ask
2012-06-21 12:58 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 12:58 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 12:58 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 12:58 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 12:58 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 12:58 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 12:58 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 12:58 - 2012-06-02 13:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 12:58 - 2012-06-02 13:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 08:16 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-17 19:54 - 2012-06-17 19:54 - 00000000 ____D C:\Users\Martin\AppData\Local\{603BB4F2-C353-4B31-AB24-5C2D83477A60}
2012-06-17 19:50 - 2012-06-17 19:50 - 00000000 ____D C:\Users\Martin\AppData\Local\{F7A160D1-8CB3-4199-95D3-A14AEB8A84F4}
2012-06-13 20:58 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 20:58 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 20:58 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 20:58 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 20:58 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 20:58 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 20:58 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 20:58 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 20:58 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-12 16:39 - 2012-06-12 18:34 - 00000000 ____D C:\Users\Martin\Desktop\other patches
2012-06-12 15:36 - 2012-06-12 15:36 - 00000000 ____D C:\Users\Martin\AppData\Roaming\bsnes

============ 3 Months Modified Files ========================

2012-07-11 12:27 - 2011-10-17 20:47 - 01116821 ____A C:\Windows\WindowsUpdate.log
2012-07-11 12:27 - 2009-08-27 20:12 - 00827812 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-11 12:17 - 2012-04-22 09:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-11 12:10 - 2011-10-18 10:34 - 00006624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-11 12:10 - 2011-10-18 10:34 - 00006624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-11 12:01 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-10 21:38 - 2012-07-10 21:38 - 00000033 ____A C:\Users\Martin\Desktop\sire.txt
2012-07-10 21:09 - 2009-07-13 20:33 - 03976952 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 21:08 - 2011-10-04 08:03 - 00202272 ____A C:\Users\Martin\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-10 20:47 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-10 20:27 - 2012-07-10 20:27 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-10 20:21 - 2011-01-06 12:44 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-10 15:58 - 2012-07-10 15:58 - 00000873 ____A C:\Users\Public\Desktop\LogMeIn Hamachi.lnk
2012-07-10 15:20 - 2012-07-10 14:40 - 00003307 ____A C:\Users\Martin\Desktop\nes want.txt
2012-07-10 13:22 - 2012-07-10 13:22 - 00061790 ____A C:\Users\Martin\Desktop\have nes.txt
2012-07-10 13:22 - 2012-07-10 13:22 - 00021397 ____A C:\Users\Martin\Desktop\miss nes.txt
2012-07-07 21:10 - 2012-07-07 21:10 - 00004622 ____A C:\Users\Martin\Desktop\n64 want.txt
2012-07-07 19:10 - 2012-07-07 19:10 - 00001002 ____A C:\Users\Martin\Desktop\RomCenter.lnk
2012-07-07 18:25 - 2011-12-05 21:56 - 00000946 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-24 08:31 - 2011-04-17 00:34 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-06-24 08:31 - 2011-04-17 00:34 - 00000258 _RASH C:\Users\All Users\Application Data\ntuser.pol
2012-06-22 20:17 - 2012-04-22 09:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-22 20:17 - 2011-05-14 14:58 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-11 18:40 - 2012-07-10 20:20 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-10 18:42 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-07 09:14 - 2012-06-07 09:09 - 00000110 ____A C:\Users\Martin\Desktop\fun info.txt
2012-06-05 21:05 - 2012-07-10 18:42 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 18:42 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 18:42 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-04 12:53 - 2012-05-31 21:30 - 00010885 ____A C:\Users\Martin\Desktop\gameboy want.txt
2012-06-02 14:19 - 2012-06-21 12:58 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 12:58 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 12:58 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 12:58 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 12:58 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 12:58 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 12:58 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 13:19 - 2012-06-21 12:58 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:12 - 2012-06-21 12:58 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 20:29 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 20:29 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 20:29 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 20:29 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 20:29 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 20:29 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 20:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 20:29 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 20:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 20:29 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 20:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 20:29 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 20:29 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 20:29 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-10 18:42 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 18:42 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 18:42 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 18:42 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 18:42 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 07:34 - 2012-05-31 07:34 - 00000946 ____A C:\Users\Martin\Desktop\Audacity.lnk
2012-05-27 17:37 - 2012-05-27 17:37 - 00000682 ____A C:\Users\Mcx1-PORTABLE-TRIVIA\Desktop\Project64 1.7.0.49.lnk
2012-05-27 13:20 - 2012-05-11 08:01 - 00000333 ____A C:\Users\Martin\Desktop\digimon.txt
2012-05-27 12:40 - 2012-05-12 10:48 - 00048993 ____A C:\Users\Martin\Desktop\digivolve guide.txt
2012-05-24 11:24 - 2012-05-24 11:23 - 00000185 ____A C:\Windows\UPCHECK.TXT
2012-05-24 11:23 - 2012-05-24 11:23 - 00000003 ____A C:\Windows\System32\PKBX.PWD
2012-05-10 14:50 - 2012-05-10 14:50 - 00000904 ____A C:\Users\Public\Desktop\IMG to ISO.lnk
2012-05-04 01:59 - 2012-06-21 08:16 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-04-30 20:44 - 2012-06-13 20:58 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 20:58 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 10:45 - 2012-04-27 10:45 - 00060416 ____A C:\Windows\System32\rbap350.dll
2012-04-26 12:52 - 2012-04-26 12:46 - 00000028 ____A C:\Windows\encore_launcher.ini
2012-04-25 20:45 - 2012-06-13 20:58 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-13 20:58 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-13 20:58 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-13 20:58 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-13 20:58 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 20:58 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 08:37 - 2012-01-02 18:04 - 00001048 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-22 09:13 - 2012-04-16 23:12 - 00000573 ____A C:\Users\Martin\Desktop\tactics.txt


ZeroAccess:
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\@
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\L
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3838.42 MB
Available physical RAM: 3388.5 MB
Total Pagefile: 3836.7 MB
Available Pagefile: 3388.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1980.47 MB

======================= Partitions =========================

1 Drive c: (Laptop Hard Drive) (Fixed) (Total:223.33 GB) (Free:14.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.28 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (SHELLY) (Removable) (Total:0.03 GB) (Free:0 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 30 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 223 GB 1501 MB
Partition 3 Primary 8 GB 224 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Laptop Hard NTFS Partition 223 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 30 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F SHELLY FAT Removable 30 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-08 06:38

======================= End Of Log ==========================

Next is search.txt

Farbar Recovery Scan Tool Version: 10-07-2012
Ran by SYSTEM at 2012-07-11 14:33:25
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-10 20:47] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
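The two logs above put the evidence side by side: the WinSxS component-store copy of services.exe and the live System32 copy have the same size and creation time, but the live copy has a different MD5 and a modification time from the day the problem started, which is why FRST's Bamital check flags it. The following Python script is an added illustration, not part of the thread and not FRST's own code. It parses the search.txt block and the "ZeroAccess:" block exactly as posted above (the paths and hashes are the poster's, copied into constructed sample strings) and makes the same comparison automatically. The function names and verdict strings are this example's own.

```python
"""Compare the live services.exe against its WinSxS copy from FRST output.

Added example, not FRST's code: parses an FRST search.txt "Search:" block and
the "ZeroAccess:" block of FRST.txt, then applies the hash comparison the
helper made by eye. Sample text is copied from the thread; names are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the search.txt lines posted in the thread, hashes as reported.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-10 20:47] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Constructed sample: the ZeroAccess block from the posted FRST.txt.
SAMPLE_FRST = r"""
ZeroAccess:
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\@
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\L
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}\U

========================= Known DLLs (Whitelisted) ============
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# "[created] - [modified] - size attrs (company) MD5", as FRST prints it
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: Optional[str]
    md5: str


def parse_search(log: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    pending: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if pending is None:
            if PATH_RE.match(line):
                pending = line
            continue
        m = DETAIL_RE.match(line)
        if m:
            entries.append(FileEntry(pending, m["created"], m["modified"],
                                     int(m["size"]), m["company"], m["md5"].upper()))
        pending = None
    return entries


def assess_services_exe(entries: List[FileEntry]) -> Dict[str, object]:
    """Verdict on the live System32 copy versus the component-store copies."""
    live = [e for e in entries if e.path.lower() == r"c:\windows\system32\services.exe"]
    store = [e for e in entries if "\\winsxs\\" in e.path.lower()]
    if not live or not store:
        return {"verdict": "INCONCLUSIVE", "reasons": ["need both a System32 and a WinSxS entry"]}
    cur = live[0]
    if any(cur.md5 == s.md5 for s in store):
        return {"verdict": "CLEAN", "reasons": ["live MD5 matches a component-store copy"]}
    reasons = ["live MD5 %s matches no component-store copy" % cur.md5]
    ref = store[0]
    if cur.size == ref.size:
        # Same size, different hash: the binary was patched in place, not swapped.
        reasons.append("size unchanged at %d bytes, so the file was patched in place" % cur.size)
    if cur.modified > ref.modified:  # ISO-style timestamps compare correctly as strings
        reasons.append("modified %s, long after the store copy's %s" % (cur.modified, ref.modified))
    return {"verdict": "REPLACED", "reasons": reasons, "restore_from": ref.path}


def zeroaccess_paths(frst_log: str) -> List[str]:
    """Return the paths FRST listed under its 'ZeroAccess:' heading."""
    found: List[str] = []
    collecting = False
    for raw in frst_log.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            collecting = True
        elif collecting:
            if not line:
                break
            found.append(line)
    return found


if __name__ == "__main__":
    result = assess_services_exe(parse_search(SAMPLE_SEARCH))
    print(result["verdict"], *result["reasons"], sep="\n - ")
    print("ZeroAccess artifacts:", *zeroaccess_paths(SAMPLE_FRST), sep="\n  ")
```

The same parser works on any FRST search.txt that lists both the WinSxS copy and the live file; the `restore_from` path it returns is the clean source the helper's fixlist later names in its Replace: line.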

#4 CatByte

  • Malware Response Team

Posted 11 July 2012 - 06:16 PM

Hi,

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5}
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#5 Trivial Man


Posted 11 July 2012 - 08:58 PM

Well, ComboFix remained consistent by not working past the part where it says it may take 10 or more minutes, but the constant 1 minute until restarting warnings have disappeared even when security essentials is running. So my primary problem is solved even if I am still a bit annoyed with ComboFix.

Anyways, here's the log from FRST in case you need it. ComboFix naturally never generated a log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 10-07-2012
Ran by SYSTEM at 2012-07-11 18:36:22 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Users\Martin\AppData\Local\{f6bf00ee-09b6-0f2f-323f-7cb5e02ff1d5} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#6 CatByte

  • Malware Response Team

Posted 11 July 2012 - 09:04 PM

Hi

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy from the link below but rename it to svchost before saving it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Now boot into safe mode and run it with the following command:

Press the WinKey + R to open a run box:

Copy/paste the following text into the open run box > Click OK

ComboFix /nombr



#7 Trivial Man


Posted 11 July 2012 - 10:07 PM

Just to clarify before I do this, do you want me to just delete ComboFix.exe or do you want me to uninstall as per the ComboFix guide?

#8 CatByte

  • Malware Response Team

Posted 11 July 2012 - 10:09 PM

Hi

just right click and delete it

thanks



#9 CatByte

  • Malware Response Team

Posted 17 July 2012 - 05:51 PM

do you still need help with your machine?



#10 CatByte

  • Malware Response Team

Posted 23 July 2012 - 06:17 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
