Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP Sirefef reboot


  • This topic is locked This topic is locked
2 replies to this topic

#1 tobias69

tobias69

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 23 July 2012 - 02:19 AM

Help, my computer automatiquely reboot after 1 minute.
MSSE say sirefef infection

here the FRST.TXT file.

Thanks

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by W7 at 23-07-2012 09:11:53
Running from C:\
Service Pack 1 (X86) OS Language: French Standard
Attention: Could not load system hive.Erreur : Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-23 09:35 - 2012-07-23 09:11 - 00000000 ____D C:\FRST
2012-07-23 09:12 - 2012-07-23 09:12 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\yyhuknpj.sys
2012-07-23 09:08 - 2012-07-23 09:08 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\guwslplh.sys
2012-07-23 08:24 - 2012-07-23 08:24 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2012-07-23 08:19 - 2012-07-23 08:36 - 00000000 ____D C:\Windows\erdnt
2012-07-22 23:32 - 2012-07-22 23:32 - 00892164 ____A (Farbar) C:\FRST.exe
2012-07-22 23:05 - 2012-07-23 08:36 - 00000000 ___SD C:\32788R22FWJFW
2012-07-22 23:03 - 2012-07-23 08:36 - 00000000 ____D C:\Qoobox
2012-07-22 23:02 - 2012-07-22 23:02 - 04582474 ____R (Swearware) C:\Users\W7\Desktop\z.exe
2012-07-22 21:22 - 2012-07-23 08:58 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-07-22 10:48 - 2012-07-22 10:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-21 11:39 - 2012-07-21 11:39 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-21 11:32 - 2012-07-21 11:32 - 00000012 ____A C:\Windows\srun.log
2012-07-15 10:14 - 2012-06-02 10:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-15 10:14 - 2012-06-02 10:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-15 10:14 - 2012-06-02 10:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-15 10:14 - 2012-06-02 10:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-15 10:14 - 2012-06-02 10:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-15 10:14 - 2012-06-02 10:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-15 10:13 - 2012-06-02 11:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-15 10:13 - 2012-06-02 10:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-15 10:13 - 2012-06-02 10:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-15 10:13 - 2012-06-02 10:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-15 10:13 - 2012-06-02 10:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-15 10:13 - 2012-06-02 10:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-15 10:13 - 2012-06-02 10:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-15 10:13 - 2012-06-02 10:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-15 10:01 - 2012-06-12 04:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-14 18:51 - 2012-06-06 07:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-14 18:51 - 2012-06-06 07:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-14 18:51 - 2012-06-06 07:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-14 18:51 - 2012-06-02 06:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-14 18:51 - 2012-06-02 06:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-14 18:51 - 2012-06-02 06:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-14 18:51 - 2012-06-02 06:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-14 18:51 - 2012-06-02 06:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-14 18:51 - 2010-06-26 05:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-14 18:50 - 2012-06-09 06:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-14 18:27 - 2012-06-03 00:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-07-14 18:27 - 2012-06-03 00:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-07-14 18:27 - 2012-06-03 00:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-07-14 18:27 - 2012-06-03 00:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-07-14 18:27 - 2012-06-03 00:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-07-14 18:27 - 2012-06-03 00:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-07-14 18:26 - 2012-06-03 00:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-07-14 18:26 - 2012-06-02 15:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-07-14 18:26 - 2012-06-02 15:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-23 09:08 - 2012-07-23 09:08 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\guwslplh.sys
2012-07-23 09:07 - 2009-12-27 17:46 - 00001044 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-23 09:07 - 2009-07-14 06:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-23 09:06 - 2009-07-14 06:39 - 00093867 ____A C:\Windows\setupact.log
2012-07-23 09:00 - 2012-05-07 11:30 - 00001002 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-23 08:57 - 2011-01-28 20:18 - 00002243 ____A C:\Windows\epplauncher.mif
2012-07-22 23:32 - 2012-07-22 23:32 - 00892164 ____A (Farbar) C:\FRST.exe
2012-07-22 23:12 - 2009-07-14 01:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-22 23:07 - 2009-12-27 17:46 - 00001048 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-22 23:07 - 2009-07-14 06:34 - 00009696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-22 23:07 - 2009-07-14 06:34 - 00009696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-22 23:02 - 2012-07-22 23:02 - 04582474 ____R (Swearware) C:\Users\W7\Desktop\z.exe
2012-07-22 23:00 - 2009-10-07 02:47 - 01283707 ____A C:\Windows\WindowsUpdate.log
2012-07-22 10:49 - 2009-08-14 10:37 - 01585724 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-21 11:32 - 2012-07-21 11:32 - 00000012 ____A C:\Windows\srun.log
2012-07-15 21:09 - 2009-07-14 06:33 - 00416368 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-15 10:02 - 2010-04-17 20:01 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-14 19:37 - 2012-05-07 11:30 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-14 19:37 - 2011-05-17 12:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-12 04:40 - 2012-07-15 10:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-09 06:41 - 2012-07-14 18:50 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-06 07:05 - 2012-07-14 18:51 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-06 07:05 - 2012-07-14 18:51 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-06 07:03 - 2012-07-14 18:51 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-03 17:00 - 2012-06-03 17:00 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_netaapl_01009.Wdf
2012-06-03 00:19 - 2012-07-14 18:27 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-03 00:19 - 2012-07-14 18:27 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-03 00:19 - 2012-07-14 18:27 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-03 00:19 - 2012-07-14 18:27 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-03 00:19 - 2012-07-14 18:26 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-03 00:12 - 2012-07-14 18:27 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-03 00:12 - 2012-07-14 18:27 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:19 - 2012-07-14 18:26 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:12 - 2012-07-14 18:26 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:07 - 2012-07-15 10:13 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 10:43 - 2012-07-15 10:13 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 10:33 - 2012-07-15 10:13 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 10:26 - 2012-07-15 10:13 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 10:25 - 2012-07-15 10:13 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 10:25 - 2012-07-15 10:13 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 10:23 - 2012-07-15 10:13 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 10:21 - 2012-07-15 10:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 10:20 - 2012-07-15 10:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 10:19 - 2012-07-15 10:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 10:19 - 2012-07-15 10:13 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 10:17 - 2012-07-15 10:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 10:16 - 2012-07-15 10:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 10:14 - 2012-07-15 10:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 06:45 - 2012-07-14 18:51 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-02 06:45 - 2012-07-14 18:51 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 06:40 - 2012-07-14 18:51 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-02 06:40 - 2012-07-14 18:51 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 06:39 - 2012-07-14 18:51 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-27 18:05 - 2012-05-27 18:05 - 00001717 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-05-27 11:36 - 2012-05-27 11:35 - 74982768 ____A (Apple Inc.) C:\Users\W7\Desktop\iTunesSetup.exe
2012-05-07 11:31 - 2012-05-07 11:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-05-01 06:44 - 2012-06-14 12:22 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-28 05:17 - 2012-06-14 12:32 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 06:45 - 2012-06-14 12:22 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 06:45 - 2012-06-14 12:22 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 06:41 - 2012-06-14 12:22 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe


ZeroAccess:
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\@
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\L
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\n
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\U
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\L\00000004.@
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\L\1afb2d56
C:\Windows\Installer\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\L\201d3dde

ZeroAccess:
C:\Users\W7\AppData\Local\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}
C:\Users\W7\AppData\Local\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\@
C:\Users\W7\AppData\Local\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\L
C:\Users\W7\AppData\Local\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\n
C:\Users\W7\AppData\Local\{98a53318-6617-c1c0-dfe4-2d16b1bc8a53}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 48%
Total physical RAM: 1013.95 MB
Available physical RAM: 523.15 MB
Total Pagefile: 2037.95 MB
Available Pagefile: 1577.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.84 MB

======================= Partitions =========================

1 Drive c: (Acer) (Fixed) (Total:132.94 GB) (Free:8.84 GB) NTFS
2 Drive d: () (Fixed) (Total:4 GB) (Free:2.7 GB) FAT32
3 Drive e: () (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32

Diskpart a rencontr‚ une erreurÿ: Le serveur RPC n'est pas disponible.
Pour plus d'informations, voir le journal d'‚v‚nements systŠme.


==========================================================

Last Boot: 2012-07-19 23:04

======================= End Of Log ==========================

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:15 PM

Posted 23 July 2012 - 11:17 AM

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


FRST needs to be run from the Recovery environment

please follow these directions

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:15 PM

Posted 29 July 2012 - 04:36 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users