
Need Help Removing Stubborn Sirefef.ah ASAP Please!


  • This topic is locked
10 replies to this topic

#1 infectedTim

infectedTim

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 23 July 2012 - 01:48 PM

Hello, this is my first time in this forum. My first indication of a problem with my computer was that MSE was not started, and would not start when I attempted to do so. I uninstalled MSE, and then reinstalled it. During the quick scan it attempted during the installation, it let me know it found the serious threat of Sirefef.AH. I told it to remove the problem and it began to do so, but before it was done, a Windows message popped up: "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work." I then have approximately 60 seconds to do anything before the computer reboots itself. Now, it is giving me this error and reboots every time I restart the computer. It does this even in safe mode. I used the Farbar Recovery Scan Tool to get this log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 23-07-2012 14:33:55
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13605408 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-27] (Synaptics, Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [NPSStartup] [x]
HKLM\...\Run: [Nuance PDF Converter Professional 7-reminder] "C:\Program Files\Nuance\PDF Professional 7\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Converter Professional 7\Ereg\Ereg.ini" [x]
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [HTC Sync Loader] "C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup [651264 2012-04-17] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\6T Services\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Tim\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Tim\...\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [1261472 2012-04-03] (Adobe Systems Incorporated)
HKU\Tim\...\Run: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler [x]
HKU\Tim\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Tim\...\Run: [AdobeBridge] [x]
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\Tim\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 astcc; C:\Windows\system32\astsrv.exe [57344 2010-11-01] (Nalpeiron Ltd.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 FsUsbExService; C:\Windows\system32\FsUsbExService.Exe [238952 2010-07-04] (Teruten)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [88576 2011-09-15] ()
2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [177704 2007-06-05] ()
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [45056 2011-11-11] (Intuit)
3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2009-07-23] (Intuit Inc.)

========================== Drivers (Whitelisted) =============

3 FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [60104 2010-07-12] (FTDI Ltd.)
3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [73032 2010-07-12] (FTDI Ltd.)
3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [15544 2010-02-24] (Hewlett-Packard Company)
3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [25088 2009-10-26] (HTC, Corporation)
3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows ® Win 7 DDK provider)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-07-23] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [12032 2007-02-16] (NVIDIA Corporation)
3 VAD_DEV; C:\Windows\System32\drivers\vad.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-23 14:33 - 2012-07-23 14:33 - 00000000 ____D C:\FRST
2012-07-23 09:50 - 2012-07-23 09:30 - 00388608 ____A (Trend Micro Inc.) C:\Users\Tim\Desktop\HijackThis.exe
2012-07-23 08:52 - 2012-07-23 08:52 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-23 08:23 - 2012-07-23 09:12 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-23 06:51 - 2012-07-23 06:51 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-13 11:02 - 2012-07-13 11:02 - 00687508 ____N C:\Users\Tim\Documents\APR Company Meeting PP Template.pptx
2012-07-11 09:08 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 09:08 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 09:08 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 09:08 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 09:08 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 09:08 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 09:08 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 09:08 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 09:08 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 09:08 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 09:08 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 09:08 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 09:08 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 09:08 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 09:02 - 2012-07-11 09:02 - 00259992 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 09:02 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 04:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 04:17 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 04:17 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 04:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 04:17 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 04:17 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 04:17 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 04:17 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 04:17 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 04:17 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-03 11:56 - 2012-07-03 11:56 - 00000000 ____D C:\Users\Tim\Desktop\MASTER Specials sheets without Credits 2012 V2 - Copy
2012-07-02 07:26 - 2012-07-02 07:26 - 00229672 ____A C:\Users\Tim\Downloads\CrucialScan.exe
2012-06-28 06:40 - 2012-06-28 06:41 - 05026104 ____A C:\Users\Tim\Downloads\Free_Trial_Issue.pdf.part
2012-06-28 05:02 - 2012-06-28 05:02 - 00000000 ____D C:\Program Files\QuickTime
2012-06-28 04:44 - 2012-06-28 04:45 - 39483256 ____A (Apple Inc.) C:\Users\Tim\Downloads\QuickTimeInstaller.exe
2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll

============ 3 Months Modified Files ========================

2012-07-23 10:15 - 2012-03-21 18:09 - 00422449 ____A C:\Windows\setupact.log
2012-07-23 10:15 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-23 10:12 - 2012-04-06 11:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-23 09:30 - 2012-07-23 09:50 - 00388608 ____A (Trend Micro Inc.) C:\Users\Tim\Desktop\HijackThis.exe
2012-07-23 09:12 - 2012-07-23 08:23 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-23 09:06 - 2011-01-01 18:36 - 01605135 ____A C:\Windows\WindowsUpdate.log
2012-07-23 09:03 - 2009-07-13 20:33 - 03853216 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-23 08:53 - 2011-11-21 08:11 - 00747184 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-23 08:52 - 2011-01-04 08:05 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-23 08:23 - 2012-05-21 10:47 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-19 06:57 - 2009-07-13 20:34 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-19 06:57 - 2009-07-13 20:34 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-17 07:19 - 2012-04-06 11:01 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-17 07:19 - 2011-05-08 23:15 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-13 12:18 - 2011-02-17 11:22 - 00561152 __ASH C:\Users\Tim\Documents\Thumbs.db
2012-07-13 11:02 - 2012-07-13 11:02 - 00687508 ____N C:\Users\Tim\Documents\APR Company Meeting PP Template.pptx
2012-07-12 11:02 - 2011-01-01 16:57 - 00148912 ____A C:\Users\Tim\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-11 09:04 - 2011-01-05 05:31 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 09:02 - 2012-07-11 09:02 - 00259992 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-03 09:46 - 2011-02-11 05:35 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 07:26 - 2012-07-02 07:26 - 00229672 ____A C:\Users\Tim\Downloads\CrucialScan.exe
2012-06-28 06:41 - 2012-06-28 06:40 - 05026104 ____A C:\Users\Tim\Downloads\Free_Trial_Issue.pdf.part
2012-06-28 04:45 - 2012-06-28 04:44 - 39483256 ____A (Apple Inc.) C:\Users\Tim\Downloads\QuickTimeInstaller.exe
2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
2012-06-21 08:16 - 2011-01-01 19:35 - 00002020 ___AH C:\Users\Tim\Documents\Default.rdp
2012-06-11 18:40 - 2012-07-11 09:02 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 04:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 08:06 - 2012-06-08 08:05 - 09846466 ____A C:\Users\Tim\Downloads\10th Anniversary Buying Show Video.wmv.part
2012-06-08 06:46 - 2012-06-08 06:45 - 00143064 ____A C:\Windows\Minidump\060812-29374-01.dmp
2012-06-08 06:45 - 2012-06-08 06:45 - 217398132 ____A C:\Windows\MEMORY.DMP
2012-06-06 16:43 - 2012-06-06 16:43 - 00353700 ____A C:\Users\Tim\Documents\CampingNeedsList Father Son 2012.xlsx
2012-06-06 16:43 - 2012-06-06 16:43 - 00000165 ___AH C:\Users\Tim\Documents\~$CampingNeedsList Father Son 2012.xlsx
2012-06-05 21:05 - 2012-07-11 04:17 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 04:17 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 04:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-03 17:10 - 2012-06-03 17:10 - 00039424 ____A C:\Users\Tim\Documents\Sales May 2012 Rolling 12 Top 50 UP.xls
2012-06-03 17:01 - 2012-06-03 17:00 - 00038912 ____A C:\Users\Tim\Documents\Sales May 2012 Rolling 12 Top 50 Down.xls
2012-06-03 16:57 - 2012-06-03 16:56 - 00039936 ____A C:\Users\Tim\Documents\Sales May 2012 Top 50 Down.xls
2012-06-03 16:56 - 2012-06-03 16:56 - 00039936 ____A C:\Users\Tim\Documents\SalesMay 2012 top 50 By Rolling 12.xls
2012-06-03 16:52 - 2012-06-03 16:52 - 00039936 ____A C:\Users\Tim\Documents\Sales May 2012 Top 50 UP.xls
2012-06-03 16:46 - 2012-06-03 16:45 - 00039936 ____A C:\Users\Tim\Documents\Sales May Top 50 Down.xls
2012-06-02 14:19 - 2012-06-22 04:11 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 04:11 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 04:11 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 04:11 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-22 04:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-22 04:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 09:08 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 09:08 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 09:08 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 09:08 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 09:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 09:08 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 09:08 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 09:08 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 09:08 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 09:08 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 09:08 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 09:08 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 09:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 09:08 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-11 04:17 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 04:17 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 04:17 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 04:17 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 04:17 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 04:26 - 2012-05-31 04:26 - 00001037 ____A C:\Users\Tim\Desktop\Dropbox.lnk
2012-05-31 04:20 - 2012-05-31 04:20 - 18002040 ____A (Dropbox, Inc.) C:\Users\Tim\Downloads\Dropbox 1.4.7.exe
2012-05-25 09:58 - 2009-07-13 20:53 - 00032558 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-23 16:06 - 2012-05-23 16:06 - 00001304 ____A C:\Windows\System32\_GEAREXT.WO_IDENT.TXT
2012-05-18 09:55 - 2012-05-18 09:55 - 00001040 ____A C:\Users\Public\Desktop\HTC Sync.lnk
2012-05-17 18:24 - 2012-05-17 18:24 - 02095104 ____A C:\Users\Tim\Downloads\QuakeLiveNP_520.msi
2012-05-14 18:46 - 2012-05-14 18:46 - 09490616 ____A (HTC) C:\Users\Tim\Downloads\PG8610000_Shooter_hboot_1.50.0000_2.17.651.5_pg2fs_unlock.exe
2012-05-11 13:16 - 2012-03-22 04:12 - 00001930 ____A C:\Windows\PFRO.log
2012-05-11 11:50 - 2012-05-11 11:50 - 00002975 ____A C:\Users\Tim\Desktop\Pixetell.lnk
2012-05-11 11:41 - 2012-05-11 11:43 - 17846741 ____A C:\Users\Tim\Downloads\Pixetell-1.3.16005.zip
2012-05-11 11:37 - 2012-05-11 11:37 - 00463080 ____A (CNET Download.com) C:\Users\Tim\Downloads\cnet_Pixetell-1_3_16005_zip.exe
2012-05-10 09:18 - 2012-05-10 09:18 - 00318904 ____A (Microsoft Corporation) C:\Users\Tim\Downloads\wmpfirefoxplugin(1).exe
2012-05-04 01:59 - 2012-06-13 10:54 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-04-30 20:44 - 2012-06-13 09:11 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 09:11 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 08:23 - 2011-02-09 10:57 - 00060304 ____A C:\Users\Tim\g2mdlhlpx.exe
2012-04-26 06:09 - 2012-04-26 06:09 - 00041578 ____A C:\Users\Tim\Desktop\Adobe Invoice Buy.com
2012-04-25 20:45 - 2012-06-13 09:11 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-13 09:11 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-13 09:11 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-25 04:14 - 2012-04-25 04:14 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk


ZeroAccess:
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\@
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\n
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L\00000004.@
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L\201d3dde
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U\00000004.@
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U\00000008.@
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U\80000000.@

ZeroAccess:
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\@
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 1982.61 MB
Available physical RAM: 1541.44 MB
Total Pagefile: 1982.61 MB
Available Pagefile: 1543.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.79 GB) (Free:117.59 GB) NTFS
2 Drive d: (Data Drive) (Fixed) (Total:232.88 GB) (Free:179.69 GB) NTFS
3 Drive f: (100719_1346) (CDROM) (Total:0.31 GB) (Free:0 GB) CDFS
4 Drive g: () (Removable) (Total:0.02 GB) (Free:0 GB) FAT
5 Drive h: () (Removable) (Total:0.24 GB) (Free:0.23 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 232 GB 0 B
Disk 2 Online 15 MB 0 B
Disk 3 Online 245 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Data Drive NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 15 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 245 MB 32 KB

==================================================================================

Disk: 3
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT Removable 245 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-19 07:59

======================= End Of Log ==========================


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 PM

Posted 23 July 2012 - 02:48 PM

Good evening. :)

I want you to fire up FRST again and enter the following into the Search: textbox: services.exe
Then click the Search File(s) button and wait.
Once the search has completed, the results will be saved alongside FRST as Search.txt - please copy and paste the contents of that textfile into your next reply.

So long, and thanks for all the fish.

 

 


#3 infectedTim

infectedTim
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 23 July 2012 - 07:00 PM

Here, thanks!

Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-23 19:34:04
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
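A defender-side check for what the search results above show, added here as an example that is not part of the original thread and not code from FRST or its author: it parses Search.txt records, flags a copy outside WinSxS whose MD5 differs from the component-store copy of the same file while size and timestamps are identical, and spots the {GUID} folders with '@', 'L' and 'U' children that FRST listed under "ZeroAccess:" in the first log. The sample inputs are constructed from the thread's own log lines; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the Search.txt posted above.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Constructed sample: paths from the FRST.txt "ZeroAccess:" blocks, plus one benign folder.
LISTED_PATHS = [
    r"C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}",
    r"C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\@",
    r"C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L",
    r"C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U",
    r"C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U\80000000.@",
    r"C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}",
    r"C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\@",
    r"C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L",
    r"C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U",
    r"C:\Program Files\QuickTime",  # benign: no @/L/U children
]

# Detail line of a Search.txt record: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
# A {GUID} folder and, optionally, its immediate child.
GUID_DIR_RE = re.compile(
    r"^(?P<dir>.*\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"(?:\\(?P<child>[^\\]+))?", re.I)


def parse_search(text):
    """Return one dict per (path line, detail line) pair in FRST's Search.txt."""
    lines = [l.rstrip() for l in text.splitlines()]
    records = []
    for i in range(len(lines) - 1):
        m = DETAIL_RE.match(lines[i + 1])
        if m and re.match(r"^[A-Za-z]:\\", lines[i]):
            rec = m.groupdict()
            rec["path"] = lines[i]
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def find_patched_copies(records):
    """Flag copies outside WinSxS whose MD5 differs from the component-store copy
    of the same file name; same size and timestamps with a different hash is the tell."""
    by_name = defaultdict(lambda: {"winsxs": [], "other": []})
    for r in records:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        bucket = "winsxs" if "\\winsxs\\" in r["path"].lower() else "other"
        by_name[name][bucket].append(r)
    findings = []
    for groups in by_name.values():
        baseline = {r["md5"] for r in groups["winsxs"]}
        if not baseline:
            continue  # no trusted copy to compare against
        ref = groups["winsxs"][0]
        for r in groups["other"]:
            if r["md5"] not in baseline:
                same_meta = (r["size"], r["created"], r["modified"]) == \
                            (ref["size"], ref["created"], ref["modified"])
                findings.append({"path": r["path"], "md5": r["md5"],
                                 "winsxs_path": ref["path"], "winsxs_md5": ref["md5"],
                                 "metadata_matches": same_meta})
    return findings


def find_zeroaccess_dirs(paths):
    """Return {GUID} folders whose direct children include '@' and an 'L' or 'U' subfolder."""
    children = defaultdict(set)
    for p in paths:
        m = GUID_DIR_RE.match(p)
        if m:
            kids = children[m.group("dir")]
            if m.group("child"):
                kids.add(m.group("child"))
    return sorted(d for d, kids in children.items() if "@" in kids and kids & {"L", "U"})


if __name__ == "__main__":
    for f in find_patched_copies(parse_search(SEARCH_TXT)):
        print(f"{f['path']}: MD5 {f['md5']} != WinSxS {f['winsxs_md5']} "
              f"(size/timestamps match: {f['metadata_matches']})")
    print(find_zeroaccess_dirs(LISTED_PATHS))
```

The WinSxS copy is only a useful baseline because the component store holds the pristine binary the system was built from; a mismatch against it is what justified the rename-and-copy fix used later in this thread.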

#4 infectedTim

infectedTim
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 24 July 2012 - 07:52 AM

Help, please...I am out of business without this laptop!

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 PM

Posted 24 July 2012 - 02:23 PM

Good evening. :)

As I have to work for a living I am limited in the free time that I have to research your issue, and those of the other people that I am helping, and formulate responses that will resolve them. While I am happy to continue with your problem, if you need an immediate resolution for business reasons then you should consider employing someone in a professional capacity.

Please let me know whether or not you wish me to proceed.

So long, and thanks for all the fish.

 

 


#6 infectedTim

infectedTim
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 24 July 2012 - 02:43 PM

Please proceed...I didn't mean to offend!

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 PM

Posted 24 July 2012 - 04:00 PM

Copy and paste the following text into a new Notepad window and save it alongside FRST as fixlist.txt:

CMD: ren C:\Windows\System32\services.exe services.old
CMD: copy /y "C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe" C:\Windows\System32
C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
C:\Windows\assembly\GAC\Desktop.ini

Run FRST as previously, but this time click the Fix button just once and wait.
Once complete the results will be written to the textfile Fixlog.txt, saved alongside FRST as before - please let me have the contents of the file in your next reply.

Also, try to boot the PC normally and tell me what happens.

So long, and thanks for all the fish.

 

 


#8 infectedTim

infectedTim
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 24 July 2012 - 08:37 PM

The computer had an error the first time it tried to boot but I couldn't see what it said before it restarted. When it restarted all seems okay. MSE is off and it says that the definitions are out of date although they were up to date when I had the infection. I did not try to connect to the network until you said it was okay.

Here is the log file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-24 21:20:22 Run:1
Running from G:\

==============================================


========= ren C:\Windows\System32\services.exe services.old =========


========= End of CMD: =========


========= copy /y "C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe" C:\Windows\System32 =========

1 file(s) copied.

========= End of CMD: =========

C:\Windows\Installer\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8} not found.
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini not found.

==== End of Fixlog ====

Thanks!

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 PM

Posted 25 July 2012 - 02:10 PM

Good evening. :)

Try putting the PC back online and see how it goes - make sure that the anti-virus is working and updates OK.

So long, and thanks for all the fish.

 

 


#10 infectedTim

infectedTim
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:45 PM

Posted 31 July 2012 - 08:58 PM

Hi, thanks for your help. The laptop seemed to be okay. Then the hinge broke and the bezel cracked when I closed the lid. I decided to get a new laptop. Please close the thread.

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 PM

Posted 01 August 2012 - 02:44 PM

Thanks for letting me know.

So long, and thanks for all the fish.
