Infected with Sirefef R AB AH Need Help


This topic is locked
4 replies to this topic

#1 Allen Wrench

Allen Wrench

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:41 AM

Posted 24 July 2012 - 08:35 AM

Win 7 laptop running MSE. Noticed web sites constantly redirecting and MSE not starting. Uninstalled and then reinstalled MSE, which then detected and attempted to remove viruses. Virus Sirefef R AB AH still on computer and it constantly shuts down and reboots.

1. Can I remove the HD and retrieve the data from another computer? Will this require some type of security to view the data?

2. Can this be fixed or better to reformat and reload?

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:41 AM

Posted 24 July 2012 - 09:05 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Allen Wrench

Allen Wrench
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:41 AM

Posted 24 July 2012 - 11:40 AM

This is the FRST log if needed:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 24-07-2012 03:26:31
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2008-09-23] (CyberLink Corp.)
HKLM\...\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [210216 2008-06-13] (CyberLink Corp.)
HKLM\...\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM\...\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM\...\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-10-06] (CyberLink Corp.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a [75072 2010-12-15] (Sprint)
HKLM\...\Run: [RDVCHG] "C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe" [316736 2010-12-15] (C-motech Co.,Ltd)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1246544 2010-11-03] (Logitech, Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Dog2\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [144384 2010-11-20] (Microsoft Corporation)
HKU\Dog2\...\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-09-30] (Hewlett-Packard)
HKU\Dog2\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\Dog2\...\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -s [247144 2009-11-13] (TomTom)
HKU\Dog2\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Dog2\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
Startup: C:\Users\Dog2\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 AdobeActiveFileMonitor8.0; C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [169312 2009-09-06] (Adobe Systems Incorporated)
3 CASprint; "C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" [124224 2010-12-15] (SmithMicro Inc.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 NvtlService; "C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe" [82944 2010-01-11] ()
4 RealNetworks Downloader Resolver Service; "C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe" [31408 2011-08-15] ()
2 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
3 SolidWorks Licensing Service; "C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe" [79360 2011-04-23] (SolidWorks)
3 SprintRcAppSvc; "C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe" /n "SprintRcAppSvc" [120128 2010-12-15] (SmithMicro Inc.)
2 StkASSrv; C:\Windows\System32\StkASv2K.exe [24576 2011-09-22] (Syntek America Inc.)
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2 MSSQL$MAT_SQL1; "c:\Program Files\Microsoft SQL Server\MSSQL11.MAT_SQL1\MSSQL\Binn\sqlservr.exe" -sMAT_SQL1 [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
3 MSSQLFDLauncher$MAT_SQL1; "c:\Program Files\Microsoft SQL Server\MSSQL11.MAT_SQL1\MSSQL\Binn\fdlauncher.exe" -s MSSQL11.MAT_SQL1 [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 ReportServer$MAT_SQL1; "c:\Program Files\Microsoft SQL Server\MSRS11.MAT_SQL1\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [x]
4 SQLAgent$MAT_SQL1; "c:\Program Files\Microsoft SQL Server\MSSQL11.MAT_SQL1\MSSQL\Binn\SQLAGENT.EXE" -i MAT_SQL1 [x]
4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]
4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 hitmanpro35; \??\C:\Windows\system32\drivers\hitmanpro36.sys [27424 2012-05-18] ()
3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [112128 2008-06-29] (Intel® Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MUSTechVIDCAP; C:\Windows\System32\drivers\musgostrm.sys [252160 2007-02-16] (Micronas Technologies)
3 Nmea; C:\Windows\System32\DRIVERS\pctnullport.sys [38680 2010-12-15] (PCTEL Inc.)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [229376 2010-06-08] (Novatel Wireless Inc)
3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [32408 2010-12-15] (Smith Micro Inc.)
4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-29] (Microsoft Corporation)
4 RsFx0200; C:\Windows\System32\DRIVERS\RsFx0200.sys [268888 2012-02-11] (Microsoft Corporation)
3 StkAMini; C:\Windows\System32\Drivers\StkAMini.sys [241628 2011-09-22] (Syntek America Inc.)
3 StkScan; C:\Windows\System32\Drivers\StkScan.sys [4772 2011-09-22] (Syntek America Inc.)
3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [37248 2010-06-08] ()
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-24 03:26 - 2012-07-24 03:26 - 00000000 ____D C:\FRST
2012-07-23 20:38 - 2012-07-23 20:38 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-23 19:53 - 2012-07-23 19:53 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-19 17:15 - 2012-07-19 17:35 - 00000000 ____D C:\Users\Dog2\Desktop\Music01
2012-07-19 10:26 - 2012-07-19 10:31 - 00000000 ____D C:\Users\Dog2\AppData\Local\QuickPlay
2012-07-19 10:26 - 2012-07-19 10:27 - 00000021 ____A C:\Users\All Users\hpqp.txt
2012-07-19 05:49 - 2012-07-19 05:49 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-19 05:48 - 2012-07-19 05:49 - 00000000 ____D C:\Program Files\iTunes
2012-07-19 05:48 - 2012-07-19 05:48 - 00000000 ____D C:\Program Files\iPod
2012-07-16 07:08 - 2012-07-16 07:09 - 01120768 ____A C:\Users\Dog2\Downloads\ALL-AHS-AWARDS-TO-2011-Cumulative-list.xls
2012-07-16 06:24 - 2012-07-16 06:37 - 00380928 ____A C:\Users\Dog2\Documents\Database2.accdb
2012-07-16 06:23 - 2012-07-16 06:24 - 00311296 ____A C:\Users\Dog2\Documents\Database1.accdb
2012-07-16 06:16 - 2012-07-16 21:33 - 00458752 ____A C:\Users\Dog2\Documents\ThomasDaylily.accdb
2012-07-12 04:34 - 2012-07-12 04:34 - 02457178 ____A C:\Users\Dog2\Downloads\The Ant - This is SO good!.zip
2012-07-10 23:11 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-10 23:11 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-10 23:11 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-10 23:11 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-10 23:11 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-10 23:11 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-10 23:11 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-10 23:11 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-10 23:11 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-10 23:11 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-10 23:11 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-10 23:11 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-10 23:11 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-10 23:11 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-10 23:02 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 15:01 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 15:01 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 15:01 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 15:01 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 15:01 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 15:01 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 15:01 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 15:01 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 15:01 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 15:01 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-02 06:32 - 2012-07-02 06:47 - 38561640 ____A (Google Inc.) C:\Users\Dog2\Downloads\GoogleSketchUpWEN (1).exe
2012-07-02 04:47 - 2012-07-02 04:47 - 00085352 ____A C:\Users\Dog2\Documents\aaa.xps
2012-06-27 21:43 - 2012-06-27 21:43 - 02505216 ____A C:\Users\Dog2\Desktop\Chap006.ppt

============ 3 Months Modified Files ========================

2012-07-23 23:04 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-23 23:04 - 2009-07-13 20:39 - 14908736 ____A C:\Windows\setupact.log
2012-07-23 23:03 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-23 22:59 - 2011-02-20 22:33 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-23 22:59 - 2009-11-18 02:45 - 00000284 ____A C:\Users\All Users\hpqp.ini
2012-07-23 22:44 - 2012-03-23 04:33 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cd08f1281b1dce.job
2012-07-23 21:10 - 2011-09-02 06:29 - 00000254 ____A C:\Windows\Tasks\HP Photo Creations Messager.job
2012-07-23 21:01 - 2009-11-17 20:09 - 00040336 ____A C:\Windows\PFRO.log
2012-07-23 20:39 - 2009-11-17 20:20 - 01228094 ____A C:\Windows\WindowsUpdate.log
2012-07-23 20:38 - 2011-02-03 14:48 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-23 20:38 - 2009-11-17 20:31 - 01032476 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-23 20:37 - 2009-11-17 19:40 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-23 20:37 - 2009-11-17 19:40 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-19 12:53 - 2012-05-25 07:36 - 00009704 ____A C:\Users\Dog2\Desktop\AlbumList.xlsx
2012-07-19 10:27 - 2012-07-19 10:26 - 00000021 ____A C:\Users\All Users\hpqp.txt
2012-07-19 05:49 - 2012-07-19 05:49 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-16 21:33 - 2012-07-16 06:16 - 00458752 ____A C:\Users\Dog2\Documents\ThomasDaylily.accdb
2012-07-16 07:09 - 2012-07-16 07:08 - 01120768 ____A C:\Users\Dog2\Downloads\ALL-AHS-AWARDS-TO-2011-Cumulative-list.xls
2012-07-16 06:37 - 2012-07-16 06:24 - 00380928 ____A C:\Users\Dog2\Documents\Database2.accdb
2012-07-16 06:24 - 2012-07-16 06:23 - 00311296 ____A C:\Users\Dog2\Documents\Database1.accdb
2012-07-12 04:34 - 2012-07-12 04:34 - 02457178 ____A C:\Users\Dog2\Downloads\The Ant - This is SO good!.zip
2012-07-10 23:29 - 2009-07-13 20:33 - 00458608 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 23:10 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-10 23:02 - 2009-12-20 13:20 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-06 04:43 - 2011-08-31 20:32 - 00219493 ____A C:\Windows\hpwins21.dat
2012-07-06 04:43 - 2011-08-31 19:51 - 00005535 ____A C:\Users\All Users\hpzinstall.log
2012-07-06 04:36 - 2011-09-02 06:07 - 00001833 ____A C:\Users\Dog2\AppData\Roaming\ConvAPIPlugin.log
2012-07-04 07:02 - 2009-07-13 20:53 - 00032650 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-02 06:57 - 2012-02-13 13:22 - 00001995 ____A C:\Users\Public\Desktop\Google SketchUp 8.lnk
2012-07-02 06:47 - 2012-07-02 06:32 - 38561640 ____A (Google Inc.) C:\Users\Dog2\Downloads\GoogleSketchUpWEN (1).exe
2012-07-02 04:47 - 2012-07-02 04:47 - 00085352 ____A C:\Users\Dog2\Documents\aaa.xps
2012-06-27 21:43 - 2012-06-27 21:43 - 02505216 ____A C:\Users\Dog2\Desktop\Chap006.ppt
2012-06-19 10:11 - 2012-06-19 10:11 - 00000239 ____A C:\Users\Dog2\files.txt
2012-06-11 18:40 - 2012-07-10 23:02 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-10 15:01 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-10 15:01 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 15:01 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 15:01 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-21 04:26 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 04:26 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 04:26 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 04:26 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 04:26 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 04:26 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 04:26 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 04:26 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-21 04:26 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 23:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 23:11 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 23:11 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 23:11 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 23:11 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 23:11 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 23:11 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 23:11 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 23:11 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 23:11 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 23:11 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 23:11 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 23:11 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 23:11 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-10 15:01 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 15:01 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 15:01 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 15:01 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 15:01 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-21 09:14 - 2011-01-05 09:13 - 00000060 ____A C:\Users\Dog2\DeductionPro2009.log
2012-05-18 08:25 - 2012-05-18 08:24 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-05-18 08:01 - 2012-05-18 08:01 - 00000492 ____A C:\Windows\System32\.crusader
2012-05-18 07:21 - 2012-05-18 07:09 - 07287176 ____A (SurfRight B.V.) C:\Users\Dog2\Downloads\HitmanPro36.exe
2012-05-18 05:56 - 2012-05-18 05:55 - 09989040 ____A (OPSWAT, Inc.) C:\Users\Dog2\Downloads\AppRemover.exe
2012-05-18 05:40 - 2012-05-18 05:37 - 16111032 ____A (Microsoft Corporation) C:\Users\Dog2\Downloads\Windows-KB890830-V4.8.exe
2012-05-18 05:31 - 2012-05-18 05:27 - 10288512 ____A (Microsoft Corporation) C:\Users\Dog2\Downloads\mseinstall.exe
2012-05-17 20:53 - 2012-05-17 20:24 - 69275640 ____A (Microsoft Corporation) C:\Users\Dog2\Downloads\msert.exe
2012-05-10 16:13 - 2012-05-10 16:11 - 05427712 ____A C:\Users\Dog2\Downloads\Photographiessourires-keeponsmiling.pps
2012-05-05 22:02 - 2012-04-27 06:22 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-05-05 22:02 - 2011-07-11 05:11 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-05-01 09:12 - 2012-05-01 09:12 - 00036891 ____A C:\Users\Dog2\Downloads\S10dl.csv
2012-05-01 09:12 - 2009-07-21 16:32 - 00003140 ____A C:\Users\Dog2\AppData\Roaming\wklnhst.dat
2012-04-30 20:44 - 2012-06-13 13:10 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 13:11 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 13:25 - 2012-04-26 13:25 - 00000020 ___SH C:\Users\ReportServer$MAT_SQL1\ntuser.ini
2012-04-26 13:24 - 2012-04-26 13:24 - 00000020 ___SH C:\Users\MSSQLFDLauncher$MAT_SQL1\ntuser.ini
2012-04-26 13:24 - 2012-04-26 13:24 - 00000020 ___SH C:\Users\MSSQL$MAT_SQL1\ntuser.ini
2012-04-26 12:25 - 2012-04-23 10:38 - 1382169176 ____A (Microsoft Corporation) C:\Users\Dog2\Documents\SQLEXPRADV_x86_ENU.exe

ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde

ZeroAccess:
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3003.19 MB
Available physical RAM: 2492.41 MB
Total Pagefile: 3001.47 MB
Available Pagefile: 2498.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:221.96 GB) (Free:116 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10.92 GB) (Free:1.79 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (KINGSTON) (Removable) (Total:3.75 GB) (Free:3.73 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 2048 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3852 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 221 GB 1024 KB
Partition 2 Primary 10 GB 221 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 221 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3851 MB 4096 B

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G KINGSTON FAT32 Removable 3851 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 20:11

======================= End Of Log ==========================
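The log above contains the two findings that drive the fix which follows: a system file whose MD5 does not match the known-good value (flagged "ATTENTION!" in the Bamital & volsnap Check) and the "ZeroAccess:" blocks listing the rootkit's hidden directories. The Python below is an added triage helper, not part of this thread and not FRST's own code; it parses those sections of an FRST log so the flagged entries can be extracted programmatically instead of read by eye. The sample input is an excerpt constructed from the log posted above, and the `parse_frst` / `Triage` names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the FRST log posted above (not the full log); it is
# only sample input for this added parser.
SAMPLE_LOG = r"""========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L

ZeroAccess:
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
"""

# A system file whose MD5 matched FRST's known-good value.
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit", re.M)
# A system file whose MD5 did not match; FRST prints the hash, a family
# label and an "ATTENTION" marker.
BAD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<label>\S+) <==== ATTENTION",
    re.M,
)


@dataclass
class Triage:
    # path -> "legit" or the label FRST attached (e.g. "ZeroAccess")
    hash_status: dict = field(default_factory=dict)
    # (path, md5, label) for every file that failed the hash check
    bad_hashes: list = field(default_factory=list)
    # first path of each "ZeroAccess:" block, i.e. the directory or file
    # a fix script would name
    zeroaccess_roots: list = field(default_factory=list)
    # every path listed under any "ZeroAccess:" block
    zeroaccess_paths: list = field(default_factory=list)


def parse_frst(log_text: str) -> Triage:
    """Extract hash-check results and ZeroAccess blocks from an FRST log."""
    t = Triage()
    for m in LEGIT_RE.finditer(log_text):
        t.hash_status[m["path"]] = "legit"
    for m in BAD_RE.finditer(log_text):
        t.hash_status[m["path"]] = m["label"]
        t.bad_hashes.append((m["path"], m["md5"].upper(), m["label"]))

    # Each "ZeroAccess:" header is followed by paths up to the next blank line.
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == "ZeroAccess:":
            i += 1
            block = []
            while i < len(lines) and lines[i].strip():
                block.append(lines[i].strip())
                i += 1
            if block:
                t.zeroaccess_roots.append(block[0])
                t.zeroaccess_paths.extend(block)
        else:
            i += 1
    return t


if __name__ == "__main__":
    result = parse_frst(SAMPLE_LOG)
    for path, md5, label in result.bad_hashes:
        print(f"hash mismatch: {path} ({md5}) flagged as {label}")
    for root in result.zeroaccess_roots:
        print(f"ZeroAccess item: {root}")
```

Running it on the excerpt reports the one mismatched system file and the three ZeroAccess roots, which are exactly the items the fix script in the next post names; on a full log the same parser also shows which protected files passed the check, which is useful when deciding whether a replacement from the recovery environment is needed at all.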

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:41 AM

Posted 24 July 2012 - 02:09 PM

Hello Allen Wrench,

Welcome to the forum.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
Replace: x:\Windows\System32\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Dog2\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\assembly\GAC\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:41 AM

Posted 04 August 2012 - 05:03 PM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.