
Sirefef + 1Minute Reboots


  • This topic is locked
7 replies to this topic

#1 DJGaGa
  • Members
  • 4 posts

Posted 24 July 2012 - 05:10 PM

Working on a doctor's infected computer.

It's infected with Sirefef and is rebooting every minute.

Save me please :(


#2 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,958 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 24 July 2012 - 10:13 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DJGaGa
  • Topic Starter
  • Members
  • 4 posts

Posted 25 July 2012 - 02:56 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 24-07-2012 02
Ran by sruser at 25-07-2012 12:11:53
Running from C:\Users\sruser\Desktop
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-25 12:10 - 2012-07-25 12:10 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rnpkmctu.sys
2012-07-25 12:05 - 2012-07-25 12:05 - 00000474 ____A C:\Users\sruser\Desktop\defogger_disable.log
2012-07-25 12:05 - 2012-07-25 12:05 - 00000000 ____A C:\Users\sruser\defogger_reenable
2012-07-25 12:05 - 2012-07-25 11:58 - 00607260 ____R (Swearware) C:\Users\sruser\Desktop\dds.scr
2012-07-25 12:05 - 2012-07-25 11:57 - 00050477 ____A C:\Users\sruser\Desktop\Defogger.exe
2012-07-25 11:56 - 2012-07-24 15:23 - 00892784 ____A (Farbar) C:\Users\sruser\Desktop\FRST.exe
2012-07-13 11:52 - 2012-07-13 11:52 - 00302592 ____A C:\Users\sruser\Desktop\p8ils1xy.exe
2012-07-13 11:40 - 2012-07-13 11:28 - 00426163 ____A C:\Users\sruser\Desktop\Windows6.1-KB976586-x86.msu
2012-07-12 16:45 - 2012-07-12 16:45 - 00002050 _RASH C:\Users\willowuser\ntuser.pol
2012-07-12 16:45 - 2012-07-12 16:45 - 00000020 __ASH C:\Users\willowuser\ntuser.ini
2012-07-12 16:45 - 2012-06-11 11:39 - 00000000 ____D C:\Users\willowuser\AppData\Roaming\ICAClient
2012-07-12 16:45 - 2012-02-03 19:08 - 00002326 ____A C:\Users\willowuser\Desktop\MSN.lnk
2012-07-12 16:45 - 2011-11-16 16:25 - 00000036 ____A C:\Users\willowuser\AppData\Roaming\webica.ini
2012-07-12 16:29 - 2012-07-12 16:29 - 00001268 ____A C:\Users\sruser\Desktop\shutdown.exe.lnk
2012-07-12 16:09 - 2012-07-12 16:09 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-05 17:00 - 2012-07-05 17:00 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-05 16:58 - 2012-07-05 16:58 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-05 16:39 - 2012-07-05 16:39 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-05 16:39 - 2012-07-05 16:39 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-05 15:53 - 2012-07-05 16:34 - 00000361 ____A C:\rkill.log
2012-07-05 15:51 - 2012-07-05 15:51 - 01012656 ____A C:\Users\sruser\Desktop\iExplore.exe
2012-07-05 10:09 - 2012-07-05 10:09 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-05 09:54 - 2012-07-13 12:00 - 00000342 ____A C:\Windows\Tasks\At37.job
2012-07-05 09:54 - 2012-07-13 12:00 - 00000340 ____A C:\Windows\Tasks\At13.job
2012-07-05 09:54 - 2012-07-05 17:04 - 00000340 ____A C:\Windows\Tasks\At18.job
2012-07-05 09:54 - 2012-07-05 16:59 - 00000342 ____A C:\Windows\Tasks\At42.job
2012-07-05 09:54 - 2012-07-05 15:00 - 00000342 ____A C:\Windows\Tasks\At40.job
2012-07-05 09:54 - 2012-07-05 15:00 - 00000340 ____A C:\Windows\Tasks\At16.job
2012-07-05 09:54 - 2012-07-05 14:02 - 00000342 ____A C:\Windows\Tasks\At39.job
2012-07-05 09:54 - 2012-07-05 14:02 - 00000340 ____A C:\Windows\Tasks\At15.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At48.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At47.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At46.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At45.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At44.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At43.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At41.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At34.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At33.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At32.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At31.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At30.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At29.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At28.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At27.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At26.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000342 ____A C:\Windows\Tasks\At25.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At9.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At8.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At7.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At6.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At5.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At4.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At3.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At24.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At23.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At22.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At21.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At20.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At2.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At19.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At17.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At10.job
2012-07-05 09:54 - 2012-07-05 13:20 - 00000340 ____A C:\Windows\Tasks\At1.job
2012-07-05 09:54 - 2012-07-05 13:00 - 00000342 ____A C:\Windows\Tasks\At38.job
2012-07-05 09:54 - 2012-07-05 13:00 - 00000340 ____A C:\Windows\Tasks\At14.job
2012-07-05 09:54 - 2012-07-05 11:00 - 00000342 ____A C:\Windows\Tasks\At36.job
2012-07-05 09:54 - 2012-07-05 11:00 - 00000340 ____A C:\Windows\Tasks\At12.job
2012-07-05 09:54 - 2012-07-05 10:03 - 00000340 ____A C:\Windows\Tasks\At11.job
2012-07-05 09:54 - 2012-07-05 10:00 - 00000342 ____A C:\Windows\Tasks\At35.job
2012-07-05 09:53 - 2012-07-05 09:55 - 00000000 ____D C:\Users\sruser\php
2012-07-05 09:53 - 2012-07-05 09:53 - 00000002 ____A C:\Users\sruser\uz.dat
2012-06-27 09:59 - 2012-06-27 09:59 - 00000000 ____D C:\Windows\Minidump


============ 3 Months Modified Files ========================

2012-07-25 12:09 - 2009-07-13 21:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 12:09 - 2009-07-13 21:39 - 00038787 ____A C:\Windows\setupact.log
2012-07-25 12:08 - 2009-07-13 16:11 - 00259072 ____A C:\Windows\System32\services.exe
2012-07-25 12:05 - 2012-07-25 12:05 - 00000474 ____A C:\Users\sruser\Desktop\defogger_disable.log
2012-07-25 12:05 - 2012-07-25 12:05 - 00000000 ____A C:\Users\sruser\defogger_reenable
2012-07-25 11:58 - 2012-07-25 12:05 - 00607260 ____R (Swearware) C:\Users\sruser\Desktop\dds.scr
2012-07-25 11:57 - 2012-07-25 12:05 - 00050477 ____A C:\Users\sruser\Desktop\Defogger.exe
2012-07-25 11:56 - 2010-11-20 14:01 - 00805802 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-24 15:23 - 2012-07-25 11:56 - 00892784 ____A (Farbar) C:\Users\sruser\Desktop\FRST.exe
2012-07-13 12:00 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At37.job
2012-07-13 12:00 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At13.job
2012-07-13 12:00 - 2012-04-17 12:08 - 00000296 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-13 11:52 - 2012-07-13 11:52 - 00302592 ____A C:\Users\sruser\Desktop\p8ils1xy.exe
2012-07-13 11:42 - 2012-04-10 16:16 - 01830885 ____A C:\Windows\WindowsUpdate.log
2012-07-13 11:28 - 2012-07-13 11:40 - 00426163 ____A C:\Users\sruser\Desktop\Windows6.1-KB976586-x86.msu
2012-07-12 16:45 - 2012-07-12 16:45 - 00002050 _RASH C:\Users\willowuser\ntuser.pol
2012-07-12 16:45 - 2012-07-12 16:45 - 00000020 __ASH C:\Users\willowuser\ntuser.ini
2012-07-12 16:29 - 2012-07-12 16:29 - 00001268 ____A C:\Users\sruser\Desktop\shutdown.exe.lnk
2012-07-12 16:09 - 2012-07-12 16:09 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-12 16:09 - 2009-07-13 21:34 - 00027568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-12 16:09 - 2009-07-13 21:34 - 00027568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-05 17:15 - 2009-07-13 19:04 - 00000715 ____A C:\Windows\win.ini
2012-07-05 17:04 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At18.job
2012-07-05 17:00 - 2012-07-05 17:00 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-05 16:59 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At42.job
2012-07-05 16:55 - 2010-11-20 14:48 - 00726216 ____A C:\Windows\PFRO.log
2012-07-05 16:39 - 2012-07-05 16:39 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-05 16:34 - 2012-07-05 15:53 - 00000361 ____A C:\rkill.log
2012-07-05 15:51 - 2012-07-05 15:51 - 01012656 ____A C:\Users\sruser\Desktop\iExplore.exe
2012-07-05 15:00 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At40.job
2012-07-05 15:00 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At16.job
2012-07-05 14:02 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At39.job
2012-07-05 14:02 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At15.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At48.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At47.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At46.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At45.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At44.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At43.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At41.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At34.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At33.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At32.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At31.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At30.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At29.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At28.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At27.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At26.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At25.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At9.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At8.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At7.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At6.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At5.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At4.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At3.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At24.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At23.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At22.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At21.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At20.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At2.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At19.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At17.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At10.job
2012-07-05 13:20 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At1.job
2012-07-05 13:00 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At38.job
2012-07-05 13:00 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At14.job
2012-07-05 11:00 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At36.job
2012-07-05 11:00 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At12.job
2012-07-05 10:03 - 2012-07-05 09:54 - 00000340 ____A C:\Windows\Tasks\At11.job
2012-07-05 10:00 - 2012-07-05 09:54 - 00000342 ____A C:\Windows\Tasks\At35.job
2012-07-05 09:53 - 2012-07-05 09:53 - 00000002 ____A C:\Users\sruser\uz.dat
2012-07-05 09:04 - 2012-04-20 16:10 - 00002050 _RASH C:\Users\sruser\ntuser.pol
2012-06-27 16:00 - 2012-05-21 09:20 - 00000062 ____A C:\Windows\dcmvwr.INI
2012-06-27 09:59 - 2012-02-03 19:40 - 00181086 ____N C:\Windows\Minidump\062712-11076-01.dmp
2012-06-26 22:00 - 2012-04-20 14:24 - 00022350 ____A C:\Windows\PowerSetup.ini
2012-06-18 13:16 - 2012-06-06 16:38 - 00000062 ____A C:\Windows\PCVCDBR.INI
2012-06-14 14:38 - 2012-05-15 14:11 - 00000330 ____A C:\Windows\Tasks\HPCeeScheduleForSR-HW-01$.job
2012-06-14 09:29 - 2012-05-10 16:15 - 00000822 ____A C:\temp.bmp
2012-06-13 03:20 - 2009-07-13 21:33 - 00349312 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 03:02 - 2012-04-17 11:08 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-06 17:07 - 2012-04-27 12:16 - 01728054 ____A C:\Users\sruser\Desktop\elbow composite.bmp
2012-06-06 16:38 - 2012-06-06 16:38 - 00000000 ____A C:\Windows\pcvcdvw.INI
2012-06-04 16:49 - 2012-06-04 16:48 - 00004368 ____A C:\Users\sruser\Desktop\unhide.txt
2012-06-04 16:04 - 2012-05-21 16:40 - 02127960 ____A (Kaspersky Lab ZAO) C:\Users\Administrator\Desktop\TDSSKiller.com.exe
2012-06-04 16:01 - 2012-06-04 16:01 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\unhide.exe
2012-06-02 15:19 - 2012-06-19 02:45 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 15:19 - 2012-06-19 02:45 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 15:19 - 2012-06-19 02:45 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:19 - 2012-06-19 02:45 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 15:19 - 2012-06-19 02:45 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 15:19 - 2012-06-19 02:45 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 15:12 - 2012-06-19 02:45 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 15:12 - 2012-06-19 02:45 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:12 - 2012-06-19 02:45 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-14 20:03 - 2012-06-13 01:21 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 20:00 - 2012-06-13 01:21 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 18:05 - 2012-06-13 01:21 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-07 15:20 - 2012-05-07 15:21 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-05-07 15:20 - 2012-05-07 15:21 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-05-03 13:45 - 2012-05-03 13:45 - 00000000 ____A C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-04-30 21:44 - 2012-06-13 01:21 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 20:17 - 2012-06-13 01:21 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 07:40 - 2012-04-27 07:40 - 13497721 ____A C:\Users\sruser\Downloads\SysinternalsSuite.zip


ZeroAccess:
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\@
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\U
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L\00000004.@
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L\1afb2d56
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L\201d3dde

ZeroAccess:
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\@
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\n
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 16:11] - [2012-07-25 12:08] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-02-03 18:50] - [2012-02-03 18:50] - 0246144 ____A (Microsoft Corporation) C37AEE5966EB5929E2051AC7409B5730


========================= Memory info ======================

Percentage of memory in use: 25%
Total physical RAM: 3242.02 MB
Available physical RAM: 2418.78 MB
Total Pagefile: 6482.32 MB
Available Pagefile: 5607.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.43 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:690.32 GB) (Free:655.21 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:8.21 GB) (Free:0.99 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (UNTITLED 1) (Removable) (Total:0.93 GB) (Free:0.93 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 955 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 690 GB 101 MB
Partition 3 Primary 8 GB 690 GB
Partition 4 Primary 1904 KB 698 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 100 MB Healthy System (partition with boot components)

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 690 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D HP_RECOVERY NTFS Partition 8 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 954 MB 1024 B

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F UNTITLED 1 FAT32 Removable 954 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 00:02

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 24-07-2012 02
Ran by sruser at 2012-07-25 12:13:20
Running from C:\Users\sruser\Desktop

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 16:11] - [2009-07-13 18:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 16:11] - [2012-07-25 12:08] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

=== End Of Search ===

Edited by Orange Blossom, 25 July 2012 - 03:14 PM.
Restored FRST log to post. ~ OB


#4 DJGaGa
  • Topic Starter
  • Members
  • 4 posts

Posted 25 July 2012 - 03:24 PM

Farbar Recovery Scan Tool Version: 24-07-2012 02
Ran by sruser at 2012-07-25 12:13:20
Running from C:\Users\sruser\Desktop

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 16:11] - [2009-07-13 18:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 16:11] - [2012-07-25 12:08] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

=== End Of Search ===

#5 DJGaGa
  • Topic Starter
  • Members
  • 4 posts

Posted 25 July 2012 - 03:26 PM

Note: F8 Restore is not working. Screen just hangs on a black screen.

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 July 2012 - 02:49 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
C:\WINDOWS\assembly\GAC\Desktop.ini
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
CMD: Del /q C:\Windows\Tasks\At*.job


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
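The FRST log in post #3 and the fix list in this post turn on three findings: a services.exe whose MD5 does not match the signed copy FRST found in WinSxS, the ZeroAccess folder pattern ({GUID}\@, \L, \U) under Installer and AppData\Local, and the At*.job scheduled tasks. As an added example (not code from the thread, from FRST, or from BleepingComputer), the Python script below parses a constructed excerpt made of lines copied from that log and extracts exactly those findings, so a responder reading such a log can see why each fix line is there. The excerpt, the EMPTY_MD5 constant (the MD5 of zero-length input) and the reason strings are the example's own.

```python
r"""Triage helper for an FRST log like the one posted in this thread.

Added example (not from the thread, FRST or BleepingComputer): parses a
constructed excerpt of the post #3 log and extracts the three findings the
fix list in post #6 targets: services.exe whose MD5 does not match the signed
WinSxS copy, the ZeroAccess folder pattern ({GUID}\@, \L, \U), and At*.job tasks.
"""
import re

# MD5 of zero-length input; a tool reporting it for a 259 KB file most likely could not read the file.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Constructed excerpt of the log in this thread, not a complete FRST log.
SAMPLE_LOG = r"""
2012-07-05 09:54 - 2012-07-13 12:00 - 00000342 ____A C:\Windows\Tasks\At37.job
2012-07-05 09:54 - 2012-07-05 17:04 - 00000340 ____A C:\Windows\Tasks\At18.job

ZeroAccess:
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\@
C:\Windows\Installer\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\U

ZeroAccess:
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}
C:\Users\sruser\AppData\Local\{e24ace88-0b6f-8f8d-839a-2e907fc0da1e}\L

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 16:11] - [2012-07-25 12:08] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 16:11] - [2009-07-13 18:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")
AT_JOB = re.compile(r"\\Tasks\\(At\d+\.job)$")
GUID_DIR = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
# "[created] - [modified] - size attrs (signer) md5": the line FRST prints under a path
FILE_DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_frst(text):
    """Walk the log once; collect file details, ZeroAccess paths, At jobs and verified files."""
    t = {"files": {}, "zeroaccess": [], "at_jobs": [], "legit": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    in_zeroaccess = False
    for i, line in enumerate(lines):
        if not line:
            in_zeroaccess = False           # a blank line ends a ZeroAccess block
        elif line == "ZeroAccess:":
            in_zeroaccess = True
        elif in_zeroaccess:
            t["zeroaccess"].append(line)
        elif m := AT_JOB.search(line):
            t["at_jobs"].append(m.group(1))
        elif line.endswith("=> MD5 is legit"):
            t["legit"].append(line.split(" =>")[0])
        elif PATH_LINE.match(line) and i + 1 < len(lines):
            d = FILE_DETAIL.match(lines[i + 1])
            if d:                           # a path line followed by its detail line
                t["files"][line] = {"size": int(d["size"]), "signer": d["signer"],
                                    "md5": d["md5"].upper()}
    return t

def assess_system_file(t, path):
    """Judge one system binary against signed copies of the same name found in the log."""
    if path in t["legit"]:
        return {"status": "verified by tool", "reasons": [], "references": []}
    rec = t["files"].get(path)
    if rec is None:
        return {"status": "not in log", "reasons": [], "references": []}
    name = path.rsplit("\\", 1)[-1].lower()
    refs = [p for p, r in t["files"].items()
            if p != path and p.rsplit("\\", 1)[-1].lower() == name and r["signer"]]
    reasons = []
    if rec["md5"] == EMPTY_MD5:
        reasons.append("MD5 is the hash of empty input: the tool could not read the file")
    if not rec["signer"]:
        reasons.append("no publisher recorded for a Windows system binary")
    for ref in refs:
        if t["files"][ref]["md5"] != rec["md5"]:
            reasons.append(f"MD5 differs from the signed copy at {ref}")
            if t["files"][ref]["size"] == rec["size"]:
                reasons.append("same size as the signed copy, so not a version difference")
    return {"status": "suspect" if reasons else "consistent with reference",
            "reasons": reasons, "references": refs}

def triage_summary(t):
    """Condense the parsed log into what a responder has to decide on."""
    svc = assess_system_file(t, r"C:\Windows\System32\services.exe")
    guids = {m.group(0) for p in t["zeroaccess"] for m in GUID_DIR.finditer(p)}
    return {"services_exe": svc["status"], "services_reasons": svc["reasons"],
            "zeroaccess_guids": sorted(guids), "zeroaccess_paths": len(t["zeroaccess"]),
            "at_jobs": len(t["at_jobs"]), "verified_legit": t["legit"]}

if __name__ == "__main__":
    for key, value in triage_summary(parse_frst(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The same-size, different-hash comparison against the WinSxS component-store copy is the check the `Replace:` line of the fix list relies on: FRST located a signed copy of the same version to restore from. The reported hash D41D8CD98F00B204E9800998ECF8427E is the MD5 of empty input, so the log's "IS INFECTED" verdict here says the running system would not let the tool read services.exe at all, which is why the fix is run from the recovery environment rather than from the live system.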

#7 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 July 2012 - 01:38 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 August 2012 - 05:44 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



