Sirefef


  • This topic is locked
2 replies to this topic

#1 sopp

sopp

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 28 July 2012 - 10:29 AM

I appear to be yet another victim of the Sirefef virus. My Microsoft Security Essentials detected several threats after performing a scan, and immediately after that I got a 'Windows will reboot in one minute' message, locking me in a cycle of reboots. Here are the logs from FRST.
Thank you in advance for your help.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 28-07-2012 18:05:07
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [497648 2010-09-16] (Adobe Systems Incorporated)
HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [SoundMan] SOUNDMAN.EXE [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [74752 2011-03-17] (Nullsoft, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "D:\Adobe\Acrobat\Acrobat\Acrobat_sl.exe" [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat\Acrobat\Acrotray.exe" [x]
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [UnlockerAssistant] "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe" [17408 2010-07-04] ()
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-01-30] ()
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-06-27] (LogMeIn Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-06-11] (Advanced Micro Devices, Inc.)
HKU\Dani\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Dani\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [4527424 2011-08-16] (DT Soft Ltd)
HKU\Dani\...\Run: [Google Update] "C:\Users\Dani\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-22] (Google Inc.)
HKU\Dani\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Guest\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Guest\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [4527424 2011-08-16] (DT Soft Ltd)
HKU\Guest\...\Run: [Google Update] "C:\Users\Dani\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-22] (Google Inc.)
HKU\Guest\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\LOLRecorder.lnk
ShortcutTarget: LOLRecorder.lnk -> C:\Program Files (x86)\LOLReplay\LOLRecorder.exe ()
Startup: C:\Users\Dani\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Dani\Start Menu\Programs\Startup\Launchy.lnk
ShortcutTarget: Launchy.lnk -> C:\Program Files (x86)\Launchy\Launchy.exe ()

==================== Services (Whitelisted) ======

2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [2369960 2012-06-27] (LogMeIn Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 PinnacleUpdateSvc; C:\Program Files (x86)\PowerUp Software\Pinnacle Game Profiler\pinnacle_updater.exe [430080 2011-05-09] (PowerUp Software, LLC)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-07-05] ()
4 RemoteAccess; C:\Windows\SysWOW64\nprdim.dll [x]

========================== Drivers (Whitelisted) =============

3 ALCXWDM; C:\Windows\System32\drivers\RTKVAC64.SYS [3492128 2009-03-10] (Realtek Semiconductor Corp.)
3 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [271424 2011-11-30] (DT Soft Ltd)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [526392 2011-11-30] (Duplex Secure Ltd.)
3 EverestDriver; \??\D:\dani\EVEREST Ultimate Edition 5.30.2032 Beta\kerneld.amd64 [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-28 18:04 - 2012-07-28 18:05 - 00000000 ____D C:\FRST
2012-07-28 06:51 - 2012-07-28 06:42 - 01438391 ____A (Farbar) C:\Users\Dani\Desktop\FRST64.exe
2012-07-28 06:46 - 2012-07-28 06:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.97EBD83E0B4ACC89
2012-07-28 06:26 - 2012-07-28 06:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F9D8E8D44C366F63
2012-07-28 06:22 - 2012-07-28 06:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.478F539887AA7F60
2012-07-28 06:18 - 2012-07-28 06:18 - 00000000 ____D C:\Windows\pss
2012-07-28 05:49 - 2012-07-28 05:49 - 00000000 ____D C:\Users\Dani\Downloads\PESEdit.com 2013 Demo Patch 1.0
2012-07-28 05:44 - 2012-07-28 05:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-28 05:44 - 2012-07-28 05:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-28 05:41 - 2012-07-28 05:42 - 184067455 ____A C:\Users\Dani\Downloads\PESEdit.com 2013 Demo Patch 1.0.rar
2012-07-27 06:37 - 2012-07-27 06:37 - 00000000 ____D C:\Users\Dani\AppData\Local\Criterion Games
2012-07-27 06:34 - 2012-07-27 06:34 - 00000000 ____D C:\Users\All Users\Electronic Arts
2012-07-27 06:33 - 2012-07-27 06:33 - 00001452 ____A C:\Windows\SysWOW64\ealregsnapshot1.reg
2012-07-26 13:01 - 2012-07-26 13:04 - 00000000 ____D C:\Users\Dani\AppData\Roaming\mIRC
2012-07-26 13:01 - 2012-07-26 13:01 - 00000000 ____D C:\Program Files (x86)\mIRC
2012-07-26 12:53 - 2012-07-26 12:59 - 00000000 ____D C:\Users\Dani\Documents\Calibre Library
2012-07-26 12:53 - 2012-07-26 12:53 - 00000000 ____D C:\Users\Dani\AppData\Roaming\calibre
2012-07-26 12:52 - 2012-07-26 12:52 - 00000960 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk
2012-07-26 12:52 - 2012-07-26 12:52 - 00000000 ____D C:\Program Files (x86)\Calibre2
2012-07-15 23:46 - 2012-04-13 01:01 - 01867776 ____A C:\Users\Dani\Desktop\xf-maya2013_x64.exe
2012-07-15 23:36 - 2012-07-15 23:47 - 00000000 ____D C:\Users\Dani\Documents\maya
2012-07-15 23:36 - 2012-07-15 23:39 - 00000000 ____D C:\Users\All Users\FLEXnet
2012-07-15 23:36 - 2012-07-15 23:36 - 00000000 ____D C:\Users\Dani\AppData\Local\Autodesk
2012-07-15 16:27 - 2012-07-15 16:27 - 00000000 ____D C:\Users\Dani\Documents\Inventor Server x64 Direct Connect
2012-07-15 16:26 - 2012-07-15 16:26 - 00000000 ____D C:\Program Files (x86)\Autodesk
2012-07-15 16:22 - 2012-07-15 16:24 - 00000000 ____D C:\Program Files\Autodesk
2012-07-15 16:22 - 2012-07-15 16:22 - 00001455 ____A C:\Users\Public\Desktop\Autodesk Maya 2013 64-bit.lnk
2012-07-15 16:22 - 2012-07-15 16:22 - 00000000 ____D C:\Program Files\Common Files\Macrovision Shared
2012-07-15 16:17 - 2012-07-15 16:26 - 00000000 ____D C:\Program Files\Common Files\Autodesk Shared
2012-07-15 15:58 - 2012-07-15 23:47 - 00000000 ____D C:\Users\Dani\AppData\Roaming\Autodesk
2012-07-15 15:58 - 2012-07-15 23:47 - 00000000 ____D C:\Users\All Users\Autodesk
2012-07-15 10:40 - 2012-07-15 10:40 - 00000000 ____D C:\Users\Dani\Documents\Almost Human
2012-07-12 11:26 - 2012-07-26 08:10 - 00000000 ____D C:\Users\Dani\AppData\Roaming\Raptr
2012-07-12 11:26 - 2012-07-12 11:27 - 00000000 ____D C:\Program Files (x86)\Raptr
2012-07-07 10:19 - 2012-07-07 10:19 - 00273168 ____A C:\Windows\Minidump\070712-22109-01.dmp
2012-07-05 11:16 - 2012-07-13 12:06 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-07-05 11:16 - 2012-07-05 11:16 - 00000000 ____D C:\Users\Dani\AppData\Local\PunkBuster
2012-07-05 11:11 - 2012-07-13 12:06 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-07-05 11:11 - 2012-07-09 05:18 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-07-05 11:11 - 2012-07-05 11:17 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2012-07-05 11:11 - 2012-07-05 11:07 - 03130440 ____A C:\Windows\SysWOW64\pbsvc_blr.exe
2012-07-05 11:10 - 2012-07-05 11:10 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-07-03 01:52 - 2012-07-03 01:55 - 38944805 ____A C:\Users\Dani\Desktop\Logo5 - Stuklo.m4a
2012-07-02 23:31 - 2012-07-02 23:31 - 00000000 ____D C:\Users\All Users\ATI
2012-07-02 23:31 - 2012-07-02 23:31 - 00000000 ____D C:\Program Files (x86)\AMD APP
2012-07-02 23:23 - 2012-07-02 23:23 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi

============ 3 Months Modified Files ========================

2012-07-28 06:51 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-28 06:50 - 2011-08-22 07:51 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-28 06:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-28 06:48 - 2009-07-13 20:51 - 00039168 ____A C:\Windows\setupact.log
2012-07-28 06:46 - 2012-07-28 06:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.97EBD83E0B4ACC89
2012-07-28 06:42 - 2012-07-28 06:51 - 01438391 ____A (Farbar) C:\Users\Dani\Desktop\FRST64.exe
2012-07-28 06:26 - 2012-07-28 06:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F9D8E8D44C366F63
2012-07-28 06:22 - 2012-07-28 06:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.478F539887AA7F60
2012-07-28 05:54 - 2012-06-20 14:51 - 00119296 ____A C:\Windows\SysWOW64\zlib.dll
2012-07-28 05:46 - 2011-05-20 12:44 - 01766671 ____A C:\Windows\WindowsUpdate.log
2012-07-28 05:45 - 2011-05-21 03:39 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-28 05:44 - 2011-05-21 03:38 - 00787930 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-28 05:42 - 2012-07-28 05:41 - 184067455 ____A C:\Users\Dani\Downloads\PESEdit.com 2013 Demo Patch 1.0.rar
2012-07-28 05:34 - 2011-12-04 12:22 - 00001004 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2950565119-3029434765-3803492602-1001UA.job
2012-07-28 05:04 - 2011-08-22 07:51 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-27 10:40 - 2011-12-04 12:22 - 00000952 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2950565119-3029434765-3803492602-1001Core.job
2012-07-27 06:33 - 2012-07-27 06:33 - 00001452 ____A C:\Windows\SysWOW64\ealregsnapshot1.reg
2012-07-27 06:28 - 2011-05-20 13:45 - 00334748 ____A C:\Windows\DirectX.log
2012-07-26 12:58 - 2009-07-13 21:13 - 00782528 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-26 12:52 - 2012-07-26 12:52 - 00000960 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk
2012-07-26 05:22 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-26 05:22 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-23 13:12 - 2011-11-02 06:22 - 00000600 ____A C:\Users\Dani\AppData\Local\PUTTY.RND
2012-07-15 16:22 - 2012-07-15 16:22 - 00001455 ____A C:\Users\Public\Desktop\Autodesk Maya 2013 64-bit.lnk
2012-07-13 12:06 - 2012-07-05 11:16 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-07-13 12:06 - 2012-07-05 11:11 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-07-09 05:18 - 2012-07-05 11:11 - 00298016 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-07-07 10:19 - 2012-07-07 10:19 - 00273168 ____A C:\Windows\Minidump\070712-22109-01.dmp
2012-07-05 11:17 - 2012-07-05 11:11 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2012-07-05 11:07 - 2012-07-05 11:11 - 03130440 ____A C:\Windows\SysWOW64\pbsvc_blr.exe
2012-07-03 01:55 - 2012-07-03 01:52 - 38944805 ____A C:\Users\Dani\Desktop\Logo5 - Stuklo.m4a
2012-06-27 04:33 - 2012-05-02 23:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-27 04:33 - 2011-05-20 13:13 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-27 04:22 - 2012-06-27 04:12 - 00319488 ____A (Realtek Semiconductor Corp.) C:\Windows\HideWin.exe
2012-06-26 14:17 - 2011-11-29 11:19 - 00000003 ____A C:\Windows\System32\HRUPPROG.TXT
2012-06-20 15:27 - 2012-06-20 15:27 - 00024283 ____A C:\Users\Dani\Downloads\Fahrenheit - Indigo Prophecy.pin
2012-06-20 15:18 - 2011-05-21 04:44 - 00026838 ____A C:\Windows\PFRO.log
2012-06-20 12:28 - 2012-06-20 12:28 - 00000725 ____A C:\Users\Public\Desktop\Fahrenheit (Indigo Prophecy).lnk
2012-06-11 02:50 - 2012-06-11 02:50 - 16457728 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl64.dll
2012-06-11 02:50 - 2012-06-11 02:50 - 00187392 ____A C:\Windows\System32\clinfo.exe
2012-06-11 02:50 - 2012-06-11 02:50 - 00075264 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo64.dll
2012-06-11 02:50 - 2012-06-11 02:50 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OpenVideo.dll
2012-06-11 02:50 - 2012-06-11 02:50 - 00063488 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode64.dll
2012-06-11 02:50 - 2012-06-11 02:50 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OVDecode.dll
2012-06-11 02:49 - 2012-06-11 02:49 - 13008896 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2012-06-02 14:19 - 2012-06-18 19:38 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 19:38 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 19:38 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 19:38 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 19:38 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-18 19:38 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-18 19:38 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 04:19 - 2012-06-18 19:38 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 04:15 - 2012-06-18 19:38 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-28 09:56 - 2012-05-28 09:56 - 01785856 ____A C:\Windows\SysWOW64\ipnathlp.dll
2012-05-28 09:56 - 2012-05-28 09:56 - 00000400 ____A C:\Windows\SysWOW64\ipnathlp.ocx
2012-05-25 09:00 - 2012-05-25 09:00 - 00013927 ____A C:\Users\Dani\Downloads\Fear And Loathing In Las Vegas DC (1998) BRRip XvidHD 720p-NPW.torrent
2012-05-22 04:58 - 2012-05-22 04:58 - 00641584 ____A C:\Windows\Minidump\052212-49484-01.dmp
2012-05-07 08:30 - 2011-11-02 01:25 - 00007168 ____A C:\Users\Dani\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-07 06:03 - 2012-05-07 06:03 - 00000947 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-05-03 03:06 - 2012-05-02 23:11 - 31600444 ____A C:\1020.log
2012-05-02 23:30 - 2009-07-13 18:34 - 00002033 ____A C:\Windows\win.ini
2012-05-02 23:21 - 2011-06-26 09:10 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-02 23:10 - 2012-05-02 23:10 - 02460952 ____A C:\Users\Dani\Downloads\lj1020-HB-pnp-win32-en.exe

ZeroAccess:
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\@
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\L
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\n
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U\00000001.@
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U\80000000.@
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U\800000cb.@

ZeroAccess:
C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}
C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}\@
C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}\L
C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}\n
C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3071.55 MB
Available physical RAM: 2537.17 MB
Total Pagefile: 3069.7 MB
Available Pagefile: 2530.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:84.15 GB) (Free:2.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Big) (Fixed) (Total:195.31 GB) (Free:20.92 GB) NTFS
4 Drive f: () (Removable) (Total:0.48 GB) (Free:0.24 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 279 GB 1024 KB
Disk 1 Online 490 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 84 GB 31 KB
Partition 2 Primary 195 GB 84 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 84 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Big NTFS Partition 195 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 489 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 489 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-23 09:45

======================= End Of Log ==========================




Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-28 18:06:28
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-28 06:51] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
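The two FRST sections that matter in the log above are the "Bamital & volsnap Check" (services.exe fails the MD5 check and is tagged ZeroAccess) and the "Search:" block (a WinSxS copy of services.exe with a different hash). The following Python is an added example, not code from the thread or from FRST, that parses those sections plus the "ZeroAccess:" directory markers; the embedded log is a constructed excerpt modelled on the one posted here.

```python
"""Pull ZeroAccess indicators out of an FRST log (added example, not FRST's own code).
FRST's "Bamital & volsnap Check" compares core binaries against known-good MD5s and a
"Search:" block lists every copy of a file name with its MD5; pairing the two shows
which WinSxS copy a fixlist "Replace:" directive could restore from."""
import re
# Constructed excerpt modelled on the FRST log posted in the thread above.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\@
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}\U\80000000.@

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-28 06:51] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
"""
HEADER_RE = re.compile(r"^=+\s+(\S.*?)\s+=+$")  # '=== Title ===' section headers
PATH_RE = re.compile(r"^[A-Za-z]:\\")
FLAGGED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<tag>\S+)\s+<====")
SEARCH_MD5_RE = re.compile(r"^\[.*?\] - \[.*?\] - \d+ \S+ \(.*?\) (?P<md5>[0-9A-Fa-f]{32})$")
GUID_DIR_RE = re.compile(r"^[A-Za-z]:\\.*?\{[0-9a-fA-F-]{36}\}")

def sections(log: str) -> dict[str, list[str]]:
    """Split the log into {section title: non-blank lines} on its '=== Title ===' headers."""
    out, current = {}, "preamble"
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            out.setdefault(current, [])
        elif line.strip():
            out.setdefault(current, []).append(line.rstrip())
    return out

def failed_md5_checks(log: str) -> dict[str, tuple[str, str]]:
    """{path: (md5, tag)} for every binary the Bamital & volsnap Check flagged."""
    hits = (FLAGGED_RE.match(ln) for ln in sections(log).get("Bamital & volsnap Check", []))
    return {m["path"]: (m["md5"].upper(), m["tag"]) for m in hits if m}

def search_results(log: str) -> dict[str, str]:
    """{path: md5} from every 'Search:' block; FRST prints the path, then an attribute line."""
    results, pending = {}, None
    for title, lines in sections(log).items():
        for ln in (lines if title.startswith("Search:") else []):
            if PATH_RE.match(ln):
                pending = ln
            elif pending and (m := SEARCH_MD5_RE.match(ln)):
                results[pending], pending = m["md5"].upper(), None
    return results

def reference_copies(log: str) -> list[tuple[str, str, str, str]]:
    """[(flagged_path, bad_md5, winsxs_path, winsxs_md5)] for flagged files with a differently
    hashed WinSxS copy. A differing hash alone does not prove the WinSxS copy is pristine;
    confirm its version before using it in a fixlist Replace: line."""
    hits, searched = [], search_results(log)
    for path, (bad_md5, _tag) in failed_md5_checks(log).items():
        name = "\\" + path.rsplit("\\", 1)[-1].lower()
        for other, md5 in searched.items():
            if "\\winsxs\\" in other.lower() and other.lower().endswith(name) and md5 != bad_md5:
                hits.append((path, bad_md5, other, md5))
    return hits

def zeroaccess_dirs(log: str) -> list[str]:
    """GUID-named directories FRST lists under its 'ZeroAccess:' markers (a block ends at a blank line)."""
    dirs, in_block = set(), False
    for line in log.splitlines():
        if line.strip() == "ZeroAccess:":
            in_block = True
        elif not line.strip():
            in_block = False
        elif in_block and (m := GUID_DIR_RE.match(line.strip())):
            dirs.add(m.group(0))
    return sorted(dirs)
```

Run against the posted log, `reference_copies` returns the same pairing the helper's `Replace:` line in the reply below uses, and `zeroaccess_dirs` returns the two GUID directories listed in that fixlist.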



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:02 AM

Posted 30 July 2012 - 10:06 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Users\Dani\AppData\Local\{0d2c9a9d-d613-5073-17a6-8152fed31670}
C:\Windows\Installer\{0d2c9a9d-d613-5073-17a6-8152fed31670}
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe  C:\Windows\System32\services.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • Fixlog.txt report from FRST
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:02 AM

Posted 05 August 2012 - 12:25 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

