Saturday 30 June 2012

Virus:Win32/Sirefef.R Windows reboots

    #1 pokkers

    • Group: Members
    • Posts: 1
    • Joined: Today, 01:05 PM

    Posted Today, 01:56 PM

    Hi guys.

    I'm trying to fix my dad's computer, which reboots with a message that Windows has found an error.
    I attached the hard drive to another computer and did a scan with MSE, and it found the virus in services.exe.
    I tried to follow the prep guide, but there is no time to do anything before it reboots.

    I ran FRST and here is the logfile:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01
    Ran by SYSTEM at 28-06-2012 20:50:51
    Running from F:\
    Windows Vista ™ Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1021224 2007-09-07] (Synaptics, Inc.)
    HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-07] (Synaptics, Inc.)
    HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [71216 2007-03-14] (Cyberlink Corp.)
    HKLM\...\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [54832 2007-02-07] ()
    HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [457216 2007-04-25] (HiTRUST)
    HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [858632 2007-10-17] (Dritek System Inc.)
    HKLM\...\Run: [HPUsageTrackingLEDM] "C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files\HP\HP UT LEDM\" [30264 2009-08-04] (Hewlett-Packard Company)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-14] (Adobe Systems Incorporated)
    HKU\Lars\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-04-10] (Google Inc.)
    HKU\Lars\...\Run: [Google Update] "C:\Users\Lars\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2009-09-05] (Google Inc.)
    HKU\Lars\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
    HKU\Lars\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Sebastian\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-04-10] (Google Inc.)
    HKU\Sebastian\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    HKLM\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDg5Nzg5NjEzLVQxLVhMKzEtVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLVRCOCsyLUZMKzgtUUlYMSs0LVgyMDEwKzItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzQtU1AxUzQrMS1ERFQrMjA1NDQtREQxMEYrMS1TVDEwRkFQUCsxLUYxME0xMkROKzEtVEJOKzEtVTEwKzE"&"prod=90"&"ver=10.0.1416 [x]
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\BTTray.lnk
    ShortcutTarget: BTTray.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    ShortcutTarget: Empowering Technology Launcher.lnk -> C:\Acer\Empowering Technology\eAPLauncher.exe (Acer Inc.)

    ================================ Services (Whitelisted) ==================

    2 AGCoreService; "C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe" [20480 2010-06-28] (AG Interactive)
    2 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [132424 2008-11-07] (Apple Inc.)
    2 eDataSecurity Service; "C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [457512 2007-04-25] (HiTRSUT)
    3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [292352 2008-01-18] (Microsoft Corporation)
    3 ehSched; C:\Windows\ehome\ehsched.exe [131072 2006-11-02] (Microsoft Corporation)
    2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-04-22] (Acer Inc.)
    2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [135168 2007-06-13] (Acer Inc.)
    2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [57344 2007-09-10] (Acer Inc.)
    2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-06-28] ()
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [45816 2009-08-07] (NOS Microsystems Ltd.)
    2 HP LaserJet Service; "C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe" [136704 2009-06-24] (HP)
    2 HPSIService; C:\Windows\system32\HPSIsvc.exe [99896 2010-04-07] (HP)
    2 Irmon; C:\Windows\System32\irmon.dll [17920 2006-11-02] (Microsoft Corporation)
    2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [107008 2006-11-24] ()
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    2 MSSQL$MSSMLBIZ; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29263712 2008-11-24] (Microsoft Corporation)
    4 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [45408 2008-11-24] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 o2flash; "C:\Program Files\O2Micro Oz128 Driver\o2flash.exe" [65536 2007-02-12] (O2Micro International)
    2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2007-04-02] ()
    2 SQLBrowser; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [239968 2008-11-24] (Microsoft Corporation)
    2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [86880 2010-12-10] (Microsoft Corporation)
    2 TeamViewer; "C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service [185640 2009-01-22] (TeamViewer GmbH)
    2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-06-13] (acer)
    2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

    ========================== Drivers (Whitelisted) =============

    3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
    2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [15392 2007-07-03] (Acer, Inc.)
    2 irda; C:\Windows\System32\DRIVERS\irda.sys [95744 2008-01-18] (Microsoft Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [17408 2010-03-05] (Marvell Semiconductor, Inc.)
    3 NSCIRDA; C:\Windows\System32\DRIVERS\nscirda.sys [30720 2008-01-18] (National Semiconductor Corporation)
    3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2007-09-14] (NewTech Infosystems, Inc.)
    0 O2MDRDR; C:\Windows\System32\DRIVERS\o2media.sys [39680 2007-04-03] (O2Micro )
    0 O2SDRDR; C:\Windows\System32\DRIVERS\o2sd.sys [35712 2007-04-02] (O2Micro )
    0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [20776 2007-04-25] (HiTRUST)
    0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [16680 2007-04-25] (HiTRUST)
    0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [60712 2007-04-25] (HiTRUST)
    3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1769984 2007-10-01] ()
    3 WisINT15; \??\C:\Elements\1stboot\WisINT15.SYS [2339 2005-11-25] ()
    2 {95808DC4-FA4A-4c74-92FE-5B863F82066B}; \??\C:\Program Files\CyberLink\PowerDVD\000.fcl [13560 2006-11-02] (Cyberlink Corp.)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-06-21 12:32 - 2012-06-21 12:32 - 00012522 ____A C:\ComboFix.txt210612.txt
    2012-06-21 12:27 - 2012-06-21 12:27 - 00012522 ____A C:\ComboFix.txt
    2012-06-21 11:53 - 2012-06-21 12:28 - 00000000 ____D C:\ComboFix
    2012-06-18 18:35 - 2012-06-18 18:36 - 00000000 ____D C:\FRST
    2012-06-18 07:28 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-06-18 07:28 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-06-18 07:28 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-06-18 07:28 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-06-18 07:28 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-06-18 07:28 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-06-18 07:28 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-06-18 07:28 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-06-18 07:24 - 2012-06-18 07:10 - 04560591 ____R (Swearware) C:\Users\Sebastian\Desktop\ComboFix.exe
    2012-06-18 07:18 - 2012-06-21 12:28 - 00000000 ____D C:\Qoobox
    2012-06-18 07:17 - 2012-06-21 12:23 - 00000000 ____D C:\Windows\erdnt
    2012-06-15 07:14 - 2012-06-15 07:30 - 00000000 ____D C:\Users\Lars\AppData\Roaming\TeamViewer
    2012-06-15 07:02 - 2012-06-15 07:02 - 00001891 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk
    2012-06-15 07:02 - 2012-06-15 07:02 - 00000000 ____D C:\Program Files\Adobe
    2012-06-15 06:58 - 2012-06-15 06:58 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-06-15 06:58 - 2012-06-15 06:58 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-06-15 06:58 - 2012-06-15 06:58 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-06-15 06:58 - 2012-06-15 06:58 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-06-15 06:47 - 2012-06-15 06:47 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-15 06:42 - 2012-06-15 06:43 - 10300288 ____A (Microsoft Corporation) C:\Users\Sebastian\Downloads\mseinstall.exe
    2012-06-13 09:01 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-13 09:01 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-13 09:01 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-13 09:01 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-13 09:01 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-13 09:01 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-13 09:01 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-13 09:01 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-13 09:01 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-13 09:01 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-13 09:01 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-13 09:01 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-13 09:01 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-13 09:01 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 08:56 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-13 08:56 - 2012-05-01 06:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 08:56 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-13 08:56 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-13 08:56 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-11 09:02 - 2012-06-11 09:02 - 00138440 ____A C:\Windows\Minidump\Mini061112-01.dmp
    2012-06-11 03:58 - 2012-06-11 03:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-04 07:09 - 2012-06-04 07:09 - 00138440 ____A C:\Windows\Minidump\Mini060412-01.dmp
    2012-06-02 23:39 - 2012-05-02 05:39 - 04286643 ____A C:\Users\Lars\Desktop\Rasmus Seebach Millionær feat. Ankerstjerne - YouTube.mp3
    2012-06-02 13:19 - 2012-06-02 13:19 - 00001768 ____A C:\Users\Lars\Desktop\Windows Movie Maker.lnk
    2012-06-02 13:10 - 2012-06-02 13:21 - 00003584 ____A C:\Users\Lars\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ============ 3 Months Modified Files and Folders ===============

    2012-06-28 10:28 - 2010-01-29 00:44 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-06-28 10:28 - 2009-08-31 23:00 - 00065536 _____ C:\Windows\System32\Ikeext.etl
    2012-06-28 10:28 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-06-28 10:28 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-28 10:28 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-22 12:25 - 2010-01-29 00:44 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-06-22 12:24 - 2009-09-05 04:37 - 00000938 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767389403-1596513045-919892342-1006UA.job
    2012-06-22 11:38 - 2008-04-07 16:37 - 02001893 ____A C:\Windows\WindowsUpdate.log
    2012-06-22 11:30 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\tracing
    2012-06-22 11:27 - 2006-11-02 02:33 - 01389676 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-21 12:42 - 2008-04-07 16:39 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-06-21 12:42 - 2006-11-02 05:01 - 00032606 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-06-21 12:37 - 2012-01-06 12:38 - 00002198 ____A C:\Windows\epplauncher.mif
    2012-06-21 12:32 - 2012-06-21 12:32 - 00012522 ____A C:\ComboFix.txt210612.txt
    2012-06-21 12:28 - 2012-06-21 11:53 - 00000000 ____D C:\ComboFix
    2012-06-21 12:28 - 2012-06-18 07:18 - 00000000 ____D C:\Qoobox
    2012-06-21 12:27 - 2012-06-21 12:27 - 00012522 ____A C:\ComboFix.txt
    2012-06-21 12:27 - 2006-11-02 03:18 - 00000000 __RHD C:\users\Default
    2012-06-21 12:27 - 2006-11-02 03:18 - 00000000 ___RD C:\users\Public
    2012-06-21 12:23 - 2012-06-18 07:17 - 00000000 ____D C:\Windows\erdnt
    2012-06-21 12:17 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
    2012-06-21 12:16 - 2007-09-14 06:24 - 00243898 ____A C:\Windows\PFRO.log
    2012-06-21 11:00 - 2008-04-07 10:46 - 00000000 ____D C:\users\Sebastian
    2012-06-18 20:52 - 2009-09-16 22:08 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-06-18 18:36 - 2012-06-18 18:35 - 00000000 ____D C:\FRST
    2012-06-18 08:29 - 2010-05-17 11:03 - 00001356 ____A C:\Users\Sebastian\AppData\Local\d3d9caps.dat
    2012-06-18 07:23 - 2006-11-02 04:52 - 00074360 ____A C:\Windows\setupact.log
    2012-06-18 07:10 - 2012-06-18 07:24 - 04560591 ____R (Swearware) C:\Users\Sebastian\Desktop\ComboFix.exe
    2012-06-15 07:30 - 2012-06-15 07:14 - 00000000 ____D C:\Users\Lars\AppData\Roaming\TeamViewer
    2012-06-15 07:15 - 2009-09-05 04:37 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767389403-1596513045-919892342-1006Core.job
    2012-06-15 07:10 - 2012-01-11 13:15 - 00000000 __SHD C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}
    2012-06-15 07:02 - 2012-06-15 07:02 - 00001891 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk
    2012-06-15 07:02 - 2012-06-15 07:02 - 00000000 ____D C:\Program Files\Adobe
    2012-06-15 07:02 - 2008-08-06 01:35 - 00000000 ____D C:\Program Files\Common Files\Adobe
    2012-06-15 07:02 - 2007-09-14 05:47 - 00000000 ____D C:\Users\All Users\Adobe
    2012-06-15 06:59 - 2008-06-03 04:01 - 00000000 ____D C:\Program Files\Common Files\Java
    2012-06-15 06:58 - 2012-06-15 06:58 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-06-15 06:58 - 2012-06-15 06:58 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-06-15 06:58 - 2012-06-15 06:58 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-06-15 06:58 - 2012-06-15 06:58 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-06-15 06:58 - 2010-05-09 06:24 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-06-15 06:58 - 2008-06-03 04:01 - 00000000 ____D C:\Program Files\Java
    2012-06-15 06:47 - 2012-06-15 06:47 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-15 06:43 - 2012-06-15 06:42 - 10300288 ____A (Microsoft Corporation) C:\Users\Sebastian\Downloads\mseinstall.exe
    2012-06-14 09:10 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
    2012-06-13 22:37 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
    2012-06-13 22:20 - 2006-11-02 04:47 - 00371144 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 22:11 - 2007-09-14 06:10 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2012-06-13 22:02 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-12 09:04 - 2007-09-14 06:18 - 00000000 ____D C:\Program Files\Microsoft SQL Server
    2012-06-12 09:04 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Registration
    2012-06-11 09:02 - 2012-06-11 09:02 - 00138440 ____A C:\Windows\Minidump\Mini061112-01.dmp
    2012-06-11 09:02 - 2010-02-01 12:48 - 00000000 ____D C:\Windows\Minidump
    2012-06-11 09:02 - 2010-02-01 12:47 - 273373505 ____A C:\Windows\MEMORY.DMP
    2012-06-11 03:58 - 2012-06-11 03:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-04 07:09 - 2012-06-04 07:09 - 00138440 ____A C:\Windows\Minidump\Mini060412-01.dmp
    2012-06-03 04:41 - 2009-09-05 04:45 - 00000000 ____D C:\Users\Lars\Tracing
    2012-06-02 13:21 - 2012-06-02 13:10 - 00003584 ____A C:\Users\Lars\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-06-02 13:19 - 2012-06-02 13:19 - 00001768 ____A C:\Users\Lars\Desktop\Windows Movie Maker.lnk
    2012-05-17 15:11 - 2012-06-13 09:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 09:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 09:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 09:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 09:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 09:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 14:33 - 2012-06-13 09:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 14:31 - 2012-06-13 09:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 09:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 14:29 - 2012-06-13 09:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 09:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 09:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 09:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 09:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-15 11:51 - 2012-06-13 08:56 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-11 09:42 - 2006-11-02 04:37 - 00000000 ____D C:\Program Files\Windows Journal
    2012-05-11 09:24 - 2012-05-07 02:00 - 00000000 ____D C:\Users\All Users\F4D562BF00780F90013CF449570F1C8B
    2012-05-11 09:02 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\System32\XPSViewer
    2012-05-07 02:03 - 2012-05-07 02:03 - 00001040 ____A C:\Users\Sebastian\Desktop\Smart Fortress 2012.lnk
    2012-05-07 00:38 - 2010-09-20 08:32 - 00126016 ____A C:\Users\Sebastian\danid.log
    2012-05-03 07:09 - 2009-09-05 04:07 - 00000000 ____D C:\Users\Lars\AppData\Local\Google
    2012-05-03 07:08 - 2010-10-09 03:02 - 00002659 ____A C:\Users\Lars\Desktop\Microsoft Office Word 2007.lnk
    2012-05-02 05:39 - 2012-06-02 23:39 - 04286643 ____A C:\Users\Lars\Desktop\Rasmus Seebach Millionær feat. Ankerstjerne - YouTube.mp3
    2012-05-01 06:03 - 2012-06-13 08:56 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-24 09:02 - 2012-04-24 09:02 - 00138440 ____A C:\Windows\Minidump\Mini042412-01.dmp
    2012-04-23 08:00 - 2012-06-13 08:56 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 08:00 - 2012-06-13 08:56 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 08:00 - 2012-06-13 08:56 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-16 02:48 - 2010-09-20 08:32 - 01060208 ____A C:\Users\Sebastian\danid.log.1
    2012-04-14 09:02 - 2012-04-14 09:02 - 00138440 ____A C:\Windows\Minidump\Mini041412-01.dmp
    2012-04-03 00:16 - 2012-05-10 23:20 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2012-04-03 00:16 - 2012-05-10 23:20 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

    ZeroAccess:
    C:\Windows\Installer\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}
    C:\Windows\Installer\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\@
    C:\Windows\Installer\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\L
    C:\Windows\Installer\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\U

    ZeroAccess:
    C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}
    C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\@
    C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\L
    C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}\U

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe
    [2009-09-16 22:08] - [2009-04-10 22:27] - 2926592 ____A (Microsoft Corporation)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 2045.5 MB
    Available physical RAM: 1762.11 MB
    Total Pagefile: 1977.4 MB
    Available Pagefile: 1837.45 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.35 MB

    ======================= Partitions =========================

    1 Drive c: (ACER) (Fixed) (Total:111.57 GB) (Free:60.33 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (DATA) (Fixed) (Total:111.55 GB) (Free:97.65 GB) NTFS
    4 Drive f: (KINGSTON) (Removable) (Total:7.31 GB) (Free:7.31 GB) FAT32
    5 Drive x: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:3.31 GB) FAT32

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online       233 GB  1177 KB
    Disk 1    Online      7498 MB     0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM                 10 GB  1024 KB
    Partition 2    Primary            112 GB    10 GB
    Partition 3    Primary            112 GB   121 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   X   PQSERVICE    FAT32  Partition     10 GB  Healthy    Hidden

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   C   ACER         NTFS   Partition    112 GB  Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   D   DATA         NTFS   Partition    112 GB  Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           7494 MB  4032 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   F   KINGSTON     FAT32  Removable   7494 MB  Healthy

    ======================================================================================================

    ==========================================================

    Last Boot: 2012-06-22 11:28

    ======================= End Of Log ==========================

    I hope for your help.
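The two "ZeroAccess:" entries FRST flagged above share one layout: a GUID-named folder, once under C:\Windows\Installer and once under the user's AppData\Local, holding an '@' entry plus 'L' and 'U' subfolders. The PowerShell below is an added example, not FRST's code and not part of the original thread, that looks for exactly that layout. The fixture it builds under $env:TEMP is constructed here so the check can be run without an infected machine; the Installer and per-user AppData\Local roots it also scans are the locations named in the log, and everything else (function name, output fields) is this example's own.

```powershell
# Added example (not FRST's code, not from the thread): look for the on-disk
# layout FRST reported under "ZeroAccess:" above. Windows PowerShell 2.0+.

function Find-ZeroAccessFolders {
    param([string[]]$Roots)

    # Folder name shaped like a GUID, e.g. {df7afafe-cca6-9ebd-e886-e53ca2584d5e}
    $guidName = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
    $markers  = @('@', 'L', 'U')

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force so hidden/system items are not skipped
        $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
        foreach ($dir in $dirs) {
            try {
                $names = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop |
                         ForEach-Object { $_.Name }
            } catch {
                # A GUID folder that cannot even be listed is itself worth a look
                New-Object PSObject -Property @{
                    Path    = $dir.FullName
                    Markers = '(cannot list: ' + $_.Exception.Message + ')'
                }
                continue
            }
            $found = $markers | Where-Object { $names -contains $_ }
            # All three markers together match the reported layout; a lone GUID
            # folder under Installer is ordinary Windows Installer housekeeping
            if (@($found).Count -eq $markers.Count) {
                New-Object PSObject -Property @{
                    Path    = $dir.FullName
                    Markers = ($found -join ' ')
                }
            }
        }
    }
}

# Constructed fixture mirroring the reported layout ('@' file, 'L' and 'U' folders)
$fixture = Join-Path $env:TEMP 'za-fixture'
$fake    = Join-Path $fixture '{df7afafe-cca6-9ebd-e886-e53ca2584d5e}'
New-Item -ItemType Directory -Path (Join-Path $fake 'L') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $fake 'U') -Force | Out-Null
New-Item -ItemType File      -Path (Join-Path $fake '@') -Force | Out-Null

# Roots: the fixture plus the two real locations named in the log
$roots = @($fixture, (Join-Path $env:SystemRoot 'Installer'))
foreach ($userDir in (Get-ChildItem -Path "$env:SystemDrive\Users" -ErrorAction SilentlyContinue)) {
    if ($userDir.PSIsContainer) { $roots += Join-Path $userDir.FullName 'AppData\Local' }
}

Find-ZeroAccessFolders -Roots $roots | Format-Table Path, Markers -AutoSize
Remove-Item -LiteralPath $fixture -Recurse -Force
```

On a clean machine only the fixture row should come back, and the fixture is deleted at the end. A GUID folder that cannot be listed is reported on its own line rather than silently skipped, because an access error on a folder of this shape deserves a second look rather than a shrug.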


    #2 fireman4it

    • Group: Malware Response Team
    • Posts: 8,551
    • Joined: 24-May 08
    • Gender: Male
    • Location: Bement, ILL

    Posted Today, 03:42 PM

    Hello pokkers,

    1.
    Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    C:\Windows\Installer\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}
    C:\Users\Sebastian\AppData\Local\{df7afafe-cca6-9ebd-e886-e53ca2584d5e}

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the BartPE CD.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    2.
    We need to find a clean file to replace the patched services.exe.... Do the following:

    Boot to System Recovery Options and run FRST as you did to get the log.

    Type the following in the box after "Search:".

    services.exe;explorer.exe

    Click Search button and post the log (Search.txt) it makes to your reply.

    This post has been edited by fireman4it: Today, 03:43 PM

    " Extinguishing Malware from the world"

    The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

    ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-

    If I have helped you, consider making a donation to help me continue the fight against Malware!
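fireman4it's second step uses FRST's Search to find copies of services.exe and explorer.exe on disk so that a clean one can replace the patched System32 copy. As an added example, not FRST's code and not part of the thread, the PowerShell below does the same read-only triage with built-in cmdlets: it hashes the running services.exe, then hashes every other services.exe under the Windows folder (the component store under winsxs usually keeps one per installed version), and lists version, size, MD5 and signature status side by side. Function names and output columns are this example's own; an elevated Windows PowerShell prompt is assumed.

```powershell
# Added example (not FRST's code, not from the thread): the triage behind the
# "Search: services.exe" step, done with built-in cmdlets. Elevated Windows
# PowerShell 2.0+ is assumed; nothing here modifies any file.

function Get-FileMd5 {
    param([string]$Path)
    # .NET MD5 so this also works on PowerShell versions without Get-FileHash
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Find-FileCopies {
    param(
        [string]$FileName,                      # e.g. services.exe
        [string]$ReferencePath,                 # the copy that is actually running
        [string]$SearchRoot = $env:SystemRoot   # widen to $env:SystemDrive for a whole-disk search
    )
    $refHash = Get-FileMd5 $ReferencePath

    Get-ChildItem -Path $SearchRoot -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hash = Get-FileMd5 $_.FullName
            # Caveat: OS binaries are catalog-signed, and older Windows PowerShell
            # versions do not consult catalogs, so legitimate files can show
            # NotSigned there. Treat Status as a hint, not a verdict.
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $ver  = $_.VersionInfo
            New-Object PSObject -Property @{
                Path          = $_.FullName
                Size          = $_.Length
                FileVersion   = $ver.FileVersion
                Company       = $ver.CompanyName
                MD5           = $hash
                Signature     = $sig.Status
                SameAsRunning = ($hash -eq $refHash)
            }
        }
}

$running = Join-Path $env:SystemRoot 'System32\services.exe'
Find-FileCopies -FileName 'services.exe' -ReferencePath $running |
    Sort-Object SameAsRunning, FileVersion, Path |
    Format-Table Path, Size, FileVersion, Company, MD5, Signature, SameAsRunning -AutoSize
```

Copies that differ from the running file sort first. The running copy is the one FRST flagged as patched, so SameAsRunning being True is not reassuring here; the copy to look at is one whose FileVersion and Company match the running file but whose MD5 differs, ideally with a Valid signature status. FRST's "MD5 is legit" verdict comes from its own known-good hash list, which this script does not have, so it only compares copies against each other and leaves the actual replacement to the offline procedure fireman4it describes.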




    Source: http://www.bleepingcomputer.com/forums/topic458671.html
