Removal of Trojan.Small, Trojan.Sirefef, Rootkit.0Access

Emil_Svensson · June 6, 2012

Hi,

I've seen this topic pop up a whole lot in the last few days, but I reckon that since everyone needs personalized help, I'd start yet another one of these.

I'm trying to help my sister get rid of some malware. She's running Vista Home Basic 32-bit with SP1. There's a fair bit of bloatware on it but it came preinstalled and I've removed what I can (but that was a long, long time ago and unrelated to this).

I was temped to fiddle with Combofix and/or TDDS Killer as recommended elsewhere and post the logs in order to speed up the process, but I've also read the advice not to run any of those programs before any of the experts on here have had their say. So I'll just post the Anti-Malware information.

I'll post both a screenshot of the scan results, and the log.

http://h11.abload.de...rojans5skx0.jpg


Malwarebytes Anti-Malware 1.61.0.1400
[url="http://www.malwarebytes.orgDatabase"]www.malwarebytes.org[/url]
[url="http://www.malwarebytes.orgDatabase"]Database[/url] version: v2012.06.06.02
Windows Vista Service Pack 1 x86 FAT32
Internet Explorer 8.0.6001.19019
Hanna :: HANNA-DATOR [administrator]
2012-06-06 14:45:21
mbam-log-2012-06-06 (14-53-24).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188499
Time elapsed: 7 minute(s), 56 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\Installer\{87c5e1a2-c78b-5c48-7055-cb54cf2f0e42}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\Windows\Installer\{87c5e1a2-c78b-5c48-7055-cb54cf2f0e42}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
C:\Windows\Installer\{87c5e1a2-c78b-5c48-7055-cb54cf2f0e42}\U\800000cb.@ (Rootkit.0Access) -> No action taken.
(end)

gringo_pr · June 7, 2012

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
[*]Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
[*]Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
[*]Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo

zia16sun · June 7, 2012

Hello Gringo. Per the instructions, the FRST log is pasted below. I'm working on a friend's computer and it looks to me like she's got about 5 Trojans at this point, which I can start eliminating as soon as this sirefef repeated rebooting issue is under control. Thanks in advance for your expertise!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 06-06-2012 04

Ran by SYSTEM at 07-06-2012 11:37:22

Running from E:\

Windows Vista Home Basic Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [249856 2009-06-19] (Alps Electric Co., Ltd.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [458844 2009-07-31] (IDT, Inc.)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-02-26] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-02-26] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-02-26] (Intel Corporation)

HKLM\...\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)

HKLM\...\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [657920 2009-11-02] (Dell Inc.)

HKLM\...\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [147328 2010-01-05] (Wave Systems Corp.)

HKLM\...\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-01-05] (Broadcom Corporation)

HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981680 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)

HKU\Crys\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)

HKU\Crys\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Crys\...\Policies\system: [LogonHoursAction] 2

HKU\Crys\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

HKU\Guest\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Michael\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Michael\...\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent [x]

HKU\Michael\...\Policies\system: [LogonHoursAction] 2

HKU\Michael\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 208.67.222.222

Lsa: [Authentication Packages] msv1_0

wvauth

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk

ShortcutTarget: Dell ControlPoint System Manager.lnk -> C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk

ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\TdmNotify.lnk

ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

ShortcutTarget: WDSmartWare.lnk -> C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)

Startup: C:\Users\Michael\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [257696 2012-05-04] (Adobe Systems Incorporated)

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)

2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1803512 2009-05-15] (AuthenTec, Inc.)

2 buttonsvc32; "C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe" [278304 2009-11-20] (Dell Inc.)

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)

3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-12-27] (Acresso Software Inc.)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [124240 2010-03-18] (Microsoft Corporation)

4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

2 Secunia PSI Agent; "C:\Program Files\Secunia\PSI\PSIA.exe" --start-service [993848 2011-04-18] (Secunia)

2 Secunia Update Agent; "C:\Program Files\Secunia\PSI\sua.exe" --start-service [399416 2011-04-18] (Secunia)

3 SecureStorageService; "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [1032192 2009-11-18] (Wave Systems Corp.)

2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3063968 2012-04-09] (Skype Technologies S.A.)

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-04-05] (Skype Technologies)

2 sprtlisten; C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe /identity QUICKASSIST [1213728 2008-01-08] (SupportSoft, Inc.)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe [221266 2009-07-31] (IDT, Inc.)

3 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [394608 2008-01-08] (SupportSoft, Inc.)

2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1273856 2008-11-12] ()

2 TdmService; "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" [1148264 2009-11-24] (Wave Systems Corp.)

2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [110592 2009-11-13] (WDC)

2 WDSmartWareBackgroundService; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe" [20480 2009-06-16] (Memeo)

2 dcpsysmgrsvc; "c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe" [x]

2 EvtEng; c:\Program Files\Intel\WiFi\bin\EvtEng.exe [x]

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]

4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

2 RegSrvc; c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [x]

4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]

4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [217136 2009-11-24] (Alps Electric Co., Ltd.)

3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [112128 2009-02-26] (Intel® Corporation)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-06-07] (Malwarebytes Corporation)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)

1 MpKsl77c026b2; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4DDCD221-1D60-492B-91EB-92D7C46B40B6}\MpKsl77c026b2.sys [29904 2012-06-05] (Microsoft Corporation)

3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)

0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)

3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)

4 rimspci; C:\Windows\system32\drivers\rimspe86.sys [45056 2009-04-03] (REDC)

4 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [48640 2009-04-03] (REDC)

4 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38400 2009-04-03] (REDC)

4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)

2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [211328 2010-01-05] (Wave Systems Corp.)

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NvtSp50; C:\Windows\System32\Drivers\NvtSp50.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-07 11:37 - 2012-06-07 11:37 - 00000000 ____D C:\FRST

2012-06-05 09:35 - 2012-06-07 09:29 - 3174215680 __ASH C:\hiberfil.sys

2012-06-05 09:10 - 2012-06-07 07:46 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-06-03 09:28 - 2012-06-03 09:28 - 00002154 ____A C:\Windows\epplauncher.mif

2012-06-03 09:27 - 2012-06-03 09:28 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-06-03 09:27 - 2010-04-05 12:00 - 00221568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-06-02 16:31 - 2012-06-05 09:19 - 00000000 ____D C:\Users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-06-02 10:44 - 2012-06-02 10:44 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-05-26 09:20 - 2012-05-28 16:05 - 00010578 ____A C:\Users\Crys\Documents\Nutrition.xlsx

2012-05-26 09:16 - 2012-05-26 09:16 - 00000000 ____D C:\Users\Crys\Desktop\MMA

2012-05-11 17:21 - 2012-03-30 04:39 - 00914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-05-11 17:21 - 2012-03-29 05:39 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-05-11 17:21 - 2012-03-20 15:28 - 00053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-05-11 17:21 - 2012-03-01 06:46 - 00219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2012-05-11 17:21 - 2012-03-01 06:46 - 00160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2012-05-11 17:21 - 2012-02-29 06:08 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2012-05-11 17:21 - 2012-02-29 05:44 - 00683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-05-11 17:21 - 2012-02-29 05:41 - 01069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-05-11 17:20 - 2012-04-03 00:16 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-05-11 17:20 - 2012-04-03 00:16 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-11 17:20 - 2012-04-02 05:36 - 02044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

============ 3 Months Modified Files and Folders ===============

2012-06-07 09:29 - 2012-06-05 09:35 - 3174215680 __ASH C:\hiberfil.sys

2012-06-07 09:29 - 2006-11-02 04:58 - 0032596 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-06-07 09:29 - 2006-11-02 04:58 - 0000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-07 09:29 - 2006-11-02 04:45 - 0003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-06-07 09:29 - 2006-11-02 04:45 - 0003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-06-07 09:22 - 2009-04-11 05:18 - 0279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-06-07 08:34 - 2010-08-14 12:20 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-06-07 07:46 - 2012-06-05 09:10 - 0040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-06-07 07:46 - 2012-03-29 07:24 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-06-07 07:46 - 2010-04-12 19:43 - 0000000 ____A C:\Users\Crys\AppData\Local\WavXMapDrive.bat

2012-06-07 07:45 - 2010-08-14 12:20 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-06-05 09:35 - 2012-05-05 13:11 - 0000000 ____D C:\Users\All Users\boost_interprocess

2012-06-05 09:33 - 2010-04-06 19:25 - 1944952 ____A C:\Windows\WindowsUpdate.log

2012-06-05 09:32 - 2010-09-20 14:50 - 0889192 ____A C:\Windows\ntbtlog.txt

2012-06-05 09:19 - 2012-06-02 16:31 - 0000000 ____D C:\Users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-06-05 09:17 - 2008-01-20 19:02 - 0055636 ____A C:\Windows\PFRO.log

2012-06-03 09:28 - 2012-06-03 09:28 - 0002154 ____A C:\Windows\epplauncher.mif

2012-06-03 09:28 - 2012-06-03 09:27 - 0000000 ____D C:\Program Files\Microsoft Security Client

2012-06-03 09:28 - 2006-11-02 02:33 - 0866950 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-03 09:21 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration

2012-06-03 09:19 - 2010-04-12 20:10 - 0000000 ____D C:\Users\All Users\Symantec

2012-06-03 09:15 - 2012-01-19 05:25 - 0000000 __SHD C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}

2012-06-02 16:45 - 2010-12-31 14:22 - 0000000 ____D C:\Windows\symbols

2012-06-02 16:27 - 2010-08-14 12:17 - 0000000 ____D C:\Users\Crys\AppData\Roaming\Skype

2012-06-02 10:44 - 2012-06-02 10:44 - 0000000 __SHD C:\Windows\System32\%APPDATA%

2012-05-28 16:05 - 2012-05-26 09:20 - 0010578 ____A C:\Users\Crys\Documents\Nutrition.xlsx

2012-05-26 09:16 - 2012-05-26 09:16 - 0000000 ____D C:\Users\Crys\Desktop\MMA

2012-05-23 04:54 - 2010-04-07 01:01 - 0000000 ____D C:\Program Files\Microsoft Silverlight

2012-05-16 06:05 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET

2012-05-13 12:42 - 2006-11-02 04:44 - 2303584 ____A C:\Windows\System32\FNTCACHE.DAT

2012-05-12 12:33 - 2010-05-25 08:02 - 0000000 ____D C:\Users\All Users\Microsoft Help

2012-05-12 12:29 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-05-12 12:03 - 2006-11-02 04:35 - 0000000 ____D C:\Windows\System32\XPSViewer

2012-05-07 05:16 - 2012-05-07 05:16 - 0000000 ____D C:\Users\Crys\AppData\Roaming\Foxit Software

2012-05-07 05:13 - 2010-04-12 20:15 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-05-07 05:12 - 2012-05-07 05:12 - 0000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-05-05 13:11 - 2012-05-05 13:10 - 0000000 ___RD C:\Program Files\Skype

2012-05-05 13:11 - 2010-08-14 12:14 - 0000000 ____D C:\Users\All Users\Skype

2012-05-05 13:10 - 2012-05-05 13:10 - 0001878 ____A C:\Users\Public\Desktop\Skype.lnk

2012-05-05 13:10 - 2012-05-05 13:10 - 0000000 ____D C:\Program Files\Common Files\Skype

2012-05-04 16:46 - 2012-03-29 07:24 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-05-04 16:46 - 2011-05-15 11:55 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-04-29 06:37 - 2006-11-02 04:49 - 0147796 ____A C:\Windows\setupact.log

2012-04-20 07:51 - 2012-04-20 07:39 - 0034901 ____A C:\Users\Crys\Desktop\lyrics.docx

2012-04-04 13:56 - 2010-04-12 20:15 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-04-03 00:16 - 2012-05-11 17:20 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-04-03 00:16 - 2012-05-11 17:20 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-04-02 05:36 - 2012-05-11 17:20 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-03-30 11:57 - 2012-03-30 11:57 - 0001666 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-03-30 11:57 - 2012-03-09 12:53 - 0000000 ____D C:\Program Files\iTunes

2012-03-30 11:56 - 2012-03-30 11:56 - 0000000 ____D C:\Program Files\iPod

2012-03-30 11:56 - 2010-06-01 13:54 - 0000000 ____D C:\Program Files\Common Files\Apple

2012-03-30 04:39 - 2012-05-11 17:21 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-03-29 09:21 - 2012-03-29 09:21 - 313700803 ____A C:\Windows\MEMORY.DMP

2012-03-29 09:21 - 2012-03-29 09:21 - 0144744 ____A C:\Windows\Minidump\Mini032912-01.dmp

2012-03-29 09:21 - 2012-03-29 09:21 - 0000000 ____D C:\Windows\Minidump

2012-03-29 05:39 - 2012-05-11 17:21 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-03-28 06:07 - 2011-04-13 15:53 - 0000861 ____A C:\Users\Public\Desktop\VLC media player.lnk

2012-03-20 18:44 - 2012-03-20 18:44 - 0171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys

2012-03-20 18:44 - 2012-03-20 18:44 - 0074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys

2012-03-20 15:28 - 2012-05-11 17:21 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-03-15 09:25 - 2012-01-22 06:32 - 0008518 ____A C:\Users\Crys\Documents\Car Loan.xlsx

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000001.@

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\800000cb.@

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe

[2009-04-11 05:18] - [2012-06-07 09:22] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%

Total physical RAM: 3026.43 MB

Available physical RAM: 2715.28 MB

Total Pagefile: 2925.83 MB

Available Pagefile: 2792.34 MB

Total Virtual: 2047.88 MB

Available Virtual: 1974.32 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:102.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: () (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32

4 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.69 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 0 B

Disk 1 Online 3827 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 32 KB

Partition 2 Primary 15 GB 40 MB

Partition 3 Primary 218 GB 15 GB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 218 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3827 MB 16 KB

======================================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT32 Removable 3827 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-03 09:49

======================= End Of Log ==========================

gringo_pr · June 7, 2012

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt


C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}
C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@
C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L
C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U
C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000001.@
C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\800000cb.@
C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}
C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@
C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L
C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

On Windows XP: Now please boot into the BartPE CD.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Gringo

zia16sun · June 7, 2012

Thank you. The fix log is as follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 06-06-2012 04

Ran by SYSTEM at 2012-06-07 12:39:07 Run:1

Running from E:\

==============================================

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50} moved successfully.

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@ not found.

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L not found.

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U not found.

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000001.@ not found.

C:\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\800000cb.@ not found.

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50} moved successfully.

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@ not found.

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L not found.

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U not found.

==== End of Fixlog ====

gringo_pr · June 7, 2012

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

zia16sun · June 7, 2012

Unfortunately, the incessant restarting issue won't let me stay on the system long enough to prepare the computer for running Combofix. I still get the "Windows has encountered a critical problem and will restart automatically in one minute" message. This is the case despite my attempts to start in safe mode, to Disable Automatic Restart on System Failure or to boot with the Last Known Good Configuration.

If it helps, I can provide a boot log, which but it is excessively long and pasting it here gives the error of "post too long", so I would either have to attach or post in multiple messages. Please advise your preferences in this situation. Thanks!

gringo_pr · June 7, 2012

Greetings

I would like to have a new scan from FRST and send me the report

gringo

gringo_pr · June 10, 2012

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

zia16sun · June 11, 2012

Thank you, Gringo. When I checked back on Thursday after you responded, for some reason I was no longer allowed to respond to this thread (presumably because as a newbie to the forum when I originally sent my help request to you, I didn't realize that the searches that brought me to this thread took me to your response to Emil_Svensson, and I falsely assumed that the post I was reading from you was some sort of general assistance starting point. My apologies to Emil_Svensson for taking over this thread. On the same note, if you prefer that I start a new thread of my own to continue this process, I'm happy to do so. I was planning on doing so today since I couldn't respond to this thread on Friday and was traveling cross country all weekend).

Anyway, the FRST log from Thursday afternoon is as follows:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 06-06-2012 04

Ran by SYSTEM at 07-06-2012 15:50:49

Running from E:\

Windows Vista Home Basic Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet002