TechSpot

Iexplorer.exe keeps popping up, 6 steps followed. Logs attached

By gubbe72
Jul 20, 2010
  1. So, I recently noticed in my task manager that iexplorer.exe kept popping up, in 2-4 instances. Weird, since I only use Chrome for browsing.
    I tried to shut them down, but they kept popping up.
    Looked here for suggestions, and found this thread.

    After scanning with avast, I found "win32:unrury-j [drp]" which was put in quarantine.
    Did the rest of the steps, and am attaching logs here.
    (mbam log was clean, so I did not attach that)
     

  2. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  3. gubbe72

    gubbe72 TS Rookie Topic Starter

    This doesn't look good.

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive1
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\D: -> \\.\PhysicalDrive0
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\E: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive1 Unknown boot code
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...

    (Thank you for extremely quick reply btw)
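Bootkit Remover identifies each disk's MBR by an MD5 and flags boot code it does not recognise as "Unknown boot code". In this thread both disks report the same MD5 while infected and again the same MD5 once both are clean, despite different sizes and partition layouts, which suggests the hash covers the boot-code bytes rather than the whole sector. As an added example (not code from this thread and not eSage Lab's tool), the following Python parses a raw 512-byte MBR, checks the 0x55AA boot signature, decodes the partition table, hashes the first 440 bytes and compares the hash against an allow-list. The 440-byte boundary is an assumption about the boot-code area, and every sector and allow-list hash in the file is synthetic test data built inline.

```python
"""Parse a raw 512-byte master boot record and flag unknown boot code.

Added example (not code from this thread and not eSage Lab's Bootkit Remover).
Assumptions: the boot-code area is bytes 0..439 of the sector, and the
known-good hash set is constructed here from synthetic test data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440            # boot-code area (assumption; see module docstring)
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR
# One partition entry: status, CHS start (3 bytes skipped), type,
# CHS end (3 bytes skipped), LBA start, sector count.
ENTRY_FMT = "<B3xB3xII"


def boot_code_md5(sector):
    """MD5 of the boot-code area only, so the partition table does not affect it."""
    return hashlib.md5(sector[:BOOT_CODE_SIZE]).hexdigest()


def parse_partition_table(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:            # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def analyze_mbr(sector, known_good_hashes):
    """Classify a sector the way a bootkit scanner does: signature, hash, status."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    result = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_md5": boot_code_md5(sector),
        "partitions": parse_partition_table(sector),
    }
    if not result["signature_ok"]:
        result["status"] = "Invalid boot signature"
    elif result["boot_code_md5"] in known_good_hashes:
        result["status"] = "OK (known boot code)"
    else:
        result["status"] = "Unknown boot code"
    return result


def build_sector(boot_code, partitions):
    """Assemble a synthetic MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_SIZE]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean boot code (a few plausible opening bytes, then
# NOP padding). It is NOT real Windows boot code; its hash only means something
# inside this example.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433   # 440 bytes
KNOWN_GOOD = {hashlib.md5(CLEAN_BOOT_CODE).hexdigest()}

# One bootable NTFS partition (type 0x07) of roughly 232 GB. Both sectors below
# share this table, so any hash difference comes from the boot code alone.
LAYOUT = [(True, 0x07, 2048, 488_000_000)]
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, LAYOUT)
# Same layout, first bytes of the boot code altered (constructed pattern).
ALTERED_SECTOR = build_sector(b"\xeb\x58" + CLEAN_BOOT_CODE[2:], LAYOUT)


def scan(sectors, known_good_hashes=KNOWN_GOOD):
    """Map name -> status for several sectors, like the tool's per-disk table."""
    return {name: analyze_mbr(sec, known_good_hashes)["status"]
            for name, sec in sectors.items()}


if __name__ == "__main__":
    for name, sec in {"clean": CLEAN_SECTOR, "altered": ALTERED_SECTOR}.items():
        r = analyze_mbr(sec, KNOWN_GOOD)
        print(f"{name:8s} md5={r['boot_code_md5']}  {r['status']}  "
              f"partitions={len(r['partitions'])}")
```

Against a real disk you would read sector 0 of the physical device into `sector` and populate the allow-list with hashes taken from known-clean installs; the point of hashing only the boot-code area is that two disks with different partition tables can still be compared against one reference.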
     
  4. Broni

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    REM D: and E: map to PhysicalDrive0, C: to PhysicalDrive1 (see the report above)
    START remover.exe fix \\.\PhysicalDrive0
    remover.exe fix \\.\PhysicalDrive1
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
     
  5. gubbe72

    It actually didn't want to boot up at all now. Had to start with CD-ROM boot, press Esc, and boot from there.
    Anyway, here is the result:


    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive1
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\D: -> \\.\PhysicalDrive0
    MD5: bb4f1627d8b9beda49ac0d010229f3ff
    \\.\E: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive1 Unknown boot code
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  6. gubbe72

    (I'm sorry if this is a double post now, didn't see the last reply)


    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive1
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\D: -> \\.\PhysicalDrive0
    MD5: bb4f1627d8b9beda49ac0d010229f3ff
    \\.\E: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive1 Unknown boot code
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...

    The computer didn't want to boot this time.
    I had to boot from CD, press Esc, and go from there.
     
  7. Broni

    I didn't ask for rebooting for a reason....

    MBR on disk D has been fixed, but not the one on drive C.
    Let's retry...

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    REM PhysicalDrive0 (D:/E:) already reports OK; only PhysicalDrive1 (C:) still shows unknown boot code
    remover.exe fix \\.\PhysicalDrive1
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
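Broni reads the two reports per physical disk rather than per drive letter: C: lives on PhysicalDrive1, whose MD5 and status did not change, while D: and E: share PhysicalDrive0, which now hashes differently and reports OK. As an added example (not code from this thread and not eSage Lab's), the following Python parses the report layout exactly as it appears in the posts and diffs two runs disk by disk; the two embedded reports are copied from posts 3 and 5 above, and the field names are this example's own.

```python
"""Parse Bootkit Remover console output and compare two runs per physical disk.

Added example (not code from this thread or from eSage Lab). It parses the
report layout as shown in the thread; the sample reports are the ones posted
above, and the field names are this example's own.
"""
import re

MAP_RE = re.compile(r"^\\\\\.\\([A-Z]):\s*->\s*(\\\\\.\\PhysicalDrive\d+)$")
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
ROW_RE = re.compile(r"^(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")


def _empty():
    return {"volumes": [], "md5": None, "size": None, "status": None}


def parse_report(text):
    """Return {device: {"volumes": [...], "md5": ..., "size": ..., "status": ...}}."""
    disks = {}
    last_device = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            letter, device = m.groups()
            disks.setdefault(device, _empty())["volumes"].append(letter)
            last_device = device      # an MD5 line that follows belongs to this disk
            continue
        m = MD5_RE.match(line)
        if m and last_device is not None:
            disks[last_device]["md5"] = m.group(1).lower()
            continue
        m = ROW_RE.match(line)
        if m:
            size, device, status = m.groups()
            disk = disks.setdefault(device, _empty())
            disk["size"], disk["status"] = size, status.strip()
    return disks


def _is_unknown(status):
    return bool(status) and status.startswith("Unknown")


def _is_ok(status):
    return bool(status) and status.startswith("OK")


def compare_reports(before_text, after_text):
    """Per disk: did the MD5 change, and did the status go from unknown to OK?"""
    before, after = parse_report(before_text), parse_report(after_text)
    out = {}
    for device in sorted(set(before) | set(after)):
        b, a = before.get(device, _empty()), after.get(device, _empty())
        out[device] = {
            "volumes": a["volumes"] or b["volumes"],
            "md5_changed": b["md5"] != a["md5"],
            "status_before": b["status"],
            "status_after": a["status"],
            "fixed": _is_unknown(b["status"]) and _is_ok(a["status"]),
            "still_unknown": _is_unknown(a["status"]),
        }
    return out


def volumes_still_flagged(comparison):
    """Drive letters whose disk still reports unknown boot code after the fix."""
    return sorted(v for d in comparison.values() if d["still_unknown"]
                  for v in d["volumes"])


# Reports copied from the thread: before fix.bat (post 3) and after it (post 5).
REPORT_BEFORE = r"""
\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive0
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Unknown boot code
149 GB \\.\PhysicalDrive0 Unknown boot code
"""
REPORT_AFTER = r"""
\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Unknown boot code
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
"""

if __name__ == "__main__":
    result = compare_reports(REPORT_BEFORE, REPORT_AFTER)
    for device, info in result.items():
        print(device, info["volumes"],
              "fixed" if info["fixed"] else info["status_after"])
    print("still flagged:", volumes_still_flagged(result))
```

Note that the tool prints one MD5 line per physical disk, after the first drive letter that maps to it; E: has no MD5 line because PhysicalDrive0 was already listed under D:. The parser keys everything by device for that reason.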
     
  8. gubbe72

    Yes, sorry about that reboot thing. The program suggested I do it to prevent the culprit from rewriting the code, heh.

    Looks good now though.


    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive1
    MD5: bb4f1627d8b9beda49ac0d010229f3ff
    \\.\D: -> \\.\PhysicalDrive0
    MD5: bb4f1627d8b9beda49ac0d010229f3ff
    \\.\E: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     
  9. Broni

    Looks good :)
    Now, you can reboot and report on issues status.
     
  10. gubbe72

    Phew.
    After the reboot, it seems the new MBR wasn't good after all, so
    I had to use the repair tools on the Win 7 dvd.
    After some (elsewhere) online searching I found the right way, managed to get the MBR restored, and now when rebooted, the iexplorer-things are gone.

    I think you fixed it :)
    Thanks a lot!
    I'll bookmark this thread though if something connected to it happens.
     
  11. Broni

    I'm glad your issue has been fixed, but we need to run a couple more scans to make sure your computer is 100% clean.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. gubbe72

    All right, it did its thing; here's the log:

    ComboFix 10-07-21.02 - Adde 2010-07-22 14:07:17.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.2047.1286 [GMT 2:00]
    Körs från: c:\users\Adde\Desktop\ComboFix.exe
    * Skapade en ny återställningspunkt
    .

    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\settings.reg
    c:\windows\system32\%appdata%
    c:\windows\system32\msvcsv60.dll

    .
    (((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))
    .

    2010-07-22 12:13 . 2010-07-22 12:14 -------- d-----w- c:\users\Adde\AppData\Local\temp
    2010-07-21 03:00 . 2010-07-21 03:00 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\users\Adde\AppData\Roaming\Malwarebytes
    2010-07-21 02:57 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\programdata\Malwarebytes
    2010-07-21 02:57 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-20 19:59 . 2010-07-20 20:03 -------- d-----w- c:\program files\a-squared Free
    2010-07-11 15:30 . 2010-07-11 15:30 -------- d-----w- c:\users\Adde\AppData\Roaming\XRay Engine
    2010-07-04 07:35 . 2010-07-04 07:35 -------- d-----w- c:\program files\AC3Filter
    2010-06-30 13:29 . 2010-06-30 13:29 -------- d-----w- c:\programdata\Blizzard Entertainment
    2010-06-30 07:13 . 2010-06-30 09:49 -------- d-----w- c:\users\Adde\AppData\Roaming\Xfire
    2010-06-30 07:12 . 2010-06-30 07:15 -------- d-----w- c:\programdata\Xfire
    2010-06-30 07:12 . 2010-06-30 07:13 -------- d-----w- c:\program files\Xfire
    2010-06-29 21:27 . 2010-06-29 21:34 -------- d-----w- c:\users\Adde\AppData\Roaming\dp3d
    2010-06-29 15:51 . 2010-07-06 22:38 16 ----a-w- c:\windows\msocreg32.dat
    2010-06-29 10:31 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-06-26 01:01 . 2010-06-26 01:01 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-25 02:28 . 2010-06-25 02:28 -------- d-----w- c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
    2010-06-23 01:01 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 01:01 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 01:01 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 01:01 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 01:01 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-22 22:44 . 2010-06-22 22:44 -------- d-----w- C:\PFiles
    2010-06-22 19:26 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
    2010-06-22 19:26 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-06-22 19:26 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-22 12:15 . 2010-03-13 20:31 -------- d-----w- c:\users\Adde\AppData\Roaming\uTorrent
    2010-07-22 10:51 . 2010-03-15 01:22 -------- d-----w- c:\users\Adde\AppData\Roaming\vlc
    2010-07-18 22:47 . 2010-05-10 18:41 -------- d-----w- c:\users\Adde\AppData\Roaming\Skype
    2010-07-18 22:47 . 2010-05-10 18:43 -------- d-----w- c:\users\Adde\AppData\Roaming\skypePM
    2010-07-07 17:28 . 2010-04-12 08:02 -------- d-----w- c:\users\Adde\AppData\Roaming\dvdcss
    2010-06-28 20:57 . 2010-03-13 20:45 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-13 20:46 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-13 20:46 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-13 20:46 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-13 20:46 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-28 20:32 . 2010-03-13 20:46 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 08:40 . 2010-03-14 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-25 02:28 . 2010-03-13 21:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-06-24 22:26 . 2010-03-14 18:09 -------- d-----w- c:\program files\DivX
    2010-06-20 14:24 . 2010-06-20 14:24 -------- d-----w- c:\programdata\Steam
    2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
    2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
    2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\programdata\Logitech
    2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\program files\Logitech
    2010-06-05 00:29 . 2010-06-05 00:29 -------- d-----w- c:\users\Adde\AppData\Roaming\Octoshape
    2010-06-04 18:59 . 2010-06-04 18:59 -------- d-----w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information
    2010-06-04 18:58 . 2010-06-04 18:59 331776 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\setup.exe
    2010-06-04 18:58 . 2010-06-04 18:59 2010726 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\ISSetup.dll
    2010-06-04 06:35 . 2010-05-15 11:13 -------- d-----w- c:\program files\uTorrent2
    2010-06-04 06:35 . 2010-05-09 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-04 06:34 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
    2010-06-04 06:34 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
    2010-06-04 06:34 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll
    2010-06-01 20:43 . 2010-03-29 11:07 -------- d-----w- c:\program files\Autodesk
    2010-06-01 16:54 . 2010-03-13 20:32 -------- d-----w- c:\program files\uTorrent
    2010-05-29 15:29 . 2010-05-29 15:29 -------- d-----w- c:\programdata\SEGA Corporation
    2010-05-28 00:04 . 2010-05-28 00:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
    2010-05-27 07:24 . 2010-06-08 18:43 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-08 18:43 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-26 23:00 . 2010-05-26 23:00 -------- d-----w- c:\users\Adde\AppData\Roaming\bizarre creations
    2010-05-22 23:57 . 2010-03-13 20:34 57560 ----a-w- c:\users\Adde\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-21 12:14 . 2010-02-10 05:47 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-21 05:18 . 2010-06-08 18:43 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-10 18:43 . 2010-05-10 18:43 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-05-06 00:06 . 2010-05-06 00:06 1879 ----a-w- c:\programdata\xml7DD8.tmp
    2010-05-06 00:06 . 2010-05-06 00:06 13445 ----a-w- c:\programdata\xml7D1B.tmp
    2010-05-06 00:06 . 2010-05-06 00:06 9521 ----a-w- c:\programdata\xml7B36.tmp
    2010-05-01 14:49 . 2010-06-08 18:43 2326528 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 13:37 . 2010-04-29 13:37 230 ----a-w- c:\windows\ctrunonce.reg
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ------- Sigcheck -------

    [-] 2010-06-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "uTorrent"="c:\program files\uTorrent2\uTorrent.exe" [2010-06-04 322352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
    "JulaPAN.exe"="JulaPAN.exe" [2010-03-13 495648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisableThumbnails"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer6"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-21 23:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2009-06-03 22:55 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-kort]
    2008-12-11 12:14 377856 ----a-w- c:\progra~1\ekort\ekort.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-13 20:34 135664 ----atw- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
    2009-09-21 17:40 1681408 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPAN.exe]
    2010-03-13 20:39 495648 ----a-w- c:\windows\System32\JulaPAN.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "uTorrent"="c:\program files\uTorrent2\uTorrent.exe"
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    "Octoshape Streaming Services"="c:\users\Adde\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "P17RunE"=RunDll32 P17RunE.dll,RunDLLEntry
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

    R1 Jula.sys;Service for Juli@ Audio Driver EWDM;c:\windows\system32\DRIVERS\Jula.sys [2010-03-13 48160]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-29 79360]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
    R3 JulaWDM.sys;Service for Juli@ WDM;c:\windows\system32\DRIVERS\JulaWDM.sys [2010-03-13 35872]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
    R3 MADFUMIDISPORT2010;Service for M-Audio MIDISPORT DFU;c:\windows\system32\DRIVERS\MAudioMIDISPORT_DFU.sys [2010-02-03 23304]
    R3 MAUSBMIDISPORT;Service for M-Audio MIDISPORT;c:\windows\system32\DRIVERS\MAudioMIDISPORT.sys [2010-02-03 166920]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
    R4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-04-15 1872320]
    R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\spel\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-14 691696]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 5430272]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 157184]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Innehållet i mappen 'Schemalagda aktiviteter':

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001Core.job
    - c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001UA.job
    - c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]
    .
    .
    ------- Extra genomsökning -------
    .
    Trusted Zone: com\www.msi
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\AUDIODG.EXE
    c:\windows\system32\atieclxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\taskhost.exe
    c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Sluttid: 2010-07-22 14:18:26 - datorn startades om.
    ComboFix-quarantined-files.txt 2010-07-22 12:18

    Före genomsökningen: 70*421*422*080 bytes free
    Efter genomsökningen: 70*369*628*160 bytes free

    - - End Of File - - C04BB425ECE12E02C4B05E4AF4479611
     
  13. Broni

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
    c:\programdata\xml7B36.tmp
    c:\programdata\xml7D1B.tmp
    c:\programdata\xml7DD8.tmp
    c:\windows\system32\ezsidmv.dat
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. gubbe72

    Here we go:
    (not following here. Were those infected, or viruses, or something?)


    ComboFix 10-07-21.02 - Adde 2010-07-23 0:23.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.2047.1374 [GMT 2:00]
    Körs från: c:\users\Adde\Desktop\ComboFix.exe
    Använda kommandoväxlar :: c:\users\Adde\Desktop\CFScript.txt
    * Skapade en ny återställningspunkt

    FILE ::
    "c:\programdata\xml7B36.tmp"
    "c:\programdata\xml7D1B.tmp"
    "c:\programdata\xml7DD8.tmp"
    "c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP"
    "c:\windows\system32\ezsidmv.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\xml7B36.tmp
    c:\programdata\xml7D1B.tmp
    c:\programdata\xml7DD8.tmp
    c:\windows\system32\ezsidmv.dat

    .
    (((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))
    .

    2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Adde\AppData\Local\temp
    2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-21 03:00 . 2010-07-21 03:00 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\users\Adde\AppData\Roaming\Malwarebytes
    2010-07-21 02:57 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\programdata\Malwarebytes
    2010-07-21 02:57 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-20 19:59 . 2010-07-20 20:03 -------- d-----w- c:\program files\a-squared Free
    2010-07-11 15:30 . 2010-07-11 15:30 -------- d-----w- c:\users\Adde\AppData\Roaming\XRay Engine
    2010-07-04 07:35 . 2010-07-04 07:35 -------- d-----w- c:\program files\AC3Filter
    2010-06-30 13:29 . 2010-06-30 13:29 -------- d-----w- c:\programdata\Blizzard Entertainment
    2010-06-30 07:13 . 2010-06-30 09:49 -------- d-----w- c:\users\Adde\AppData\Roaming\Xfire
    2010-06-30 07:12 . 2010-06-30 07:15 -------- d-----w- c:\programdata\Xfire
    2010-06-30 07:12 . 2010-06-30 07:13 -------- d-----w- c:\program files\Xfire
    2010-06-29 21:27 . 2010-06-29 21:34 -------- d-----w- c:\users\Adde\AppData\Roaming\dp3d
    2010-06-29 15:51 . 2010-07-06 22:38 16 ----a-w- c:\windows\msocreg32.dat
    2010-06-29 10:31 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-06-26 01:01 . 2010-06-26 01:01 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-25 02:28 . 2010-06-25 02:28 -------- d-----w- c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
    2010-06-23 01:01 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 01:01 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 01:01 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 01:01 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 01:01 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-22 22:44 . 2010-06-22 22:44 -------- d-----w- C:\PFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-22 19:40 . 2010-03-13 20:31 -------- d-----w- c:\users\Adde\AppData\Roaming\uTorrent
    2010-07-22 10:51 . 2010-03-15 01:22 -------- d-----w- c:\users\Adde\AppData\Roaming\vlc
    2010-07-18 22:47 . 2010-05-10 18:41 -------- d-----w- c:\users\Adde\AppData\Roaming\Skype
    2010-07-18 22:47 . 2010-05-10 18:43 -------- d-----w- c:\users\Adde\AppData\Roaming\skypePM
    2010-07-07 17:28 . 2010-04-12 08:02 -------- d-----w- c:\users\Adde\AppData\Roaming\dvdcss
    2010-06-28 20:57 . 2010-03-13 20:45 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-13 20:46 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-13 20:46 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-13 20:46 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-13 20:46 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-28 20:32 . 2010-03-13 20:46 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 08:40 . 2010-03-14 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-25 02:28 . 2010-03-13 21:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-06-24 22:26 . 2010-03-14 18:09 -------- d-----w- c:\program files\DivX
    2010-06-20 14:24 . 2010-06-20 14:24 -------- d-----w- c:\programdata\Steam
    2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
    2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
    2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\programdata\Logitech
    2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\program files\Logitech
    2010-06-05 00:29 . 2010-06-05 00:29 -------- d-----w- c:\users\Adde\AppData\Roaming\Octoshape
    2010-06-04 18:59 . 2010-06-04 18:59 -------- d-----w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information
    2010-06-04 18:58 . 2010-06-04 18:59 331776 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\setup.exe
    2010-06-04 18:58 . 2010-06-04 18:59 2010726 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\ISSetup.dll
    2010-06-04 06:35 . 2010-05-15 11:13 -------- d-----w- c:\program files\uTorrent2
    2010-06-04 06:35 . 2010-05-09 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-04 06:34 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
    2010-06-04 06:34 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
    2010-06-04 06:34 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll
    2010-06-01 20:43 . 2010-03-29 11:07 -------- d-----w- c:\program files\Autodesk
    2010-06-01 16:54 . 2010-03-13 20:32 -------- d-----w- c:\program files\uTorrent
    2010-05-29 15:29 . 2010-05-29 15:29 -------- d-----w- c:\programdata\SEGA Corporation
    2010-05-28 00:04 . 2010-05-28 00:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
    2010-05-27 07:24 . 2010-06-08 18:43 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-08 18:43 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-26 23:00 . 2010-05-26 23:00 -------- d-----w- c:\users\Adde\AppData\Roaming\bizarre creations
    2010-05-22 23:57 . 2010-03-13 20:34 57560 ----a-w- c:\users\Adde\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-21 12:14 . 2010-02-10 05:47 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-21 05:18 . 2010-06-08 18:43 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-09 09:14 . 2010-06-22 19:26 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-05-09 09:14 . 2010-06-22 19:26 417792 ----a-w- c:\windows\system32\msdri.dll
    2010-05-01 14:49 . 2010-06-08 18:43 2326528 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 13:37 . 2010-04-29 13:37 230 ----a-w- c:\windows\ctrunonce.reg
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ------- Sigcheck -------

    [-] 2010-06-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "uTorrent"="c:\program files\uTorrent2\uTorrent.exe" [2010-06-04 322352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
    "JulaPAN.exe"="JulaPAN.exe" [2010-03-13 495648]

    c:\users\Adde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-7-22 0]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisableThumbnails"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer6"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-21 23:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2009-06-03 22:55 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-kort]
    2008-12-11 12:14 377856 ----a-w- c:\progra~1\ekort\ekort.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-13 20:34 135664 ----atw- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
    2009-09-21 17:40 1681408 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPAN.exe]
    2010-03-13 20:39 495648 ----a-w- c:\windows\System32\JulaPAN.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "uTorrent"="c:\program files\uTorrent2\uTorrent.exe"
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    "Octoshape Streaming Services"="c:\users\Adde\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "P17RunE"=RunDll32 P17RunE.dll,RunDLLEntry
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

    R1 Jula.sys;Service for Juli@ Audio Driver EWDM;c:\windows\system32\DRIVERS\Jula.sys [2010-03-13 48160]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-29 79360]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
    R3 JulaWDM.sys;Service for Juli@ WDM;c:\windows\system32\DRIVERS\JulaWDM.sys [2010-03-13 35872]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
    R3 MADFUMIDISPORT2010;Service for M-Audio MIDISPORT DFU;c:\windows\system32\DRIVERS\MAudioMIDISPORT_DFU.sys [2010-02-03 23304]
    R3 MAUSBMIDISPORT;Service for M-Audio MIDISPORT;c:\windows\system32\DRIVERS\MAudioMIDISPORT.sys [2010-02-03 166920]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
    R4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-04-15 1872320]
    R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\spel\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-14 691696]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 5430272]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 157184]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Innehållet i mappen 'Schemalagda aktiviteter':

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001Core.job
    - c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001UA.job
    - c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]
    .
    .
    ------- Extra genomsökning -------
    .
    Trusted Zone: com\www.msi
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Sluttid: 2010-07-23 00:33:05
    ComboFix-quarantined-files.txt 2010-07-22 22:33
    ComboFix2.txt 2010-07-22 12:18

    Före genomsökningen: 72*891*400*192 bytes free
    Efter genomsökningen: 72*615*366*656 bytes free

    - - End Of File - - 06D9EF0AA9BAF114F662D68BC34CF114
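As an added example (not part of the thread and not ComboFix's own code), the following Python helper reads the registry start-point and service sections of a ComboFix log like the one above and flags the items a responder checks first: Run-key commands given as a bare file name with no directory, services listed with "[x]" (no file path reported, so the image cannot be checked from the log), and UAC policy values that weaken elevation. The sample input is a constructed subset of the posted log; the reading of "[x]" as "no path reported" is an assumption taken from how the lines above read.

```python
"""ComboFix log triage helper (added example, not from the thread or ComboFix).

Flags, from a ComboFix log's start-point sections:
  * Run-key entries whose command is a bare file name (no directory), which
    Windows resolves through the search path instead of a fixed location;
  * services/drivers listed with "[x]" (assumed: no file path reported);
  * UAC policy values that weaken elevation (EnableLUA = 0, or
    ConsentPromptBehaviorAdmin = 0, which elevates without prompting).
Pure text processing: nothing on the host is read or changed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"uTorrent"="c:\program files\uTorrent2\uTorrent.exe" [2010-06-04 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
"JulaPAN.exe"="JulaPAN.exe" [2010-03-13 495648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
"""

RUN_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+\\Run)\]$", re.IGNORECASE)
POLICY_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+\\policies\\system)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix service line: "<state> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[[^\]]*\]$")

# UAC policy values whose weak setting is 0.
WEAK_UAC = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}


@dataclass
class Findings:
    bare_run_entries: list = field(default_factory=list)    # (key, value name, command)
    unresolved_services: list = field(default_factory=list)  # service names listed with "[x]"
    weak_uac: list = field(default_factory=list)            # (value name, int value)


def command_of(data: str) -> str:
    """Drop ComboFix's trailing '[date size]' and return the launched image."""
    data = re.sub(r"\s*\[[^\]]*\]\s*$", "", data).strip()
    quoted = re.match(r'^"([^"]+)"', data)
    if quoted:
        return quoted.group(1)
    return data.split()[0] if data else ""


def is_bare(command: str) -> bool:
    """True when the command carries no drive letter and no directory separator."""
    return bool(command) and "\\" not in command and ":" not in command


def triage(log_text: str) -> Findings:
    findings = Findings()
    section = None  # "run", "policy", or None while outside a key of interest
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        run_key = RUN_KEY_RE.match(line)
        policy_key = POLICY_KEY_RE.match(line)
        if run_key or policy_key:
            section = "run" if run_key else "policy"
            key = (run_key or policy_key).group("key")
            continue
        if line.startswith("["):
            section = None  # some other registry key: its values are not of interest here
            continue
        service = SERVICE_RE.match(line)
        if service:
            if not service.group("path"):
                findings.unresolved_services.append(service.group("name"))
            continue
        value = VALUE_RE.match(line)
        if not value or section is None:
            continue
        name, data = value.group("name"), value.group("data")
        if section == "run":
            command = command_of(data)
            if is_bare(command):
                findings.bare_run_entries.append((key, name, command))
        elif section == "policy" and name in WEAK_UAC:
            try:
                number = int(data.split()[0])
            except (ValueError, IndexError):
                continue
            if number == WEAK_UAC[name]:
                findings.weak_uac.append((name, number))
    return findings


if __name__ == "__main__":
    for label, items in vars(triage(SAMPLE_LOG)).items():
        print(f"{label}: {items}")
```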
     
  15. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. gubbe72

    gubbe72 TS Rookie Topic Starter

    OTL.txt was huge, and since the forum limit is 20k chars, it would take 4 posts to fit that. I zipped it instead. Hope you don't mind.

    Extras.txt:

    OTL Extras logfile created on: 2010-07-23 08:18:57 - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Adde\Desktop
    Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

    2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 73,00% Memory free
    4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 232,88 Gb Total Space | 67,72 Gb Free Space | 29,08% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 149,04 Gb Total Space | 58,57 Gb Free Space | 39,30% Space Free | Partition Type: NTFS
    Drive F: | 2,49 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ADDE-PC
    Current User Name: Adde
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- C:\Users\Adde\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{009AC76E-1A66-4682-82B7-417E77F3C648}" = Superior Drummer Installer
    "{03B0D67B-36C9-C2CD-B63B-7B526138BA52}" = ccc-utility
    "{04FC2E4C-0E41-9D39-4E58-1EF29D4EF09D}" = ccc-core-static
    "{0949C078-58B4-CAF1-9A63-A4545145806D}" = Catalyst Control Center Graphics Previews Common
    "{0E93710D-31E5-477C-8A4B-5032B484BE74}" = Windows Live inloggningsassistenten
    "{109945A8-D8D5-48B8-B4A5-195D3F99B56D}" = Logitech GamePanel Software 3.04.143
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{38D9575F-6228-6A54-3A92-D902739B6541}" = Catalyst Control Center InstallProxy
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3FAD68D9-1FA1-4871-9ADF-9151D969E943}" = Activision(R)
    "{406FB8A4-F539-48A9-809C-F94706F9C9F6}_is1" = S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02]
    "{490BF87E-1F75-4453-BF55-9F540543A3CA}" = Steinberg Drum Loop Expansion 01
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}" = Steinberg Cubase 5
    "{4D454CF8-12FD-464D-B57B-B46FE27B78BB}" = Steinberg LoopMash Content
    "{4D87DC92-C328-46EC-A7B4-9C88129DC696}" = Dead Space™
    "{532B917B-8235-4FA5-BE36-643A8BB053A5}" = Steinberg REVerence Content 01
    "{54194F60-988C-4D03-B922-C2B00EFDA39A}" = NVIDIA PhysX
    "{57314F10-7B0A-4D5B-BB1A-7F606498816F}" = Windows 7 Manager
    "{573F1931-08F7-9222-704E-841C391794C5}" = ATI Catalyst Install Manager
    "{589A63D3-89E1-4D9B-8DBC-6039BB27289E}" = Activision(R)
    "{5A70922D-9365-43CC-ADA9-CB84E4A54E4E}" = Windows Live Essentials
    "{5E8B45A0-072C-91F7-BC80-29374194B452}" = Catalyst Control Center Graphics Previews Vista
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{6530FDAA-5B1F-4830-95BB-650E9804D239}" = UE3Redist
    "{67574624-BF0F-0409-AF6D-19FBD86FF7F7}" = Autodesk 3ds Max 2011 32-bit
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6B99E90E-2AC4-4D72-8D88-39030783172B}" = e-kort
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
    "{7BA01D2D-E25C-0C2C-5779-7A8E02A4BE7D}" = Catalyst Control Center Core Implementation
    "{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}" = 3dsmax ancillary install
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}" = Steinberg HALionOne Studio Drum Set
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
    "{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
    "{8FF4E834-DCAD-29E7-1EE8-9D817A3FA15B}" = CCC Help English
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BBE7AA1-AFA8-4D76-8FC2-1FDFD9BD3371}" = Windows Live Mail
    "{9DEABCB6-B759-4D52-92F8-51B34A2B4D40}" = Autodesk Material Library 2011
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
    "{AC997F93-0757-4ED4-A701-F40C2D654D09}" = Steinberg HALionOne GM Drum Set
    "{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
    "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
    "{B7F293A4-8666-6410-36F4-E47EB2029CCB}" = AMD Drag and Drop Transcoding
    "{BA9632CB-2B93-4FD6-905C-BB325CE1C4DD}" = e-kort
    "{BD86F1AC-B594-46E4-85DC-1258AC9E2232}" = Steinberg Groove Agent ONE Content
    "{C03A56EE-2715-5F54-69C4-A1CDB7602354}" = Catalyst Control Center Graphics Full New
    "{C307DD64-1C69-8C52-D2C9-02D38995A269}" = Catalyst Control Center HydraVision Full
    "{C3113E55-7BCB-4de3-8EBF-60E6CE6B2096}_is1" = SiSoftware Sandra Engineer XII
    "{CF1D7323-8A0A-49C7-83B0-088DB90721E2}" = AmpegSVX
    "{D0E565B0-03A0-40D9-A514-000634AA58C6}" = KORG Legacy Collection - DIGITAL EDITION
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}" = Steinberg HALionOne Studio Set
    "{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
    "{D37FE0E3-B1A9-4E41-AB5D-DA62E04D2C42}" = Alpha Protocol
    "{D82CDA0D-C182-42C8-8FF2-5649C98D6003}" = Steinberg HALionOne Pro Set
    "{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}" = Steinberg HALionOne Expression Set
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{E3E1398E-8FF2-0154-6D8F-7FC26299EBED}" = Catalyst Control Center Graphics Full Existing
    "{E70E7159-93B1-470D-9FBD-D8E9EF34B538}" = Steinberg HALionOne
    "{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
    "{EC928237-A3BD-4640-ABD0-E49E758F2315}" = Windows Live Messenger
    "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
    "{F057965A-D974-4C64-ADB1-4381CD4B8956}" = Steinberg HALionOne GM Set
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}" = Steinberg HALionOne Additional Content Set 01
    "{FBEF69BB-829C-8D4D-B299-497147916039}" = Catalyst Control Center Graphics Light
    "{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "AC3Filter" = AC3Filter (remove only)
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Alien Breed: Impact_is1" = Alien Breed: Impact
    "a-squared Free_is1" = a-squared Free 4.5
    "Autodesk FBX Plug-in 2011.1 - 3ds Max 2011" = Autodesk FBX Plug-in 2011.1 - 3ds Max 2011
    "avast5" = avast! Free Antivirus
    "Dream Pinball 3D" = Dream Pinball 3D
    "FBX Plugin 2006.08 for Max 9.0" = FBX Plugin 2006.08 for Max 9.0
    "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform för enhetshanterare
    "InstallShield_{3FAD68D9-1FA1-4871-9ADF-9151D969E943}" = Singularity(TM)
    "InstallShield_{589A63D3-89E1-4D9B-8DBC-6039BB27289E}" = Blur(TM)
    "KeyTweak" = KeyTweak - Keyboard Remapper (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "OpenAL" = OpenAL
    "Peggle Deluxe" = Peggle Deluxe
    "Peggle Nights" = Peggle Nights
    "ReValver Mk III_is1" = ReValver Mk III
    "S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
    "TeamSpeak 3 Client" = TeamSpeak 3 Client
    "TuneUp Utilities" = TuneUp Utilities
    "uTorrent" = µTorrent
    "WhoCrashed_is1" = WhoCrashed 2.10
    "Winamp" = Winamp
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "VLC media player" = VLC media player 1.0.5
    "Xfire" = Xfire (remove only)

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "090215de958f1060" = Curse Client
    "Google Chrome" = Google Chrome
    "InstallShield_{6530FDAA-5B1F-4830-95BB-650E9804D239}" = UE3Redist

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2010-07-18 23:11:50 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0xd80 Faulting application
    start time: 0x01cb26b90389d670 Faulting application path: C:\Windows\system32\svchost.exe
    Faulting
    module path: unknown Report Id: 5f4ffa50-92e3-11df-904e-001966cf8c12

    Error - 2010-07-18 23:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
    Description = License Activation Scheduler (sppuinotify.dll) failed with the following
    error code: 0x80070005

    Error - 2010-07-19 00:08:07 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0x1484 Faulting application
    start time: 0x01cb26f0342672a2 Faulting application path: C:\Windows\system32\svchost.exe
    Faulting
    module path: unknown Report Id: 3bfeaac7-92eb-11df-904e-001966cf8c12

    Error - 2010-07-19 00:10:41 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 2010-07-19 00:10:41 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 2010-07-19 00:10:56 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 2010-07-19 00:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
    Description = License Activation Scheduler (sppuinotify.dll) failed with the following
    error code: 0x80070005

    Error - 2010-07-19 01:23:17 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0x14a4 Faulting application
    start time: 0x01cb26f8107b6e9f Faulting application path: C:\Windows\system32\svchost.exe
    Faulting
    module path: unknown Report Id: bc50cbfe-92f5-11df-904e-001966cf8c12

    Error - 2010-07-19 01:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
    Description = License Activation Scheduler (sppuinotify.dll) failed with the following
    error code: 0x80070005

    Error - 2010-07-19 01:28:33 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00064735 Faulting process id: 0x15a0 Faulting application
    start time: 0x01cb2702913414f3 Faulting application path: C:\Windows\system32\svchost.exe
    Faulting
    module path: unknown Report Id: 78823029-92f6-11df-904e-001966cf8c12

    [ System Events ]
    Error - 2010-07-20 17:15:40 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7031
    Description = The Power service terminated unexpectedly. It has done this 1 time(s).
    The following corrective action will be taken in 60000 milliseconds: Reboot the
    machine.

    Error - 2010-07-20 17:15:41 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
    Description = The Service Control Manager tried to take a corrective action (Reboot
    the machine) after the unexpected termination of the Power service, but this action
    failed with the following error: %%1190

    Error - 2010-07-20 17:15:41 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
    Description = The Service Control Manager tried to take a corrective action (Reboot
    the machine) after the unexpected termination of the Plug and Play service, but
    this action failed with the following error: %%1190

    Error - 2010-07-20 17:26:11 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7031
    Description = The a-squared Free Service service terminated unexpectedly. It has
    done this 1 time(s). The following corrective action will be taken in 0 milliseconds:
    Restart the service.

    Error - 2010-07-20 17:26:11 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
    Description = The Service Control Manager tried to take a corrective action (Restart
    the service) after the unexpected termination of the a-squared Free Service service,
    but this action failed with the following error: %%1058

    Error - 2010-07-20 23:29:50 | Computer Name = Adde-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 05:23:51 on 2010-07-21 was unexpected.

    Error - 2010-07-20 23:30:05 | Computer Name = Adde-PC | Source = BugCheck | ID = 1001
    Description =

    Error - 2010-07-21 00:15:31 | Computer Name = Adde-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 06:10:40 on 2010-07-21 was unexpected.

    Error - 2010-07-21 06:48:30 | Computer Name = Adde-PC | Source = DCOM | ID = 10001
    Description =

    Error - 2010-07-21 12:49:52 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Jula.sys


    < End of report >
     

    Attached Files:

    • OTL.zip (16 KB)
  17. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Never zip any logs.
     

    Attached Files:

    • OTL.Txt (118.9 KB)
  18. gubbe72

    gubbe72 TS Rookie Topic Starter

    All right. Kinda new to this stuff. Not sure what to/what not to do really.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    =========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Adde\AppData\Local\Temp\catchme.sys -- (catchme)
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
      O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab (Reg Error: Key error.)
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2010-07-23 08:14:02 | 000,000,000 | --SD | C] -- C:\ComboFix
      [2010-06-25 04:28:29 | 000,000,000 | ---D | C] -- C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
      [2010-05-30 07:04:27 | 000,000,000 | ---D | C] -- C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
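Added example (editor's, not OTL's and not part of the thread): the OTL fix above removes entries at three classic persistence points, an IE toolbar entry (O3), a Winlogon value (O20) and a ShellExecuteHook (O28), and in each case the reason OTL flagged them is the same: the CLSID or program the entry points at does not exist. The script below re-applies that test read-only, so you can confirm after the fix, or on another machine, that nothing orphaned is left at those locations. Run it in an elevated Windows PowerShell prompt; the registry paths are the standard ones and nothing in it is specific to this machine.

```powershell
# Added example (editor's, not OTL's or the thread's): a read-only re-check of
# the persistence points the OTL fix above touched, applying OTL's own test:
# does the CLSID or program the entry points at still exist? Run elevated in
# Windows PowerShell. Registry paths are the standard ones; nothing here is
# machine-specific.

function Test-ClsidRegistered {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
        if (Test-Path (Join-Path $root $Clsid)) { return $true }
    }
    return $false
}

# Extract the program from a Winlogon-style value ("x.exe /arg", "a.exe,",
# rundll32 shell32,Control_RunDLL ...) and locate it in System32 or %SystemRoot%
function Resolve-WinlogonExe {
    param([string]$Value)
    if ($Value -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = (($Value -split ',')[0].Trim() -split '\s+')[0] }
    if ($exe -and -not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {
        $candidate = Join-Path $dir $exe
        if (Test-Path $candidate) { return $candidate }
    }
    return (Join-Path "$env:SystemRoot\System32" $exe)   # not found; the caller reports it
}

$findings = @()

# O3: IE toolbar entries whose CLSID has no registration ("No CLSID value found")
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"
    if (-not (Test-Path $key)) { continue }
    foreach ($valueName in (Get-Item $key).GetValueNames()) {
        if ($valueName -match '^\{[0-9A-F-]{36}\}$' -and -not (Test-ClsidRegistered $valueName)) {
            $findings += "Toolbar\WebBrowser ($hive): $valueName has no CLSID registration"
        }
    }
}

# O28: ShellExecuteHooks are loaded into every process that calls ShellExecute
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    foreach ($valueName in (Get-Item $hooks).GetValueNames()) {
        if ($valueName -and -not (Test-ClsidRegistered $valueName)) {
            $findings += "ShellExecuteHooks: $valueName has no CLSID registration"
        }
    }
}

# O20: Winlogon values that name a program to run at logon
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($v in 'Shell', 'Userinit', 'VMApplet', 'UIHost') {
    $val = $winlogon.$v
    if (-not $val) { continue }
    $exe = Resolve-WinlogonExe $val
    if (-not (Test-Path $exe)) { $findings += "Winlogon\$v = '$val' -> program not found: $exe" }
}

if ($findings) { $findings } else { 'No orphaned toolbar, ShellExecuteHook or Winlogon entries found.' }
```

The script only reports; deleting a value is a one-liner with Remove-ItemProperty once you have looked at the finding, and a value that resolves to a real, registered component is not a finding even if it looks unfamiliar.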
  20. gubbe72

    gubbe72 TS Rookie Topic Starter

    Java updated.

    "run fix" log:

    All processes killed
    Error: Unable to interpret <Code:> in the current context!
    ========== OTL ==========
    Service catchme stopped successfully!
    Service catchme deleted successfully!
    File C:\Users\Adde\AppData\Local\Temp\catchme.sys not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
    Starting removal of ActiveX control {F6ACF75C-C32C-447B-9BEF-46B766368D29}
    C:\Windows\Downloaded Program Files\CTPID.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\ComboFix folder moved successfully.
    C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP folder moved successfully.
    C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Adde
    ->Temp folder emptied: 2266141 bytes
    ->Temporary Internet Files folder emptied: 7691346 bytes
    ->Java cache emptied: 1554114 bytes
    ->Google Chrome cache emptied: 423299875 bytes
    ->Flash cache emptied: 7803 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 557056 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 11596 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 415,00 mb


    [EMPTYFLASH]

    User: Adde
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Public

    Total Flash Files Cleaned = 0,00 mb

    Attached: OTL.Txt (105 KB)
  21. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  22. gubbe72

    gubbe72 TS Rookie Topic Starter

    Objects scanned: 117788

    Threats found: 0

    Infected objects found: 0

    Suspicious objects found: 0

    Awesome :)
    Thanks a bunch!

    You lost me halfway through. Were there lots of infected files?
    Any clue what caused it, so I know what not to do again?
     
  23. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Great!
    Your main infection was a rootkit.
    Where did it come from? I have no idea and nobody will ever know for sure.
    Below, you'll find some hints how to avoid infections in the future.

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =======================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
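Added example (editor's, not part of the thread): the System Restore reset in step 1 above, done from an elevated Windows PowerShell prompt instead of the System Protection dialog. Turning protection off for a drive discards its restore points, turning it back on and taking a checkpoint leaves exactly one clean point, and listing points before and after shows that the old ones are really gone. The drive letter and the checkpoint description are assumptions; the *-ComputerRestore cmdlets exist in Windows PowerShell only (not PowerShell Core), and the script does not do the reboot the step lists between turning restore off and on.

```powershell
# Added example (editor's, not the thread's): reset System Restore on one
# drive so that no pre-cleanup restore point survives, then take a fresh one.
# Elevated Windows PowerShell on Vista/7. Drive letter is an assumption.
$drive = 'C:\'

'Restore points before:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize

Disable-ComputerRestore -Drive $drive    # existing points on this drive are deleted here
Enable-ComputerRestore  -Drive $drive
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

'Restore points after:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

If the "after" list still shows old sequence numbers, protection was enabled on another drive as well; run the Disable/Enable pair for each drive listed under System Protection. On Windows 8 and later, Checkpoint-Computer also silently skips when a point was created in the last 24 hours unless SystemRestorePointCreationFrequency is set to 0 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.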
  24. gubbe72

    gubbe72 TS Rookie Topic Starter

    Did as you instructed, so I feel safe for now. Again, thanks for all your help.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    You're very welcome

    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.