TechSpot

Sirefef won't go away - please help!

Solved
By cschrille
Jun 2, 2012
  1. cschrille


    ========== Files - Modified Within 30 Days ==========

    [2012-06-03 19:36:13 | 000,017,168 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012-06-03 19:36:13 | 000,017,168 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012-06-03 19:35:41 | 001,466,438 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012-06-03 19:35:41 | 000,625,534 | ---- | M] () -- C:\Windows\SysNative\perfh01D.dat
    [2012-06-03 19:35:41 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012-06-03 19:35:41 | 000,123,688 | ---- | M] () -- C:\Windows\SysNative\perfc01D.dat
    [2012-06-03 19:35:41 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012-06-03 19:28:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012-06-03 19:28:35 | 2132,725,759 | -HS- | M] () -- C:\hiberfil.sys
    [2012-06-03 19:23:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012-06-03 18:37:45 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\your_name.exe
    [2012-06-03 18:12:19 | 001,012,656 | ---- | M] () -- C:\Users\Ägaren\Desktop\rkill.scr
    [2012-06-03 18:08:58 | 001,012,656 | ---- | M] () -- C:\Users\Ägaren\Desktop\rkill.exe
    [2012-06-03 18:08:19 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\something.exe
    [2012-06-03 18:04:53 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\ComboFix.exe
    [2012-06-03 17:50:16 | 000,003,211 | ---- | M] () -- C:\Users\Ägaren\Desktop\Sophos Virus Removal Tool.lnk
    [2012-06-03 16:20:55 | 000,000,512 | ---- | M] () -- C:\Users\Ägaren\Documents\MBR.dat
    [2012-06-03 12:47:49 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\Need For Speed World.lnk
    [2012-06-03 11:45:55 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\Combo--Fix.exe
    [2012-06-03 10:18:40 | 000,442,883 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012-06-03 10:15:15 | 000,001,292 | ---- | M] () -- C:\Users\Ägaren\Desktop\Spybot - Search & Destroy.lnk
    [2012-06-03 01:04:26 | 004,534,467 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\Combo-Fix.exe
    [2012-06-03 01:00:09 | 000,001,747 | ---- | M] () -- C:\Users\Ägaren\Documents\Attach.zip
    [2012-06-03 00:59:34 | 000,001,712 | ---- | M] () -- C:\Users\Ägaren\Documents\Attach.rar
    [2012-06-02 22:28:48 | 000,000,933 | ---- | M] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
    [2012-06-02 22:17:52 | 000,000,973 | ---- | M] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_39377219.lnk
    [2012-06-02 22:17:50 | 000,460,888 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\SysNative\drivers\39377219.sys
    [2012-06-02 19:37:28 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012-06-02 13:10:43 | 000,000,929 | ---- | M] () -- C:\Users\Public\Desktop\Max Payne 3.lnk
    [2012-06-01 14:10:00 | 000,000,986 | ---- | M] () -- C:\Users\Ägaren\Desktop\European Bus Simulator High 2012.lnk
    [2012-06-01 14:10:00 | 000,000,986 | ---- | M] () -- C:\Users\Ägaren\Desktop\European Bus Simulator Basic 2012.lnk
    [2012-06-01 12:35:43 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
    [2012-06-01 12:35:43 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2012-05-30 21:23:13 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
    [2012-05-29 16:11:20 | 000,000,945 | ---- | M] () -- C:\Users\Public\Desktop\Ship Simulator Extremes.lnk
    [2012-05-29 14:21:57 | 000,001,208 | ---- | M] () -- C:\Users\Public\Desktop\Off-Road Drive.lnk
    [2012-05-29 13:57:20 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\MOTORM4X.lnk
    [2012-05-28 17:51:17 | 000,466,456 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
    [2012-05-28 17:51:16 | 000,444,952 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
    [2012-05-27 22:33:24 | 000,000,999 | ---- | M] () -- C:\Users\Ägaren\Desktop\NodLogin Force.lnk
    [2012-05-27 22:33:24 | 000,000,985 | ---- | M] () -- C:\Users\Ägaren\Desktop\NodLogin normal.lnk
    [2012-05-27 22:21:29 | 000,184,805 | ---- | M] () -- C:\ProgramData\1338149966.bdinstall.bin
    [2012-05-26 22:02:13 | 000,000,250 | ---- | M] () -- C:\Users\Ägaren\Documents\rendersettings.ini
    [2012-05-26 20:11:53 | 000,000,207 | ---- | M] () -- C:\Users\Ägaren\Desktop\Dota 2.url
    [2012-05-26 18:26:40 | 000,000,798 | ---- | M] () -- C:\Users\Ägaren\Desktop\DiRT Showdown.lnk
    [2012-05-26 17:55:38 | 000,001,090 | ---- | M] () -- C:\Users\Ägaren\Desktop\MSI Afterburner.lnk
    [2012-05-25 13:25:23 | 000,000,323 | ---- | M] () -- C:\Windows\SysNative\checkdnsid.xml
    [2012-05-24 16:20:52 | 000,000,869 | ---- | M] () -- C:\Users\Public\Desktop\CPUID CPU-Z.lnk
    [2012-05-24 13:42:57 | 000,000,796 | ---- | M] () -- C:\Users\Public\Desktop\Speccy.lnk
    [2012-05-23 13:59:26 | 000,001,954 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
    [2012-05-23 13:58:41 | 000,283,200 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
    [2012-05-21 15:59:27 | 000,293,040 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012-05-20 18:20:27 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2012-05-20 16:41:31 | 000,001,168 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk
    [2012-05-19 15:56:28 | 000,000,207 | ---- | M] () -- C:\Users\Ägaren\Desktop\Counter-Strike Global Offensive Beta.url
    [2012-05-18 23:51:59 | 000,001,174 | ---- | M] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
    [2012-05-18 21:54:35 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Origin.lnk
    [2012-05-17 23:34:19 | 000,000,929 | ---- | M] () -- C:\Users\Public\Desktop\Diablo III.lnk
    [2012-05-17 10:55:25 | 000,000,385 | ---- | M] () -- C:\Windows\SysNative\user_gensett.xml
    [2012-05-16 21:28:55 | 000,002,019 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2012-05-16 17:59:23 | 000,000,071 | ---- | M] () -- C:\Users\Ägaren\AppData\Roaming\programs.vc
    [2012-05-16 17:19:48 | 000,203,746 | ---- | M] () -- C:\ProgramData\1337181385.bdinstall.bin
    [2012-05-16 17:18:53 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_avchv_01009.Wdf
    [2012-05-16 17:12:32 | 000,000,473 | ---- | M] () -- C:\Users\Ägaren\Documents\rarreg.key
    [2012-05-16 13:16:40 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\BitTorrent.lnk
    [2012-05-15 22:52:47 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
    [2012-05-15 22:52:47 | 000,000,027 | ---- | M] () -- C:\Program Files\plugins.dat
    [2012-05-15 22:47:51 | 000,002,012 | ---- | M] () -- C:\Users\Ägaren\Desktop\Media Player Classic - Home Cinema x64.lnk
    [2012-05-15 22:08:21 | 000,001,011 | ---- | M] () -- C:\Users\Ägaren\Desktop\VPNCheck.lnk
    [2012-05-15 22:02:05 | 000,001,129 | ---- | M] () -- C:\Users\Public\Desktop\OpenVPN GUI.lnk
    [2012-05-15 21:17:58 | 000,001,134 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012-05-15 14:55:12 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
    [2012-05-15 14:55:11 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
    [2012-05-15 13:14:58 | 000,001,769 | ---- | M] () -- C:\Windows\Language_trs.ini
    [2012-05-15 13:11:52 | 000,016,896 | ---- | M] (ASUS) -- C:\Windows\AsTaskSched.dll
    [2012-05-15 13:09:52 | 000,028,660 | ---- | M] () -- C:\Windows\Ascd_tmp.ini
    [2012-05-15 12:57:43 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
    [2012-05-15 12:48:00 | 000,068,928 | ---- | M] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
    [2012-05-15 12:48:00 | 000,061,248 | ---- | M] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
    [2012-05-15 12:48:00 | 000,014,324 | ---- | M] () -- C:\Windows\SysNative\nvinfo.pb
    [2012-05-15 12:45:18 | 000,050,658 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
    [2012-05-15 12:45:18 | 000,050,658 | ---- | M] () -- C:\Windows\SysNative\license.rtf
    [2012-05-15 11:29:45 | 002,621,723 | ---- | M] () -- C:\Windows\SysNative\nvcoproc.bin
    [2012-05-15 02:21:50 | 000,423,744 | ---- | M] () -- C:\Windows\SysWow64\nvStreaming.exe
    [2012-05-12 23:56:36 | 000,000,659 | ---- | M] () -- C:\Users\Public\Desktop\Launch Hitman Blood Money.lnk
    [2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012-06-03 18:12:13 | 001,012,656 | ---- | C] () -- C:\Users\Ägaren\Desktop\rkill.scr
    [2012-06-03 18:08:52 | 001,012,656 | ---- | C] () -- C:\Users\Ägaren\Desktop\rkill.exe
    [2012-06-03 17:50:16 | 000,003,211 | ---- | C] () -- C:\Users\Ägaren\Desktop\Sophos Virus Removal Tool.lnk
    [2012-06-03 16:20:55 | 000,000,512 | ---- | C] () -- C:\Users\Ägaren\Documents\MBR.dat
    [2012-06-03 12:47:49 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\Need For Speed World.lnk
    [2012-06-03 10:12:35 | 000,001,292 | ---- | C] () -- C:\Users\Ägaren\Desktop\Spybot - Search & Destroy.lnk
    [2012-06-03 01:00:09 | 000,001,747 | ---- | C] () -- C:\Users\Ägaren\Documents\Attach.zip
    [2012-06-03 00:59:34 | 000,001,712 | ---- | C] () -- C:\Users\Ägaren\Documents\Attach.rar
    [2012-06-02 22:28:48 | 000,000,933 | ---- | C] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
    [2012-06-02 22:17:52 | 000,000,973 | ---- | C] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_39377219.lnk
    [2012-06-02 19:35:06 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012-06-02 13:10:43 | 000,000,929 | ---- | C] () -- C:\Users\Public\Desktop\Max Payne 3.lnk
    [2012-06-01 14:10:00 | 000,000,986 | ---- | C] () -- C:\Users\Ägaren\Desktop\European Bus Simulator High 2012.lnk
    [2012-06-01 14:10:00 | 000,000,986 | ---- | C] () -- C:\Users\Ägaren\Desktop\European Bus Simulator Basic 2012.lnk
    [2012-05-29 16:11:20 | 000,000,945 | ---- | C] () -- C:\Users\Public\Desktop\Ship Simulator Extremes.lnk
    [2012-05-29 14:21:57 | 000,001,208 | ---- | C] () -- C:\Users\Public\Desktop\Off-Road Drive.lnk
    [2012-05-29 13:57:20 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\MOTORM4X.lnk
    [2012-05-27 22:33:24 | 000,000,999 | ---- | C] () -- C:\Users\Ägaren\Desktop\NodLogin Force.lnk
    [2012-05-27 22:33:24 | 000,000,985 | ---- | C] () -- C:\Users\Ägaren\Desktop\NodLogin normal.lnk
    [2012-05-27 22:21:29 | 000,184,805 | ---- | C] () -- C:\ProgramData\1338149966.bdinstall.bin
    [2012-05-26 22:02:09 | 000,000,250 | ---- | C] () -- C:\Users\Ägaren\Documents\rendersettings.ini
    [2012-05-26 20:11:53 | 000,000,207 | ---- | C] () -- C:\Users\Ägaren\Desktop\Dota 2.url
    [2012-05-26 18:26:39 | 000,000,798 | ---- | C] () -- C:\Users\Ägaren\Desktop\DiRT Showdown.lnk
    [2012-05-26 17:55:38 | 000,001,090 | ---- | C] () -- C:\Users\Ägaren\Desktop\MSI Afterburner.lnk
    [2012-05-24 16:20:52 | 000,000,869 | ---- | C] () -- C:\Users\Public\Desktop\CPUID CPU-Z.lnk
    [2012-05-24 13:42:57 | 000,000,796 | ---- | C] () -- C:\Users\Public\Desktop\Speccy.lnk
    [2012-05-23 13:59:26 | 000,001,954 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
    [2012-05-21 16:15:04 | 000,000,323 | ---- | C] () -- C:\Windows\SysNative\checkdnsid.xml
    [2012-05-20 16:41:31 | 000,001,168 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk
    [2012-05-20 11:53:20 | 000,280,904 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.xtr
    [2012-05-19 15:56:28 | 000,000,207 | ---- | C] () -- C:\Users\Ägaren\Desktop\Counter-Strike Global Offensive Beta.url
    [2012-05-18 23:51:29 | 000,283,304 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.ex0
    [2012-05-18 23:51:29 | 000,280,904 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2012-05-18 23:51:28 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2012-05-17 23:22:01 | 000,000,929 | ---- | C] () -- C:\Users\Public\Desktop\Diablo III.lnk
    [2012-05-17 10:55:25 | 000,000,385 | ---- | C] () -- C:\Windows\SysNative\user_gensett.xml
    [2012-05-16 21:28:55 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    [2012-05-16 17:19:48 | 000,203,746 | ---- | C] () -- C:\ProgramData\1337181385.bdinstall.bin
    [2012-05-16 17:18:53 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_avchv_01009.Wdf
    [2012-05-16 17:12:32 | 000,000,473 | ---- | C] () -- C:\Users\Ägaren\Documents\rarreg.key
    [2012-05-15 22:52:47 | 000,000,027 | ---- | C] () -- C:\Program Files\plugins.dat
    [2012-05-15 22:50:19 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
    [2012-05-15 22:47:51 | 000,002,012 | ---- | C] () -- C:\Users\Ägaren\Desktop\Media Player Classic - Home Cinema x64.lnk
    [2012-05-15 22:08:35 | 000,000,071 | ---- | C] () -- C:\Users\Ägaren\AppData\Roaming\programs.vc
    [2012-05-15 22:08:21 | 000,001,011 | ---- | C] () -- C:\Users\Ägaren\Desktop\VPNCheck.lnk
    [2012-05-15 21:17:58 | 000,001,146 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    [2012-05-15 21:17:58 | 000,001,134 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012-05-15 21:03:05 | 000,000,032 | ---- | C] () -- C:\Program Files\plugins-04041e-1f8.dat
    [2012-05-15 21:00:54 | 000,002,617 | ---- | C] () -- C:\Users\Public\Desktop\Brave Arms.lnk
    [2012-05-15 21:00:54 | 000,002,383 | ---- | C] () -- C:\Users\Public\Desktop\HDDlife Pro.lnk
    [2012-05-15 21:00:54 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2012-05-15 21:00:54 | 000,002,010 | ---- | C] () -- C:\Users\Public\Desktop\Evolve.lnk
    [2012-05-15 21:00:54 | 000,001,750 | ---- | C] () -- C:\Users\Public\Desktop\Eraser.lnk
    [2012-05-15 21:00:54 | 000,001,174 | ---- | C] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
    [2012-05-15 21:00:54 | 000,001,129 | ---- | C] () -- C:\Users\Public\Desktop\OpenVPN GUI.lnk
    [2012-05-15 21:00:54 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
    [2012-05-15 21:00:54 | 000,001,068 | ---- | C] () -- C:\Users\Public\Desktop\Project CARS -DX11.lnk
    [2012-05-15 21:00:54 | 000,001,061 | ---- | C] () -- C:\Users\Public\Desktop\ACR Launcher.lnk
    [2012-05-15 21:00:54 | 000,001,056 | ---- | C] () -- C:\Users\Public\Desktop\Project CARS.lnk
    [2012-05-15 21:00:54 | 000,001,018 | ---- | C] () -- C:\Users\Public\Desktop\3D Инструктор 2.2. Домашняя версия.lnk
    [2012-05-15 21:00:54 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Sniper Elite V2.lnk
    [2012-05-15 21:00:54 | 000,000,998 | ---- | C] () -- C:\Users\Public\Desktop\eMule.lnk
    [2012-05-15 21:00:54 | 000,000,984 | ---- | C] () -- C:\Users\Public\Desktop\City Car Driving.lnk
    [2012-05-15 21:00:54 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Origin.lnk
    [2012-05-15 21:00:54 | 000,000,982 | ---- | C] () -- C:\Users\Public\Desktop\GetNZB.lnk
    [2012-05-15 21:00:54 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\BitTorrent.lnk
    [2012-05-15 21:00:54 | 000,000,932 | ---- | C] () -- C:\Users\Public\Desktop\Tunngle beta.lnk
    [2012-05-15 21:00:54 | 000,000,919 | ---- | C] () -- C:\Users\Public\Desktop\Ridge Racer Unbounded.lnk
    [2012-05-15 21:00:54 | 000,000,878 | ---- | C] () -- C:\Users\Public\Desktop\TrueCrypt.lnk
    [2012-05-15 21:00:54 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\Alan Wake.lnk
    [2012-05-15 21:00:54 | 000,000,842 | ---- | C] () -- C:\Users\Public\Desktop\Uninstall ACR.lnk
    [2012-05-15 21:00:54 | 000,000,825 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012-05-15 21:00:54 | 000,000,755 | ---- | C] () -- C:\Users\Public\Desktop\Test Drive Unlimited 2.lnk
    [2012-05-15 21:00:54 | 000,000,659 | ---- | C] () -- C:\Users\Public\Desktop\Launch Hitman Blood Money.lnk
    [2012-05-15 21:00:54 | 000,000,651 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
    [2012-05-15 21:00:54 | 000,000,601 | ---- | C] () -- C:\Users\Public\Desktop\Addon characters MOD.lnk
    [2012-05-15 20:48:27 | 002,621,723 | ---- | C] () -- C:\Windows\SysNative\nvcoproc.bin
    [2012-05-15 20:21:04 | 000,001,024 | ---- | C] () -- C:\.rnd
    [2012-05-15 16:54:13 | 000,000,868 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012-05-15 15:43:44 | 000,095,744 | ---- | C] () -- C:\Windows\SysNative\RDVGHelper.exe
    [2012-05-15 15:43:35 | 000,347,904 | ---- | C] () -- C:\Windows\SysNative\systemsf.ebd
    [2012-05-15 15:42:39 | 000,010,429 | ---- | C] () -- C:\Windows\SysNative\ScavengeSpace.xml
    [2012-05-15 15:42:34 | 000,105,559 | ---- | C] () -- C:\Windows\SysWow64\RacRules.xml
    [2012-05-15 15:42:34 | 000,105,559 | ---- | C] () -- C:\Windows\SysNative\RacRules.xml
    [2012-05-15 15:42:30 | 000,146,389 | ---- | C] () -- C:\Windows\SysWow64\printmanagement.msc
    [2012-05-15 15:42:30 | 000,001,041 | ---- | C] () -- C:\Windows\SysWow64\tcpbidi.xml
    [2012-05-15 14:55:12 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
    [2012-05-15 14:55:11 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
    [2012-05-15 13:14:04 | 000,074,272 | ---- | C] () -- C:\Windows\SysNative\RtNicProp64.dll
    [2012-05-15 13:09:43 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
    [2012-05-15 13:09:38 | 000,028,660 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
    [2012-05-15 12:57:50 | 000,001,417 | ---- | C] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
    [2012-05-15 12:57:47 | 000,001,451 | ---- | C] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    [2012-05-15 12:57:43 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
    [2012-05-15 12:45:09 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
    [2012-05-15 12:45:09 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
    [2012-05-15 12:42:04 | 2132,725,759 | -HS- | C] () -- C:\hiberfil.sys
    [2012-05-15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
    [2011-09-19 15:03:40 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\rtvcvfw32.dll
    [2010-09-29 12:21:43 | 000,441,344 | ---- | C] ( ) -- C:\Windows\SetACL.exe

    ========== LOP Check ==========

    [2012-02-20 00:54:54 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\3G Studios
    [2012-05-15 20:24:17 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\BitTorrent
    [2012-05-15 20:24:19 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\DAEMON Tools Lite
    [2012-01-21 17:35:16 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\JAM Software
    [2012-05-15 20:24:29 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\NeoDownloader
    [2012-05-15 20:24:30 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\Notepad++
    [2012-01-21 18:10:46 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\OfficeRecovery
    [2012-05-15 20:24:30 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\OfficeRecovery.23629373
    [2012-05-15 20:24:30 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\Origin
    [2012-05-15 20:24:13 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\RotMG.Production
    [2012-05-15 20:24:54 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\Simraceway
    [2012-05-15 20:24:55 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\TeraCopy
    [2012-02-11 21:45:08 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\thriXXX
    [2012-05-15 20:24:55 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\TrueCrypt
    [2012-05-15 20:24:55 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\Tunngle
    [2012-02-09 16:13:02 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\Unity
    [2012-05-15 20:24:55 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\’O‰ºŒ“¬‹äŠy•”
    [2012-05-20 11:56:00 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\.minecraft
    [2012-06-03 19:05:46 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\BitTorrent
    [2012-06-02 23:33:05 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\DAEMON Tools Lite
    [2012-05-25 20:17:32 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\FlashGet
    [2012-06-03 13:03:37 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Need for Speed World
    [2012-05-22 17:14:08 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\NeoDownloader
    [2012-05-21 21:27:14 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Notepad++
    [2012-05-20 16:41:51 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\OpenOffice.org
    [2012-05-18 21:55:38 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Origin
    [2012-05-29 16:31:37 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Quest3D
    [2012-05-16 17:16:38 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\QuickScan
    [2012-05-29 16:31:37 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Roaming
    [2012-05-15 20:18:31 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\TeraCopy
    [2012-05-19 18:30:32 | 000,000,000 | ---D | M] -- C:\Users\Ägaren\AppData\Roaming\Unity
    [2012-06-03 19:24:03 | 000,012,926 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2012-03-06 19:41:46 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2012-05-27 22:19:40 | 000,007,042 | ---- | M] () -- C:\bdlog.txt
    [2008-04-11 10:07:18 | 000,003,820 | ---- | M] () -- C:\eula.1028.txt
    [2008-04-11 10:07:18 | 000,015,428 | ---- | M] () -- C:\eula.1031.txt
    [2008-04-11 10:07:18 | 000,010,058 | ---- | M] () -- C:\eula.1033.txt
    [2008-04-11 10:07:18 | 000,012,246 | ---- | M] () -- C:\eula.1036.txt
    [2008-04-11 10:07:18 | 000,013,912 | ---- | M] () -- C:\eula.1040.txt
    [2008-04-11 10:07:18 | 000,005,868 | ---- | M] () -- C:\eula.1041.txt
    [2008-04-11 10:07:18 | 000,005,970 | ---- | M] () -- C:\eula.1042.txt
    [2008-04-11 10:07:18 | 000,010,134 | ---- | M] () -- C:\eula.1049.txt
    [2008-04-11 10:07:18 | 000,003,814 | ---- | M] () -- C:\eula.2052.txt
    [2008-04-11 10:07:18 | 000,012,936 | ---- | M] () -- C:\eula.3082.txt
    [2008-04-11 10:07:18 | 000,001,110 | ---- | M] () -- C:\globdata.ini
    [2012-06-03 19:28:35 | 2132,725,759 | -HS- | M] () -- C:\hiberfil.sys
    [2008-04-11 08:03:48 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
    [2008-04-11 10:07:18 | 000,000,843 | ---- | M] () -- C:\install.ini
    [2008-04-11 08:03:48 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
    [2008-04-11 08:03:48 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
    [2008-04-11 08:03:48 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
    [2008-04-11 08:03:48 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
    [2008-04-11 08:03:48 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
    [2008-04-11 08:03:48 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
    [2008-04-11 08:03:48 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
    [2008-04-11 10:09:24 | 000,093,200 | ---- | M] (Microsoft Corporation) -- C:\install.res.1049.dll
    [2008-04-11 08:03:48 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
    [2008-04-11 08:03:48 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
    [2012-06-03 19:28:36 | 4275,290,111 | -HS- | M] () -- C:\pagefile.sys
    [2012-06-03 18:39:07 | 000,000,392 | ---- | M] () -- C:\rkill.log
    [2012-04-16 20:57:09 | 000,053,650 | ---- | M] () -- C:\Simraceway.log
    [2012-03-21 18:23:43 | 000,081,300 | ---- | M] () -- C:\TDSSKiller.2.7.21.0_21.03.2012_17.21.00_log.txt
    [2012-06-02 22:48:58 | 000,120,102 | ---- | M] () -- C:\TDSSKiller.2.7.36.0_02.06.2012_22.48.30_log.txt
    [2012-06-03 19:03:15 | 000,121,622 | ---- | M] () -- C:\TDSSKiller.2.7.36.0_03.06.2012_18.58.54_log.txt
    [2008-04-11 10:07:18 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
    [2008-04-11 10:09:38 | 003,797,292 | ---- | M] () -- C:\VC_RED.cab
    [2008-04-11 10:11:40 | 000,233,472 | ---- | M] () -- C:\VC_RED.MSI

    < %systemroot%\Fonts\*.com >
    [2009-07-14 07:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009-07-14 07:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009-07-14 07:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009-07-14 07:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009-06-10 22:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009-07-14 06:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012-05-15 15:28:15 | 000,000,221 | -HS- | M] () -- C:\Users\Ägaren\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012-06-03 11:45:55 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\Combo--Fix.exe
    [2012-06-03 01:04:26 | 004,534,467 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\Combo-Fix.exe
    [2012-06-03 18:04:53 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\ComboFix.exe
    [2012-06-03 18:08:58 | 001,012,656 | ---- | M] () -- C:\Users\Ägaren\Desktop\rkill.exe
    [2012-06-03 18:08:19 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\something.exe
    [2012-06-03 18:37:45 | 004,535,659 | R--- | M] (Swearware) -- C:\Users\Ägaren\Desktop\your_name.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012-06-03 19:23:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012-06-03 19:28:44 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012-06-03 19:24:03 | 000,012,926 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >
    [2003-06-13 17:23:00 | 000,004,304 | ---- | M] () -- C:\Windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009-06-10 23:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012-05-15 16:04:41 | 000,000,402 | -HS- | M] () -- C:\Users\Ägaren\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012-05-16 17:19:48 | 000,203,746 | ---- | M] () -- C:\ProgramData\1337181385.bdinstall.bin
    [2012-05-27 22:21:29 | 000,184,805 | ---- | M] () -- C:\ProgramData\1338149966.bdinstall.bin

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /I " " /c >
    No captured output from command...

    < dir /b "%systemroot%\*.exe" | find /I " " /c >
    No captured output from command...

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >
    [2003-06-13 17:23:06 | 000,050,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\AppPatch\AppLoc.exe
    [1 C:\Windows\AppPatch\*.tmp files -> C:\Windows\AppPatch\*.tmp -> ]

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

    < >

    < End of report >
     
  2. cschrille


    OTL Extras logfile created on: 2012-06-03 19:51:00 - Run 1
    OTL by OldTimer - Version 3.2.46.0 Folder = C:\Users\Ägaren\Downloads
    64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

    7,98 Gb Total Physical Memory | 6,17 Gb Available Physical Memory | 77,27% Memory free
    15,96 Gb Paging File | 14,18 Gb Available in Paging File | 88,86% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 478,05 Gb Total Space | 346,55 Gb Free Space | 72,49% Space Free | Partition Type: NTFS
    Drive E: | 2,85 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
    Drive X: | 453,36 Gb Total Space | 60,05 Gb Free Space | 13,25% Space Free | Partition Type: NTFS

    Computer Name: ÄGAREN-DATOR | User Name: Ägaren | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl[@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-3856055600-2435477386-2425398921-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\SysWow64\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\SysWow64\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{15AD6738-23E8-4AE6-93E9-434E717EECB2}" = System Requirements Lab CYRI (64-bit)
    "{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    "{26A24AE4-039D-4CA4-87B4-2F86417004FF}" = Java(TM) 7 Update 4 (64-bit)
    "{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema 1.6.1.4235 x64
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{8646190D-4E70-471A-8956-C8BEB67B22CF}" = ESET NOD32 Antivirus
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{96CC6DCC-8EBA-3F85-899B-933F599C4142}" = Microsoft .NET Framework 4 Client Profile SVE Language Pack
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision drivrutin 301.42
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIAs kontrollpanel 301.42
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafikdrivrutin 301.42
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision drivrutin för styrenhet 301.42
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX systemprogramvara 9.12.0213
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA-uppdatering 1.8.15
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD audiodrivrutin 1.3.16.0
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
    "CPUID CPU-Z_is1" = CPUID CPU-Z 1.60.1
    "European Bus Simulator 2012_is1" = European Bus Simulator 2012
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile SVE Language Pack" = Microsoft .NET Framework 4 Client Profile Language Pack - SVE
    "Speccy" = Speccy
    "TeraCopy_is1" = TeraCopy 2.27
    "WinRAR archiver" = WinRAR 4.11 (64-bit)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
    "{16D0F2D2-242C-4885-BEF1-4B1655C141AE}" = Bing Bar
    "{1AA94747-3BF6-4237-9E1A-7B3067738FE1}" = Max Payne 3
    "{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
    "{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
    "{4343080E-91B7-4388-AB4D-FB1000008200}" = Dead Rising 2
    "{434D0FA0-1558-4D8E-AC3D-BD1000008200}" = DiRT 3
    "{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51071D66-D034-4239-94E0-723FCA10B6FE}" = OpenOffice.org 3.4
    "{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{76285C16-411A-488A-BCE3-C83CB933D8CF}" = Battlefield 3™
    "{7B2CC3DF-64FA-44AE-8F57-B0F915147E4F}_is1" = Need For Speed™ World
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
    "{8CFA1D01-AECD-4913-9FB8-1E8A82F47824}_is1" = DNS Leak Fix for OpenVPN version 1.2
    "{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable
    "{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{AC76BA86-7AD7-1053-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Svenska
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B829E117-D072-41EA-9606-9826A38D34C1}" = Sophos Virus Removal Tool
    "{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.4.8 Game
    "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX
    "{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}" = Asmedia ASM104x USB 3.0 Host Controller Driver
    "{E76CDDCE-EFC0-4FE5-9972-9489CE49AA55}_is1" = NeoDownloader 2.9.1
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F97E3841-CA9D-4964-9D64-26066241D26F}" = Microsoft Games for Windows - LIVE
    "7-Zip" = 7-Zip 9.20
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "Afterburner" = MSI Afterburner 2.2.1
    "Battlelog Web Plugins" = Battlelog Web Plugins
    "BitTorrent" = BitTorrent
    "DAEMON Tools Lite" = DAEMON Tools Lite
    "Diablo III" = Diablo III
    "DiRT Showdown_is1" = DiRT Showdown
    "ESN Sonar-0.70.4" = ESN Sonar
    "FlashGet" = FlashGet 1.9.6.1073
    "GFWL_{4343080E-91B7-4388-AB4D-FB1000008200}" = Dead Rising 2
    "GFWL_{434D0FA0-1558-4D8E-AC3D-BD1000008200}" = DiRT 3
    "KLiteCodecPack_is1" = K-Lite Codec Pack 8.7.0 (Full)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "MOTORM4X" = MOTORM4X
    "Mozilla Firefox 12.0 (x86 sv-SE)" = Mozilla Firefox 12.0 (x86 sv-SE)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Notepad++" = Notepad++
    "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
    "Off-Road Drive_is1" = Off-Road Drive
    "OpenAL" = OpenAL
    "OpenVPN" = OpenVPN 2.2.1
    "Origin" = Origin
    "Picasa 3" = Picasa 3
    "PunkBusterSvc" = PunkBuster Services
    "Rigs of Rods 0.38.67" = Rigs of Rods 0.38.67
    "Rockstar Games Social Club" = Rockstar Games Social Club
    "Ship Simulator Extremes_is1" = Ship Simulator Extremes
    "Steam App 570" = Dota 2
    "Steam App 730" = Counter-Strike: Global Offensive Beta
    "VLC media player" = VLC media player 2.0.1
    "VPNCheck_is1" = VPNCheck 1.5

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3856055600-2435477386-2425398921-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "UnityWebPlayer" = Unity Web Player

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2012-06-02 17:55:08 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 9000
    Description =

    Error - 2012-06-02 17:55:08 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 7040
    Description =

    Error - 2012-06-02 17:55:08 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 9002
    Description =

    Error - 2012-06-02 17:55:08 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 3029
    Description =

    Error - 2012-06-02 17:55:13 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 3029
    Description =

    Error - 2012-06-02 17:55:13 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 3028
    Description =

    Error - 2012-06-02 17:55:13 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 3058
    Description =

    Error - 2012-06-02 17:55:13 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 7010
    Description =

    Error - 2012-06-02 17:55:13 | Computer Name = Ägaren-Dator | Source = Windows Search Service | ID = 7042
    Description =

    Error - 2012-06-03 11:47:03 | Computer Name = Ägaren-Dator | Source = Application Error | ID = 1000
    Description = Felet uppstod I programmet med namn: fsbl.exe, version 2.2.1092.0,
    tidsstämpel 0x48a543e2 , felet uppstod I modulen med namn: unknown, version 0.0.0.0,
    tidsstämpel 0x00000000 Undantagskod: 0xc0000005 Felförskjutning: 0x000d0000 Process-ID:
    0xc34 Programmets starttid: 0x01cd41a019df5cd4 Sökväg till program: C:\Users\Ägaren\Downloads\fsbl.exe
    Sökväg
    till modul: unknown Rapport-ID: 5c9baa06-ad93-11e1-a136-14dae9ebf681

    [ System Events ]
    Error - 2012-06-03 13:28:47 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7003
    Description = Tjänsten epfwwfpr är beroende av följande tjänst: BFE. Tjänsten är
    kanske inte installerad.

    Error - 2012-06-03 13:28:47 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7003
    Description = Tjänsten IKE and AuthIP IPsec Keying Modules är beroende av följande
    tjänst: BFE. Tjänsten är kanske inte installerad.

    Error - 2012-06-03 13:28:48 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7003
    Description = Tjänsten IPsec Policy Agent är beroende av följande tjänst: BFE. Tjänsten
    är kanske inte installerad.

    Error - 2012-06-03 13:28:48 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7023
    Description = Tjänsten Windows Defender avbröts med följande fel: %%126

    Error - 2012-06-03 13:28:49 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7023
    Description = Tjänsten Computer Browser avbröts med följande fel: %%1060

    Error - 2012-06-03 13:29:06 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7034
    Description = Tjänsten PEVSystemStart avslutades oväntat. Detta har skett 1 gånger.

    Error - 2012-06-03 13:29:06 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: 1052426drv

    Error - 2012-06-03 13:29:06 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7003
    Description = Tjänsten epfwwfpr är beroende av följande tjänst: BFE. Tjänsten är
    kanske inte installerad.

    Error - 2012-06-03 13:29:34 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7023
    Description = Tjänsten Function Discovery Resource Publication avbröts med följande
    fel: %%-2147024891

    Error - 2012-06-03 13:29:34 | Computer Name = Ägaren-Dator | Source = Service Control Manager | ID = 7001
    Description = Tjänsten HomeGroup Provider är beroende av tjänsten Function Discovery
    Resource Publication. Den sistnämnda kunde inte starta på grund av följande fel:
    %%-2147024891


    < End of report >
     
  3. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - [2011-06-26 08:45:56 | 000,256,000 | ---- | M] () [Auto | Stopped] -- C:\32788R22FWJFW\pev.3XE -- (PEVSystemStart)
      O4 - HKU\S-1-5-21-3856055600-2435477386-2425398921-1000..\Run: [VPNCheck] File not found
      O4 - HKU\S-1-5-21-3856055600-2435477386-2425398921-1001..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
      O4 - Startup: C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk = File not found
      O4 - Startup: C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_39377219.lnk = File not found
      O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
      O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      [2012-05-15 20:24:55 | 000,000,000 | ---D | M] -- C:\Users\Chrilles\AppData\Roaming\’O‰ºŒ“¬‹äŠy•”
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Windows\assembly\GAC_32\Desktop.ini
      C:\Windows\assembly\GAC_64\Desktop.ini
      C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000064.@
      C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000032.@
      C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000000.@
      C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\L\00000008.@
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===========================================================================

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  4. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    All processes killed
    ========== OTL ==========
    Service PEVSystemStart stopped successfully!
    Service PEVSystemStart deleted successfully!
    C:\32788R22FWJFW\pev.3XE moved successfully.
    Registry value HKEY_USERS\S-1-5-21-3856055600-2435477386-2425398921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\VPNCheck deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-3856055600-2435477386-2425398921-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
    C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk moved successfully.
    C:\Users\Ägaren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_39377219.lnk moved successfully.
    64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add to Google Photos Screensa&ver\ deleted successfully.
    64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    C:\Users\Chrilles\AppData\Roaming\’O‰ºŒ“¬‹äŠy•”\LuckyCosplay folder moved successfully.
    C:\Users\Chrilles\AppData\Roaming\’O‰ºŒ“¬‹äŠy•” folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    File\Folder C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000064.@ not found.
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000032.@ moved successfully.
    File\Folder C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000000.@ not found.
    File\Folder C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\L\00000008.@ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Chrilles
    ->Temp folder emptied: 3483332550 bytes
    ->Temporary Internet Files folder emptied: 4588117 bytes
    ->Java cache emptied: 3436302 bytes
    ->FireFox cache emptied: 515137509 bytes
    ->Google Chrome cache emptied: 105184914 bytes
    ->Flash cache emptied: 8575 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56466 bytes

    User: Ägaren
    ->Temp folder emptied: 1502405900 bytes
    ->Temporary Internet Files folder emptied: 59385828 bytes
    ->Java cache emptied: 981797 bytes
    ->FireFox cache emptied: 250942878 bytes
    ->Flash cache emptied: 60338 bytes

    User: �garen

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 1618992 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5140 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50416 bytes
    RecycleBin emptied: 48862408 bytes

    Total Files Cleaned = 5 699,00 mb


    [EMPTYJAVA]

    User: All Users

    User: Chrilles
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    User: UpdatusUser

    User: Ägaren
    ->Java cache emptied: 0 bytes

    User: �garen

    Total Java Files Cleaned = 0,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Chrilles
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser
    ->Flash cache emptied: 0 bytes

    User: Ägaren
    ->Flash cache emptied: 0 bytes

    User: �garen

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.46.0 log created on 06032012_202914

    Files\Folders moved on Reboot...
    C:\Users\Ägaren\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
     
  5. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Sophos Virus Removal Tool
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    MVPS Hosts File
    Spybot - Search & Destroy
    JavaFX 2.1.0
    Java(TM) 7 Update 4
    Out of date Java installed!
    Adobe Flash Player 11.2.202.235
    Adobe Reader X (10.1.3)
    Mozilla Firefox (x86 sv-SE..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamgui.exe
    ``````````End of Log````````````
     
  6. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Farbar Service Scanner Version: 27-05-2012
    Ran by Ägaren (administrator) on 03-06-2012 at 20:34:27
    Running from "C:\Users\Ägaren\Desktop"
    Microsoft Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Attempt to access Yahoo.com returned error: Yahoo.com is offline


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is OK.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  7. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    What happened to Eset AV?
     
  8. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    It takes forever to finish; I would estimate about 15 minutes left, don't worry.
     
  9. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    BTW, should I scan some of the logs in my real ESET NOD32 AV as well, or just from the online scanner?
     
  10. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Just online.
     
  11. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    C:\Users\Chrilles\Downloads\nbg12.rar a variant of Win32/Packed.ZipCoin.A application deleted - quarantined
    C:\Users\Chrilles\Downloads\shift2u.rar a variant of Win32/Packed.NoobyProtect.C application deleted - quarantined
    C:\Users\Chrilles\Downloads\Unlocker1.9.1-x64.exe a variant of Win32/Toolbar.Babylon application deleted - quarantined
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U\80000032.@ probably a variant of Win32/Sirefef.EU trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\06032012_202914\C_Windows\assembly\GAC_32\Desktop.ini Win32/Sirefef.EZ trojan deleted - quarantined
    C:\_OTL\MovedFiles\06032012_202914\C_Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.AD trojan deleted - quarantined
     
     
  12. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    You have a couple of registry keys missing.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on mpssvc.reg file and confirm the prompt.
    Double click on bfe.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
     
  13. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Farbar Service Scanner Version: 27-05-2012
    Ran by Ägaren (administrator) on 04-06-2012 at 00:08:42
    Running from "C:\Users\Ägaren\Desktop"
    Microsoft Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Attempt to access Yahoo.com returned error: Yahoo.com is offline


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is OK.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
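    The FSS log above is read by eye in the thread; the added example below (my code, not Farbar's, TechSpot's or any poster's) parses the same line shapes so the two things a helper acts on fall out automatically: services reported as not running, and configuration checks where FSS printed a value instead of "is OK". The sample log is a constructed excerpt modelled on the posted one, and the reading that FSS prints the actual value only when it differs from the expected one is an assumption stated in the code.

```python
import re

# Constructed excerpt modelled on the Farbar Service Scanner (FSS) log posted
# above; sample input for this example, not the full log.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
"""

# The line shapes visible in the posted log.
SERVICE_RE = re.compile(r"^(\S+) Service is (not running|running)\.")
CHECK_OK_RE = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+?)(?: service)? is OK\.$")
CHECK_VALUE_RE = re.compile(r'^The (start type|ImagePath|ServiceDll) of (\S+?)(?: service)?: "?(.*?)"?\.$')
FILE_RE = re.compile(r"^(.+?) => (.+)$")


def parse_fss(text):
    """Parse the service and File Check sections of an FSS log into dicts."""
    services, files = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = {"running": m.group(2) == "running", "checks": {}}
            continue
        m = CHECK_OK_RE.match(line)
        if m:
            svc = services.setdefault(m.group(2), {"running": None, "checks": {}})
            svc["checks"][m.group(1)] = "OK"
            continue
        m = CHECK_VALUE_RE.match(line)
        if m:
            svc = services.setdefault(m.group(2), {"running": None, "checks": {}})
            svc["checks"][m.group(1)] = m.group(3)   # actual value FSS printed
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group(1)] = m.group(2)
    return {"services": services, "files": files}


def find_anomalies(parsed):
    """List what needs follow-up: stopped services, checks where FSS printed a
    value instead of OK (assumption: it does that only when the value differs
    from what it expects), and file checks that are not 'MD5 is legit'."""
    out = []
    for name, info in parsed["services"].items():
        if info["running"] is False:
            out.append(f"{name}: service not running")
        for check, value in info["checks"].items():
            if value != "OK":
                out.append(f"{name}: {check} is {value!r}, not the expected value")
    for path, verdict in parsed["files"].items():
        if verdict != "MD5 is legit":
            out.append(f"{path}: {verdict}")
    return out


if __name__ == "__main__":
    for item in find_anomalies(parse_fss(SAMPLE_FSS_LOG)):
        print(item)
```

    Run against the sample it reports MpsSvc, bfe and WinDefend as not running and the WinDefend ServiceDll as a non-OK value; the "MD5 is legit" file lines produce nothing, which is the quiet result you want from that section.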
     
  14. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  15. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Is it really clean? Because Nod32 keeps blocking some Agent.BA and Sirefef located in C:\Windows\Installer\random numbers and letters. It says it's in quarantine, but I have 420+ Sirefef.AE trojans blocked from that location, 2 new blocks each minute.
     
  16. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    And it also keeps blocking my Nod32 Web and Email protection.
     
  17. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    This is what I mean: it keeps trying to insert itself into firefox.exe or something. Look at the quarantined count.
     
  18. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Run full scan with NOD32.
     
  19. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    We posted at the same time so read my previous reply.
     
  20. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Do you want me to complete all those steps again? Nod32 found some Rootkit.Dropper; that is probably what infected me with the Sirefef rootkit, right?
     
  21. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    No. I want you to run full scan with your NOD32 AV program and let me know exact results.
     
  22. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Operating memory » C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.EZ trojan No action
    C:\Windows\assembly\GAC_32\Desktop.ini Win32/Sirefef.EZ trojan No action
    C:\Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.AD trojan No action

    These were found by full in-depth computer scan in Nod32 AV 5
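    The detections in this thread all sit at the same two kinds of location: Desktop.ini planted in C:\Windows\assembly\GAC_32 and GAC_64, and *.@ files in a "U" folder under a GUID-named folder in C:\Windows\Installer. The added example below (my code, not ESET's, TechSpot's or any poster's) sweeps a Windows directory for exactly those paths and reports each hit, so a repeated NOD32 block can be tied back to the files that are still on disk. It runs offline against a constructed throwaway directory tree that mimics the posted layout; the treatment of an access-denied error on one of these paths as its own finding is an assumption, stated in the code.

```python
import re
import stat
import tempfile
from pathlib import Path

# Indicator locations taken from the detections posted in this thread,
# relative to the Windows directory.
GAC_DESKTOP_INI = ("assembly/GAC_32/Desktop.ini", "assembly/GAC_64/Desktop.ini")
GUID_DIR_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def probe(path):
    """Classify a path as 'file', 'dir', 'other', 'missing' or 'denied'.
    stat() is called directly so that access-denied is reported instead of
    being silently read as 'missing' (Path.is_file() swallows it)."""
    try:
        st = path.stat()
    except (FileNotFoundError, NotADirectoryError):
        return "missing"
    except PermissionError:
        return "denied"
    if stat.S_ISREG(st.st_mode):
        return "file"
    return "dir" if stat.S_ISDIR(st.st_mode) else "other"


def find_sirefef_indicators(windows_dir):
    """Return a list of findings (dicts with 'kind' and 'path') under windows_dir.
    A hit is something to verify with the helper or AV, not proof by itself.
    Assumption: access-denied on these exact paths is worth reporting, because
    a live rootkit may block access to them; it is returned as its own kind."""
    root = Path(windows_dir)
    findings = []
    for rel in GAC_DESKTOP_INI:
        p = root / rel
        state = probe(p)
        if state == "file":
            findings.append({"kind": "gac_desktop_ini", "path": str(p)})
        elif state == "denied":
            findings.append({"kind": "access_denied", "path": str(p)})
    installer = root / "Installer"
    if probe(installer) != "dir":
        return findings
    for entry in sorted(installer.iterdir()):
        if not (GUID_DIR_RE.match(entry.name) and probe(entry) == "dir"):
            continue
        u_dir = entry / "U"
        state = probe(u_dir)
        if state == "denied":
            findings.append({"kind": "access_denied", "path": str(u_dir)})
            continue
        if state != "dir":
            continue
        try:
            at_files = sorted(f.name for f in u_dir.iterdir() if f.suffix == ".@")
        except PermissionError:
            findings.append({"kind": "access_denied", "path": str(u_dir)})
            continue
        if at_files:
            findings.append({"kind": "installer_u_dir", "path": str(u_dir), "files": at_files})
    return findings


def build_sample_tree():
    """Create a throwaway tree mimicking the infected layout from the scan
    results above, plus two benign neighbours; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="win_"))
    bad_guid = "{6ccbf812-07b7-4726-bef0-b612a153384e}"
    for name in ("00000008.@", "80000032.@"):
        p = root / "Installer" / bad_guid / "U" / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample, not malware")
    # an ordinary Installer GUID folder with no U subfolder: must not be flagged
    (root / "Installer" / "{11111111-2222-3333-4444-555555555555}").mkdir(parents=True)
    for gac in ("GAC_32", "GAC_64"):
        p = root / "assembly" / gac / "Desktop.ini"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample, not malware")
    # GAC_MSIL holds real assemblies and carries no indicator: must not be flagged
    (root / "assembly" / "GAC_MSIL" / "SomeLib").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for finding in find_sirefef_indicators(build_sample_tree()):
        print(finding)
```

    On a real machine the argument would be the Windows directory; the benign neighbours in the sample tree are there to show the sweep keys on the exact paths and not on every Desktop.ini or GUID folder, both of which are common on a healthy system.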
     
  23. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Let's try Combofix again, but this time be patient. Let it run.
    IMPORTANT! Delete your existing Combofix file and download a new one....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  24. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    It won't go further than that. The green bar goes to the end, but it's like it's not installing any other files; it just says that.
     
  25. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    How long did you wait?

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
     

