TechSpot

Sirefef won't go away - please help!

Solved
By cschrille
Jun 2, 2012
  1. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Please boot to the System Recovery Options.
    If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
    It's also possible that your computer has a pre-installed recovery partition instead; in that case use method one (by pressing F8 before Windows starts loading)...
    NOTE: If none of the above apply, you can create a System Repair Disc (link in "Option two") and boot from it.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot (<--- there is a "space" after "bootrec")

    exit

    Restart computer.

    Post new aswMBR log.
     
  2. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

     
  3. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    We posted at the same time.
    Read my previous reply.
     
  4. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    OK, this won't delete any of my files or anything, right?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    No, no. It'll reset your MBR (master boot record) and it may help with running Combofix.
     
  6. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Sweet, back in a few then.
     
  7. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-07 23:40:45
    -----------------------------
    23:40:45.926 OS Version: Windows x64 6.1.7601 Service Pack 1
    23:40:45.926 Number of processors: 4 586 0x2A07
    23:40:45.926 ComputerName: ÄGAREN-DATOR UserName: Ägaren
    23:40:47.049 Initialize success
    23:41:15.318 AVAST engine defs: 12060700
    23:43:17.653 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-7
    23:43:17.669 Disk 0 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953868MB BusType: 3
    23:43:17.669 Disk 0 MBR read successfully
    23:43:17.669 Disk 0 MBR scan
    23:43:17.669 Disk 0 Windows 7 default MBR code
    23:43:17.669 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    23:43:17.684 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 489525 MB offset 206848
    23:43:17.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464240 MB offset 1002754048
    23:43:17.747 Disk 0 scanning C:\Windows\system32\drivers
    23:43:23.316 Service scanning
    23:43:35.858 Modules scanning
    23:43:35.858 Disk 0 trace - called modules:
    23:43:35.858 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    23:43:35.874 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007800060]
    23:43:35.874 3 CLASSPNP.SYS[fffff880021c143f] -> nt!IofCallDriver -> [0xfffffa8007557580]
    23:43:35.889 5 ACPI.sys[fffff88000ec17a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-7[0xfffffa8007536060]
    23:43:38.463 AVAST engine scan C:\Windows
    23:43:44.001 AVAST engine scan C:\Windows\system32
    23:45:06.900 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    23:45:08.148 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    23:45:51.469 AVAST engine scan C:\Windows\system32\drivers
    23:46:04.511 AVAST engine scan C:\Users\Ägaren
    23:48:54.598 AVAST engine scan C:\ProgramData
    23:50:24.173 Scan finished successfully
    23:52:59.940 Disk 0 MBR has been saved successfully to "C:\Users\Ägaren\Desktop\MBR.dat"
    23:52:59.940 The log file has been saved successfully to "C:\Users\Ägaren\Desktop\aswMBR.txt"


    That was just a quick scan; I can scan C:\ or the entire PC if you want.
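
The question a few posts up (does bootrec /fixmbr touch my files?) comes down to how sector 0 is laid out: bootrec /fixmbr rewrites only the 446 bytes of boot code at the start of the MBR and leaves the 64-byte partition table and the 0x55AA signature alone, and bootrec /fixboot writes the boot sector of the active partition, not the MBR. That is why the three partitions in the aswMBR log above survive both commands. The Python script below is an added example, not part of this thread or of aswMBR: it parses a 512-byte MBR such as the MBR.dat that aswMBR saved to the Desktop, lists the partition table, runs a few consistency checks a tampered or corrupted table would fail, and shows that a simulated boot-code rewrite leaves the table byte-for-byte unchanged. The embedded sample MBR is constructed from the three partitions reported in the log (offsets 2048, 206848 and 1002754048, sizes 100, 489525 and 464240 MB); its boot code is a two-byte placeholder, not real Windows 7 boot code, and all function names are mine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code, the part bootrec /fixmbr rewrites
TABLE_OFF = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511: boot signature
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(data: bytes) -> dict:
    """Parse one 512-byte MBR sector into a boot-code hash plus its partition entries."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if data[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(data, TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {"boot_code_md5": hashlib.md5(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def check_partitions(parts: list) -> list:
    """Consistency checks: one active partition, no overlaps, nothing starting at LBA 0."""
    problems = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["lba_start"] == 0:
            problems.append(f"partition {p['index']} starts inside the MBR sector")
    return problems


def table_unchanged(before: bytes, after: bytes) -> bool:
    """The bootrec /fixmbr contract: everything from byte 446 onward is preserved."""
    return before[TABLE_OFF:SECTOR] == after[TABLE_OFF:SECTOR]


def build_sample_mbr() -> bytes:
    """Constructed sample: the layout from the aswMBR log above, placeholder boot code."""
    boot_code = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2)   # 'jmp $' stub, not real MBR code
    table = b"".join([
        ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 100 * 2048),           # 100 MB, active
        ENTRY.pack(0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 489525 * 2048),      # 489525 MB
        ENTRY.pack(0x00, b"\0\0\0", 0x07, b"\0\0\0", 1002754048, 464240 * 2048),  # 464240 MB
        b"\x00" * 16,                                                             # unused slot
    ])
    return boot_code + table + SIGNATURE


def load_mbr(path: str) -> bytes:
    """Read the first sector of a dump such as aswMBR's MBR.dat."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("boot code md5:", info["boot_code_md5"])
    for p in info["partitions"]:
        flag = "*" if p["active"] else " "
        print(f"{flag} {p['index']} type 0x{p['type']:02x} start {p['lba_start']:>11} {p['size_mb']:>7} MB")
    print("problems:", check_partitions(info["partitions"]) or "none")
    # What /fixmbr does: new boot code, same table.
    rewritten = b"\x90" * BOOT_CODE_LEN + mbr[TABLE_OFF:]
    print("table unchanged after boot-code rewrite:", table_unchanged(mbr, rewritten))
```

Against a real dump, replace build_sample_mbr() with load_mbr("MBR.dat"). The boot-code MD5 is what you compare against a dump taken from a clean machine running the same Windows build; the "Windows 7 default MBR code" line in the aswMBR log is that comparison done for you, and the partition-table checks are what a bootkit that hides a volume or redirects the active partition would trip.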
     
  8. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    That's fine.

    Let's check one more thing...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      svchost.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  9. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    SystemLook 30.07.11 by jpshortstuff
    Log created at 00:29 on 08/06/2012 by Ägaren
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "svchost.exe"
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [17:35 02/06/2012] [13:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
    C:\Windows\System32\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
    C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
    C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
    C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

    -= EOF =-
     
  10. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    That looks fine.

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFile: 
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\

    Then....

    Restart computer and post new aswMBR log.
     
  11. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_32\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
    RemoveFile: ZwDeleteFile failed: status = c0000034
    MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_64\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
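
The two files aswMBR flagged and BlitzBlank was asked to delete are Desktop.ini entries under assembly\GAC_32 and assembly\GAC_64, where a Desktop.ini, if present at all, should be a few lines of shell metadata rather than anything executable. (The status c0000034 in the BlitzBlank report is STATUS_OBJECT_NAME_NOT_FOUND: the GAC_32 file was not at that path when BlitzBlank tried the direct delete.) The thread does not say what those two files contained, so the following Python script, an added example and not part of the thread or of either tool, demonstrates the generic content check a responder would run next: walk a tree and report every Desktop.ini whose bytes are actually an MZ/PE image, with the PE machine type so 32-bit and 64-bit payloads can be told apart. The sample tree it builds is constructed in a temp directory with fake minimal PE headers; nothing in it is real malware, and the function names are mine.

```python
import os
import struct
import tempfile

MACHINES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / IMAGE_FILE_MACHINE_AMD64


def pe_machine(data: bytes):
    """Return the PE machine type if `data` starts with a valid MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # IMAGE_FILE_HEADER.Machine
    return MACHINES.get(machine, f"0x{machine:04x}")


def scan_ini_for_pe(root: str, names=("desktop.ini",)) -> list:
    """Walk `root`; report every file named in `names` that is really a PE image."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() not in names:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(4096)   # MZ header, e_lfanew and PE signature all sit near the start
            machine = pe_machine(head)
            if machine is not None:
                hits.append((os.path.relpath(path, root), machine, os.path.getsize(path)))
    return sorted(hits)


def fake_pe(machine: int) -> bytes:
    """Constructed minimal MZ+PE header (not a runnable executable) for the sample tree."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)    # IMAGE_FILE_HEADER.Machine
    return bytes(buf)


def build_sample_tree() -> str:
    """Constructed layout mirroring the aswMBR paths: two PE-bodied Desktop.ini files under
    assembly\\GAC_32 and assembly\\GAC_64, plus a benign one that is ordinary shell metadata."""
    root = tempfile.mkdtemp(prefix="gac_sample_")
    layout = {
        os.path.join("assembly", "GAC_32", "Desktop.ini"): fake_pe(0x014C),
        os.path.join("assembly", "GAC_64", "Desktop.ini"): fake_pe(0x8664),
        os.path.join("Web", "Desktop.ini"): b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, machine, size in scan_ini_for_pe(root):
        print(f"PE image behind a .ini name: {rel} ({machine}, {size} bytes)")
```

On a live system point scan_ini_for_pe at C:\Windows\assembly (run elevated, and with hidden and protected files in view as Broni describes later in the thread). A hit means the name is a disguise, not that the file is necessarily malicious; hash it and submit it before deleting, since the detection name aswMBR gave these two files is the only thing on this page that says what they were.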
     
     
  12. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Hey, I got Combofix running. It deleted the desktop.ini things, I think, because Nod32 is 100% working again. However, the viruses in the Installer folder still exist; I guess they are the last. Do you still want the aswMBR log?

    Combofix log:
    ComboFix 12-06-06.02 - Ägaren 2012-06-08 0:48.2.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1053.18.8173.6431 [GMT 2:00]
    Running from: c:\users\Ägaren\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\programdata\1337181385.bdinstall.bin
    c:\programdata\1338149966.bdinstall.bin
    c:\users\Chrilles\AppData\Local\TempDIR
    c:\windows\apppatch\AppLoc.exe
    c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    .
    .
    (((((((((((((((((((((((( Files created from 2012-05-07 to 2012-06-07 ))))))))))))))))))))))))))))))
    .
    .
    2012-06-07 22:52 . 2012-06-07 22:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-07 22:52 . 2012-06-07 22:52 -------- d-----w- c:\users\Chrilles\AppData\Local\temp
    2012-06-07 18:23 . 2012-06-07 22:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-06-07 16:16 . 2012-06-07 16:16 -------- d-----w- c:\program files\Alex Feinman
    2012-06-05 23:50 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4552CAB4-0065-4371-B8ED-5513444AFBD7}\mpengine.dll
    2012-06-03 18:42 . 2012-06-03 18:42 -------- d-----w- c:\program files (x86)\ESET
    2012-06-03 18:29 . 2012-06-03 18:29 -------- d-----w- C:\_OTL
    2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\programdata\Sophos
    2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\program files (x86)\Sophos
    2012-06-03 12:49 . 2012-06-03 12:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-06-03 08:12 . 2012-06-07 00:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-03 08:12 . 2012-06-03 08:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-02 20:17 . 2012-06-02 20:17 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-06-02 20:17 . 2012-06-02 20:17 460888 ----a-w- c:\windows\system32\drivers\39377219.sys
    2012-06-02 17:35 . 2012-06-02 17:35 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-02 17:35 . 2012-04-04 13:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 17:35 . 2012-06-02 17:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-02 16:39 . 2012-06-02 16:39 -------- d-----w- c:\programdata\Rockstar Games
    2012-06-02 11:28 . 2012-06-02 11:28 -------- d-----w-aren c:\users\GAREN~2
    2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\program files (x86)\Rockstar Games
    2012-05-28 15:56 . 2012-05-28 15:56 -------- d-sh--w- c:\programdata\DSS
    2012-05-26 15:55 . 2012-05-26 22:38 -------- d-----w- c:\program files (x86)\MSI Afterburner
    2012-05-26 13:38 . 2012-05-26 13:38 -------- d-----w- c:\program files (x86)\GIGA
    2012-05-25 18:17 . 2012-05-25 18:17 -------- d-----w- c:\program files (x86)\FlashGet
    2012-05-24 14:58 . 2012-05-24 14:58 -------- d-----w- C:\KISS
    2012-05-24 14:20 . 2012-03-09 08:57 23816 ------w- c:\windows\system32\drivers\cpuz135_x64.sys
    2012-05-24 14:20 . 2012-05-24 14:20 -------- d-----w- c:\program files\CPUID
    2012-05-24 11:42 . 2012-05-24 11:42 -------- d-----w- c:\program files\Speccy
    2012-05-23 11:58 . 2012-05-23 11:58 283200 ------w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-05-23 11:58 . 2012-05-23 11:58 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
    2012-05-23 11:57 . 2012-05-23 12:00 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2012-05-22 19:19 . 2012-05-22 19:19 -------- d-----w- c:\windows\Sun
    2012-05-22 19:16 . 2012-05-22 19:16 -------- d-----w- c:\program files (x86)\Oracle
    2012-05-22 19:15 . 2012-04-04 16:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-05-22 19:15 . 2012-04-04 16:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-05-22 19:12 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
    2012-05-22 15:04 . 2012-05-22 15:13 -------- d-----w- c:\program files (x86)\NeoDownloader
    2012-05-21 19:30 . 2012-05-21 19:30 -------- d-----w- c:\program files (x86)\7-Zip
    2012-05-21 19:27 . 2012-05-21 19:27 -------- d-----w- c:\program files (x86)\Notepad++
    2012-05-20 14:41 . 2012-05-20 14:41 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
    2012-05-20 09:53 . 2012-06-01 10:35 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-05-18 19:54 . 2012-06-03 10:47 -------- d-----w- c:\programdata\Electronic Arts
    2012-05-18 19:54 . 2012-05-18 19:55 -------- d-----w- c:\program files (x86)\Origin
    2012-05-17 21:22 . 2012-05-17 21:34 -------- d-----w- c:\programdata\Blizzard Entertainment
    2012-05-17 21:04 . 2012-05-17 21:04 -------- d-----w- c:\programdata\Battle.net
    2012-05-17 19:47 . 2012-05-17 21:34 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
    2012-05-16 15:19 . 2012-05-16 15:19 -------- d-----w- c:\programdata\BDLogging
    2012-05-16 15:18 . 2012-05-27 20:35 -------- d-----w- c:\program files\Bitdefender
    2012-05-16 15:16 . 2012-05-27 20:21 -------- d-----w- c:\program files\Common Files\Bitdefender
    2012-05-15 20:52 . 2012-05-15 20:52 -------- d-----w- c:\program files (x86)\VideoLAN
    2012-05-15 20:50 . 2011-03-02 10:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
    2012-05-15 20:50 . 2012-05-15 20:50 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
    2012-05-15 20:08 . 2012-05-15 20:08 -------- d-----w- c:\program files (x86)\VPNCheck
    2012-05-15 20:00 . 2012-05-15 20:02 -------- d-----w- c:\program files (x86)\OpenVPN
    2012-05-15 19:17 . 2012-06-06 00:01 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-05-15 19:09 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2012-05-15 19:09 . 2009-07-14 01:15 50688 ----a-w- c:\program files (x86)\Internet Explorer\hmmapi.dll
    2012-05-15 19:02 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2012-05-15 18:51 . 2012-06-07 20:57 -------- d-----w- c:\users\UpdatusUser
    2012-05-15 18:43 . 2012-05-15 18:42 839112 ----a-w- c:\windows\system32\deployJava1.dll
    2012-05-15 18:43 . 2012-05-15 18:42 955848 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-15 18:42 . 2012-05-15 18:42 -------- d-----w- c:\program files\Java
    2012-05-15 18:24 . 2003-04-09 03:28 233472 ----a-r- c:\users\Chrilles\AppData\Roaming\MafiaSetup.exe
    2012-05-15 18:18 . 2012-05-15 18:18 -------- d-----w- c:\program files\SystemRequirementsLab
    2012-05-15 14:56 . 2012-05-15 14:57 -------- d-----w- c:\windows\SysWow64\Adobe
    2012-05-15 14:54 . 2012-05-15 20:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-15 14:54 . 2012-05-15 20:42 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\system32\Macromed
    2012-05-15 14:49 . 2012-05-15 14:49 -------- d-----w- c:\program files (x86)\Microsoft
    2012-05-15 14:47 . 2005-05-26 13:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
    2012-05-15 14:47 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
    2012-05-15 14:09 . 2012-05-15 14:09 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
    2012-05-15 14:07 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-05-15 14:07 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\SPReview
    2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\EventProviders
    2012-05-15 13:42 . 2010-11-20 13:27 624128 ----a-w- c:\windows\system32\qedit.dll
    2012-05-15 13:41 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2012-05-15 13:41 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-15 13:41 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\SysWow64\Wat
    2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\system32\Wat
    2012-05-15 12:57 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
    2012-05-15 12:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-05-15 12:48 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-05-15 12:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-05-15 12:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-05-15 12:48 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-05-15 12:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-05-15 12:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-05-15 12:44 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
    2012-05-15 12:38 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2012-05-15 12:38 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2012-05-15 12:31 . 2012-05-15 12:31 -------- d-----w- c:\programdata\NVIDIA Corporation
    2012-05-15 12:31 . 2012-05-22 19:13 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
    2012-05-15 12:31 . 2012-05-22 19:12 -------- d-----w- c:\program files\NVIDIA Corporation
    2012-05-15 12:30 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-05-15 12:30 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
    2012-05-15 12:30 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-05-15 12:30 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-05-15 12:30 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-15 12:30 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-05-15 12:30 . 2010-11-20 11:07 162816 ----a-w- c:\windows\system32\rdpudd.dll
    2012-05-15 12:30 . 2010-11-20 11:03 20992 ------w- c:\windows\system32\drivers\rdpvideominiport.sys
    2012-05-15 11:41 . 2012-06-02 21:33 -------- d-----w- c:\windows\Panther
    2012-05-15 11:18 . 2012-02-23 08:18 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-15 11:15 . 2012-05-15 11:15 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2012-05-15 11:14 . 2011-06-10 06:34 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2012-05-15 11:14 . 2011-06-10 06:34 539240 ------w- c:\windows\system32\drivers\Rt64win7.sys
    2012-05-15 11:14 . 2011-06-10 06:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2012-05-15 11:11 . 2005-11-13 21:22 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2012-05-15 11:11 . 2005-11-13 21:22 69715 ------w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2012-05-15 11:11 . 2005-11-13 21:21 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2012-05-15 11:11 . 2005-11-13 21:20 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2012-05-15 11:11 . 2005-11-13 21:19 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2012-05-15 11:11 . 2005-11-13 21:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2012-05-15 11:11 . 2005-11-13 21:16 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2012-05-15 11:11 . 2012-05-12 21:55 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2012-05-15 11:11 . 2012-05-12 21:55 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2012-05-15 11:11 . 2012-05-15 11:11 16896 ----a-w- c:\windows\AsTaskSched.dll
    2012-05-15 11:11 . 2012-05-15 11:11 -------- d-----w- c:\program files (x86)\Intel
    2012-05-15 11:11 . 2011-04-15 08:00 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
    2012-05-15 11:10 . 2012-05-15 11:10 -------- d-----w- C:\Intel
    2012-05-15 11:10 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-15 13:55 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-05-15 13:55 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2012-05-15 10:48 . 2012-02-09 20:43 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
    2012-05-15 10:48 . 2012-02-09 20:43 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
    2012-05-15 10:48 . 2012-02-09 20:43 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
    2012-05-02 00:46 . 2012-05-02 00:46 4472832 ----a-w- c:\windows\SysWow64\GPhotos.scr
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
    .
    (((((((((((((((((((((((((((((((((( Registry start points )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R1 1052426drv;1052426drv;c:\windows\system32\DRIVERS\1052426drv.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 257696]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-06 113120]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 39377219;39377219;c:\windows\system32\DRIVERS\39377219.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder:
    .
    2012-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 20:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Ägaren\AppData\Roaming\Mozilla\Firefox\Profiles\r3cyqdc7.default\
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
    89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"=hex:51,66,7a,6c,4c,1d,38,12,68,40,25,
    2b,77,e4,db,02,e0,8b,7a,e8,bc,10,3a,e3
    "{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
    57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
    d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
    "{F156768E-81EF-470C-9057-481BA8380DBA}"=hex:51,66,7a,6c,4c,1d,38,12,e0,75,45,
    f5,dd,cf,62,02,ef,41,0b,5b,ad,66,49,ae
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:5f,b7,7b,f1,c8,44,cd,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-06-08 00:57:10 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-06-07 22:57
    .
    Före genomsökningen: 374 572 933 120 byte ledigt
    Efter genomsökningen: 374 161 375 232 byte ledigt
    .
    - - End Of File - - 40CEC8475A1ADA1629C0076C9D8CD831
     
  13. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    WOW! That's a relief :)

    Combofix log looks good but we need to check one last thing.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload the following file to http://www.virustotal.com/ for security check:
    - c:\windows\system32\services.exe
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  14. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    AntivirusResult
    AhnLab-V3 -
    AntiVir -
    Antiy-AVL -
    Avast -
    AVG Patched_c.LXT
    BitDefender -
    ByteHero -
    CAT-QuickHeal -
    ClamAV -
    Commtouch -
    Comodo -
    DrWeb -
    Emsisoft -
    eSafe -
    F-Prot -
    F-Secure -
    Fortinet -
    GData -
    Ikarus -
    Jiangmin -
    K7AntiVirus -
    Kaspersky -
    McAfee ZeroAccess
    McAfee-GW-Edition ZeroAccess
    Microsoft -
    NOD32 -
    Norman -
    nProtect -
    Panda -
    PCTools -
    Rising -
    Sophos -
    SUPERAntiSpyware -
    Symantec -
    TheHacker -
    TotalDefense -
    TrendMicro -
    TrendMicro-HouseCall -
    VBA32 -
    VIPRE Trojan.Win32.Generic!BT
    ViRobot -
    VirusBuster -

    But how will I get rid of the viruses inside the C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U folder?
     
  15. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    I don't think that folder exists anymore.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :folderfind
      {6ccbf812-07b7-4726-bef0-b612a153384e}
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  16. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    I can access it and Nod32 blocks it every other minute, and what about services.exe? The results say it contains ZeroAccess aka Sirefef, and it's Sirefef that keeps being blocked by Nod32.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 01:22 on 08/06/2012 by Ägaren
    Administrator - Elevation successful

    ========== folderfind ==========

    Searching for "{6ccbf812-07b7-4726-bef0-b612a153384e}"
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d--hs-- [12:37 15/05/2012]
    C:\_OTL\MovedFiles\06032012_202914\C_Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d------ [18:29 03/06/2012]

    -= EOF =-
     
  17. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Let's see one more thing...

    Re-run System Look with this code:

    Code:
    :dir
     
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} /s
     
  18. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    SystemLook 30.07.11 by jpshortstuff
    Log created at 01:28 on 08/06/2012 by Ägaren
    Administrator - Elevation successful

    ========== dir ==========

    - Unable to find folder.

    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} - Parameters: "/s"

    ---Files---
    @ ---hs-- 2048 bytes [12:37 15/05/2012] [06:41 17/11/2011]

    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\L d--hs-- [12:37 15/05/2012]
    00000004.@ --a---- 740 bytes [17:51 02/06/2012] [22:39 07/06/2012]

    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U d-ahs-- [12:37 15/05/2012]
    00000004.@ --a---- 1536 bytes [17:29 02/06/2012] [20:11 06/06/2012]
    000000cb.@ --a---- 1584 bytes [17:29 02/06/2012] [17:29 02/06/2012]
    80000032.@ --a---- 93696 bytes [11:43 06/06/2012] [11:43 06/06/2012]

    -= EOF =-
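    The SystemLook listing above is the layout behind the question in post #14: a GUID-named folder under C:\Windows\Installer, hidden+system subfolders L and U, and files named "@" or "*.@" inside them. As an added example that is not part of the thread and not SystemLook's or ComboFix's own code, the following Python script parses a ":dir /s" listing in that format and flags such folders, so the payload files can be enumerated from the log rather than read off by eye. The sample lines are copied from the log above; the line layout (path plus a 7-character attribute string for folders, name, attributes, size and two timestamps for files) and the flagging rule are assumptions read off that log.

```python
import re

# Constructed sample in the SystemLook ":dir /s" output format shown in the thread.
# The folder and file lines are copied from the log above; the only assumption is
# the line layout (path + 7-char attribute string for folders, name + attributes +
# size + two timestamps for files), read off that log.
SAMPLE_DIR_LOG = r"""
========== dir ==========

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} - Parameters: "/s"

---Files---
@ ---hs-- 2048 bytes [12:37 15/05/2012] [06:41 17/11/2011]

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\L d--hs-- [12:37 15/05/2012]
00000004.@ --a---- 740 bytes [17:51 02/06/2012] [22:39 07/06/2012]

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U d-ahs-- [12:37 15/05/2012]
00000004.@ --a---- 1536 bytes [17:29 02/06/2012] [20:11 06/06/2012]
000000cb.@ --a---- 1584 bytes [17:29 02/06/2012] [17:29 02/06/2012]
80000032.@ --a---- 93696 bytes [11:43 06/06/2012] [11:43 06/06/2012]

-= EOF =-
"""

HEADER_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) - Parameters:')
FOLDER_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[d-][-a-z]{6}) \[')
FILE_RE = re.compile(r'^(?P<name>\S+) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes \[')
# GUID-named folder directly under Windows\Installer (the location in the thread).
INSTALLER_GUID_RE = re.compile(r'\\windows\\installer\\\{[0-9a-f-]{36}\}', re.IGNORECASE)


def parse_systemlook_dir(text):
    """Map each folder path in a SystemLook :dir listing to its attribute string
    (None for the queried root, which has no attribute field) and its files."""
    folders = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("path")
            folders[current] = {"attrs": None, "files": []}
            continue
        m = FOLDER_RE.match(line)
        if m:
            current = m.group("path")
            folders[current] = {"attrs": m.group("attrs"), "files": []}
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            folders[current]["files"].append(
                (m.group("name"), m.group("attrs"), int(m.group("size"))))
    return folders


def suspicious_installer_dirs(folders):
    """Flag GUID-named Windows\\Installer folders that hold '@' / '*.@' files, or that
    are hidden+system and non-empty: the layout the SystemLook output above shows."""
    findings = []
    for path, info in folders.items():
        if not INSTALLER_GUID_RE.search(path):
            continue
        attrs = info["attrs"] or ""
        hidden_system = "h" in attrs and "s" in attrs
        at_files = [f for f in info["files"]
                    if f[0] == "@" or f[0].lower().endswith(".@")]
        if at_files or (hidden_system and info["files"]):
            findings.append({
                "folder": path,
                "hidden_system_dir": hidden_system,
                "at_files": len(at_files),
                "at_bytes": sum(f[2] for f in at_files),
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_installer_dirs(parse_systemlook_dir(SAMPLE_DIR_LOG)):
        print(hit)
```

    Run against the listing above it reports all three folders (the root, L and U) with five "@"-style files between them; an empty result on a later run is the check that the folder really is gone, which is what the re-run in post #21 is for.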
     
  19. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Very well.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  20. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    ComboFix 12-06-06.02 - Ägaren 2012-06-08 1:35.3.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1053.18.8173.6096 [GMT 2:00]
    Körs från: c:\users\-garen\Desktop\ComboFix.exe
    Kommandoväxlar som använts :: c:\users\-garen\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-05-07 till 2012-06-07 ))))))))))))))))))))))))))))))
    .
    .
    2012-06-07 23:38 . 2012-06-07 23:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-07 23:38 . 2012-06-07 23:38 -------- d-----w- c:\users\Chrilles\AppData\Local\temp
    2012-06-07 18:23 . 2012-06-07 22:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-06-07 16:16 . 2012-06-07 16:16 -------- d-----w- c:\program files\Alex Feinman
    2012-06-05 23:50 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4552CAB4-0065-4371-B8ED-5513444AFBD7}\mpengine.dll
    2012-06-03 18:42 . 2012-06-03 18:42 -------- d-----w- c:\program files (x86)\ESET
    2012-06-03 18:29 . 2012-06-03 18:29 -------- d-----w- C:\_OTL
    2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\programdata\Sophos
    2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\program files (x86)\Sophos
    2012-06-03 12:49 . 2012-06-03 12:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-06-03 08:12 . 2012-06-07 00:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-03 08:12 . 2012-06-03 08:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-02 20:17 . 2012-06-02 20:17 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-06-02 20:17 . 2012-06-02 20:17 460888 ----a-w- c:\windows\system32\drivers\39377219.sys
    2012-06-02 17:35 . 2012-06-02 17:35 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-02 17:35 . 2012-04-04 13:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 17:35 . 2012-06-02 17:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-02 16:39 . 2012-06-02 16:39 -------- d-----w- c:\programdata\Rockstar Games
    2012-06-02 11:28 . 2012-06-07 22:57 -------- d-----w-aren c:\users\GAREN~2
    2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\program files (x86)\Rockstar Games
    2012-05-28 15:56 . 2012-05-28 15:56 -------- d-sh--w- c:\programdata\DSS
    2012-05-26 15:55 . 2012-05-26 22:38 -------- d-----w- c:\program files (x86)\MSI Afterburner
    2012-05-26 13:38 . 2012-05-26 13:38 -------- d-----w- c:\program files (x86)\GIGA
    2012-05-25 18:17 . 2012-05-25 18:17 -------- d-----w- c:\program files (x86)\FlashGet
    2012-05-24 14:58 . 2012-05-24 14:58 -------- d-----w- C:\KISS
    2012-05-24 14:20 . 2012-03-09 08:57 23816 ------w- c:\windows\system32\drivers\cpuz135_x64.sys
    2012-05-24 14:20 . 2012-05-24 14:20 -------- d-----w- c:\program files\CPUID
    2012-05-24 11:42 . 2012-05-24 11:42 -------- d-----w- c:\program files\Speccy
    2012-05-23 11:58 . 2012-05-23 11:58 283200 ------w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-05-23 11:58 . 2012-05-23 11:58 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
    2012-05-23 11:57 . 2012-05-23 12:00 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2012-05-22 19:19 . 2012-05-22 19:19 -------- d-----w- c:\windows\Sun
    2012-05-22 19:16 . 2012-05-22 19:16 -------- d-----w- c:\program files (x86)\Oracle
    2012-05-22 19:15 . 2012-04-04 16:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-05-22 19:15 . 2012-04-04 16:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-05-22 19:12 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
    2012-05-22 15:04 . 2012-05-22 15:13 -------- d-----w- c:\program files (x86)\NeoDownloader
    2012-05-21 19:30 . 2012-05-21 19:30 -------- d-----w- c:\program files (x86)\7-Zip
    2012-05-21 19:27 . 2012-05-21 19:27 -------- d-----w- c:\program files (x86)\Notepad++
    2012-05-20 14:41 . 2012-05-20 14:41 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
    2012-05-20 09:53 . 2012-06-01 10:35 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-05-18 19:54 . 2012-06-03 10:47 -------- d-----w- c:\programdata\Electronic Arts
    2012-05-18 19:54 . 2012-05-18 19:55 -------- d-----w- c:\program files (x86)\Origin
    2012-05-17 21:22 . 2012-05-17 21:34 -------- d-----w- c:\programdata\Blizzard Entertainment
    2012-05-17 21:04 . 2012-05-17 21:04 -------- d-----w- c:\programdata\Battle.net
    2012-05-17 19:47 . 2012-05-17 21:34 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
    2012-05-16 15:19 . 2012-05-16 15:19 -------- d-----w- c:\programdata\BDLogging
    2012-05-16 15:18 . 2012-05-27 20:35 -------- d-----w- c:\program files\Bitdefender
    2012-05-16 15:16 . 2012-05-27 20:21 -------- d-----w- c:\program files\Common Files\Bitdefender
    2012-05-15 20:52 . 2012-05-15 20:52 -------- d-----w- c:\program files (x86)\VideoLAN
    2012-05-15 20:50 . 2011-03-02 10:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
    2012-05-15 20:50 . 2012-05-15 20:50 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
    2012-05-15 20:08 . 2012-05-15 20:08 -------- d-----w- c:\program files (x86)\VPNCheck
    2012-05-15 20:00 . 2012-05-15 20:02 -------- d-----w- c:\program files (x86)\OpenVPN
    2012-05-15 19:17 . 2012-06-06 00:01 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-05-15 19:09 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2012-05-15 19:09 . 2009-07-14 01:15 50688 ----a-w- c:\program files (x86)\Internet Explorer\hmmapi.dll
    2012-05-15 19:02 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2012-05-15 18:51 . 2012-06-07 20:57 -------- d-----w- c:\users\UpdatusUser
    2012-05-15 18:43 . 2012-05-15 18:42 839112 ----a-w- c:\windows\system32\deployJava1.dll
    2012-05-15 18:43 . 2012-05-15 18:42 955848 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-05-15 18:42 . 2012-05-15 18:42 -------- d-----w- c:\program files\Java
    2012-05-15 18:24 . 2003-04-09 03:28 233472 ----a-r- c:\users\Chrilles\AppData\Roaming\MafiaSetup.exe
    2012-05-15 18:18 . 2012-05-15 18:18 -------- d-----w- c:\program files\SystemRequirementsLab
    2012-05-15 14:56 . 2012-05-15 14:57 -------- d-----w- c:\windows\SysWow64\Adobe
    2012-05-15 14:54 . 2012-05-15 20:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-15 14:54 . 2012-05-15 20:42 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\system32\Macromed
    2012-05-15 14:49 . 2012-05-15 14:49 -------- d-----w- c:\program files (x86)\Microsoft
    2012-05-15 14:47 . 2005-05-26 13:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
    2012-05-15 14:47 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
    2012-05-15 14:09 . 2012-05-15 14:09 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
    2012-05-15 14:07 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-05-15 14:07 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\SPReview
    2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\EventProviders
    2012-05-15 13:42 . 2010-11-20 13:27 624128 ----a-w- c:\windows\system32\qedit.dll
    2012-05-15 13:41 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2012-05-15 13:41 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-15 13:41 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\SysWow64\Wat
    2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\system32\Wat
    2012-05-15 12:57 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
    2012-05-15 12:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-05-15 12:48 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-05-15 12:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-05-15 12:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-05-15 12:48 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-05-15 12:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-05-15 12:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-05-15 12:44 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
    2012-05-15 12:38 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2012-05-15 12:38 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2012-05-15 12:31 . 2012-05-15 12:31 -------- d-----w- c:\programdata\NVIDIA Corporation
    2012-05-15 12:31 . 2012-05-22 19:13 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
    2012-05-15 12:31 . 2012-05-22 19:12 -------- d-----w- c:\program files\NVIDIA Corporation
    2012-05-15 12:30 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-05-15 12:30 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
    2012-05-15 12:30 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-05-15 12:30 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-05-15 12:30 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-15 12:30 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-05-15 12:30 . 2010-11-20 11:07 162816 ----a-w- c:\windows\system32\rdpudd.dll
    2012-05-15 12:30 . 2010-11-20 11:03 20992 ------w- c:\windows\system32\drivers\rdpvideominiport.sys
    2012-05-15 11:41 . 2012-06-02 21:33 -------- d-----w- c:\windows\Panther
    2012-05-15 11:18 . 2012-02-23 08:18 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-15 11:15 . 2012-05-15 11:15 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2012-05-15 11:14 . 2011-06-10 06:34 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2012-05-15 11:14 . 2011-06-10 06:34 539240 ------w- c:\windows\system32\drivers\Rt64win7.sys
    2012-05-15 11:14 . 2011-06-10 06:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2012-05-15 11:11 . 2005-11-13 21:22 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2012-05-15 11:11 . 2005-11-13 21:22 69715 ------w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2012-05-15 11:11 . 2005-11-13 21:21 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2012-05-15 11:11 . 2005-11-13 21:20 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2012-05-15 11:11 . 2005-11-13 21:19 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2012-05-15 11:11 . 2005-11-13 21:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2012-05-15 11:11 . 2005-11-13 21:16 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2012-05-15 11:11 . 2012-05-12 21:55 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2012-05-15 11:11 . 2012-05-12 21:55 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2012-05-15 11:11 . 2012-05-15 11:11 16896 ----a-w- c:\windows\AsTaskSched.dll
    2012-05-15 11:11 . 2012-05-15 11:11 -------- d-----w- c:\program files (x86)\Intel
    2012-05-15 11:11 . 2011-04-15 08:00 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
    2012-05-15 11:10 . 2012-05-15 11:10 -------- d-----w- C:\Intel
    2012-05-15 11:10 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-15 13:55 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-05-15 13:55 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2012-05-15 10:48 . 2012-02-09 20:43 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
    2012-05-15 10:48 . 2012-02-09 20:43 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
    2012-05-15 10:48 . 2012-02-09 20:43 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
    2012-05-02 00:46 . 2012-05-02 00:46 4472832 ----a-w- c:\windows\SysWow64\GPhotos.scr
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-07_22.53.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-05-15 12:27 . 2012-06-07 22:55 32802 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2012-06-07 22:41 30196 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-06-07 22:55 30196 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-05-15 10:46 . 2012-06-07 22:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-05-15 10:46 . 2012-06-07 22:51 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2012-06-03 19:26 . 2012-06-07 22:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2012-06-03 19:26 . 2012-06-07 22:51 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-06-07 22:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-06-07 22:51 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-05-15 11:06 . 2012-06-07 22:55 7128 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3856055600-2435477386-2425398921-1000_UserData.bin
    .
    (((((((((((((((((((((((((((((((((( Startpunkter I registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R1 1052426drv;1052426drv;c:\windows\system32\DRIVERS\1052426drv.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 257696]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-06 113120]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 39377219;39377219;c:\windows\system32\DRIVERS\39377219.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    .
    .
    Innehåll I mappen 'Schemalagda aktiviteter':
    .
    2012-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 20:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
    .
    ------- Extra genomsökning -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
    TCP: DhcpNameServer = 80.67.0.2 91.213.246.2
    FF - ProfilePath - c:\users\Ägaren\AppData\Roaming\Mozilla\Firefox\Profiles\r3cyqdc7.default\
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
    89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"=hex:51,66,7a,6c,4c,1d,38,12,68,40,25,
    2b,77,e4,db,02,e0,8b,7a,e8,bc,10,3a,e3
    "{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
    57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
    d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
    "{F156768E-81EF-470C-9057-481BA8380DBA}"=hex:51,66,7a,6c,4c,1d,38,12,e0,75,45,
    f5,dd,cf,62,02,ef,41,0b,5b,ad,66,49,ae
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:5f,b7,7b,f1,c8,44,cd,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Sluttid: 2012-06-08 01:39:27
    ComboFix-quarantined-files.txt 2012-06-07 23:39
    ComboFix2.txt 2012-06-07 22:57
    .
    Före genomsökningen: 372 455 260 160 byte ledigt
    Efter genomsökningen: 372 376 178 688 byte ledigt
    .
    - - End Of File - - 8CBB2CBB244206FC6DA7272A182D9A0F
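    Post #13 has the user upload services.exe to VirusTotal; the Sigcheck section of the ComboFix log above makes the same point locally, listing the WinSxS copy of services.exe next to the live system32 copy with a different MD5 and a larger size although both carry the same version. As an added example that is not code from the thread, ComboFix or Broni, the following Python script parses Sigcheck lines in that format and reports live files whose MD5 matches none of the WinSxS copies of the same version. The two services.exe lines are copied from the log; the example.dll pair is constructed as a clean case, and treating any path under \winsxs\ as the reference copy is my assumption, as is the field layout read off the log.

```python
import re
from collections import defaultdict

# Sigcheck lines in the ComboFix log format shown in the thread. The two services.exe
# lines are copied from the log above; the example.dll pair is constructed so that
# the check also has a clean case. The flag field ([7] vs [-]) is carried through as
# text and not interpreted.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
[7] 2009-07-14 . 0123456789ABCDEF0123456789ABCDEF . 4096 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_constructed-component_0000000000000000_6.1.7600.16385_none_0000000000000000\example.dll
[7] 2009-07-14 . 0123456789ABCDEF0123456789ABCDEF . 4096 . . [6.1.7600.16385] .. c:\windows\system32\example.dll
.
"""

# Field layout assumed from the log: [flag] date . md5 . size . . [version] .. path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line: flag, date, md5, size, version, path."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"])
        e["path"] = e["path"].lower()
        entries.append(e)
    return entries


def find_mismatches(entries):
    """Compare every live copy of a file against the WinSxS copies of the same file
    version; report live copies whose MD5 matches none of them."""
    by_name = defaultdict(lambda: {"reference": [], "live": []})
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        # Assumption: a copy under \winsxs\ is the component store reference copy.
        bucket = "reference" if "\\winsxs\\" in e["path"] else "live"
        by_name[name][bucket].append(e)

    findings = []
    for name, groups in by_name.items():
        for live in groups["live"]:
            refs = [r for r in groups["reference"] if r["version"] == live["version"]]
            if not refs:
                continue  # no reference copy of this version: nothing to compare
            if live["md5"] in {r["md5"] for r in refs}:
                continue
            findings.append({
                "name": name,
                "path": live["path"],
                "flag": live["flag"],
                "version": live["version"],
                "live_md5": live["md5"],
                "reference_md5s": sorted({r["md5"] for r in refs}),
                "size_delta": live["size"] - refs[0]["size"],
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{f['path']}: MD5 {f['live_md5']} differs from WinSxS copy "
              f"{f['reference_md5s']} (size delta {f['size_delta']:+d} bytes)")
```

    On the lines above it reports only c:\windows\system32\services.exe, 512 bytes larger than the WinSxS copy with the same version string. A mismatch is a lead rather than a verdict, as the log's own note about unsigned files says; confirming it with a second opinion on the file itself, as the thread does with VirusTotal, is the follow-up it calls for.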
     
  21. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Re-run System Look with the same code as in my reply #90.
     
  22. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    SystemLook 30.07.11 by jpshortstuff
    Log created at 01:45 on 08/06/2012 by Ägaren
    Administrator - Elevation successful

    ========== folderfind ==========

    Searching for "{6ccbf812-07b7-4726-bef0-b612a153384e}"
    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d--hs-- [12:37 15/05/2012]
    C:\_OTL\MovedFiles\06032012_202914\C_Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d------ [18:29 03/06/2012]

    -= EOF =-
     
  23. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Are you sure you ran my script in Combofix or you just ran Combofix?
    If you did run my script please re-run it from Safe Mode.
     
  24. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    I put the text in notepad saved as CFScript.txt, then moved it to the combofix.exe and it said like open with combofix. Will try in safe mode then.
     
  25. cschrille

    cschrille TS Enthusiast Topic Starter Posts: 181

    Great, now Combofix won't open again. Ugh.
    Is there any other program which can do the same thing as Combofix?
     

