TechSpot

Some help with my computer?

Solved
By Allst-half
Oct 23, 2012
  1. Hello,

    In the last few days I have been troubled by some strange behaviour of my stationary PC.
    It started with a red symbol on the Microsoft Security Essentials in the taskbar. My newly
    written emails couldn't be sent out, and when checking, I found the firewall had been turned off by something unknown. I started looking around on the net for some help and I visited Microsoft to download fixes to turn the firewall back on. Then the error codes started to appear. Whatever I did, I was blocked from any form of execution.

    I downloaded AVG Anti-Virus Free version, and when scanning the whole system, threats were
    discovered: Sirefef.AO, .AG, .AB and so on. These seemed to be removed, but still the firewall
    was blocked from being turned on. I then did new checks with MSE, which did find more
    of the same sort, apparently removing the unwanted objects. But not for long. I then decided to
    search on YouTube for answers on how to remove viruses that the anti-virus software was unable to remove. But the solutions were advanced, involving the registry and so on. I didn't dare to mess around.

    Then I found Malwarebytes and ran a scan with that tool. Again threats were detected.
    It seemed the virus had infested the security system of my PC, giving all the orders now.

    I was thinking of formatting the C: partition, but in safe mode other errors appeared, making it impossible to get access even to restore the system to previous settings, which by the way were only from a few days back in time. Messages like System recovery error 0x80070057 and 0x80070020 appeared when trying to make a recovery CD/DVD.
    I also discovered that my Windows 7 HP 32-bit OS, Norwegian version, was only on the HDD; there was no DVD or CD to install with. I have now ordered a new OEM version, and hope it arrives soon.

    If I'm to rescue my programs and materials on that particular drive, my only hope for this problem is to get some help from an expert who knows a lot about malware and viruses, and how they operate. Otherwise I'll have to format the drive and make a new install of Win7.

    Perhaps there are some good souls in this world too :'(
     
  2. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Thank you so much for helping me with the PC troubles. I'm most grateful and appreciate your efforts tremendously.

    Before I post the logs and reports from the different software runs, I would like to make a few comments. Perhaps this will help a bit to understand.

    1 day before I contacted the TechSpot forum, I removed the 2 internal extra HDDs that contained a lot of programs that I was afraid to lose if they were contaminated or if a formatting process were to go wrong.
    It is of course a possibility that there might be infections on one or both of these drives, as they were
    operational when the virus attacks started. I do not want to attach them at this point. I figure if the firewalls
    and detection system work properly, then the chances are good to get these cleaned without any further
    damage. If I attach them now, many years of work can be lost in the process, since the system is very
    unstable.

    I must also add that it is only plain luck that I'm able to operate from the infected machine, as I have
    sometimes had to reset the computer 10-12 times before I got through to a "normal" Windows. Sometimes the icons were frozen, other times there was just a black screen. I cannot turn the net connection off in Windows, so when this was necessary, I had to run Safe Mode without networking.

    Fortunately I have a laptop with Vista installed, which has been a great help for reading your instructions while in
    a disconnected environment with my stationary PC.

    I ran a scan with Microsoft Security Essentials, which had been installed at an earlier point. As I
    understood it, there was no need to send any log from such a scan, but maybe I have misunderstood the
    many instructions. In any case the program registered another 2 severe threats. This time:
    Trojan:Win32/Dynamer!dtc Removed
    Virus:DOS/TaiPan_666.B Disinfected

    I found a very suspect ghosted dir in the "All users" dir:
    {D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}

    Now the logs!
    Malwarebytes: protection-log-2012-10-24.txt

    2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Starting protection
    2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Protection started successfully
    2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Starting IP protection
    2012/10/24 05:16:45 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
    2012/10/24 06:10:03 +0200 UD6 Allan MESSAGE Starting protection
    2012/10/24 06:10:04 +0200 UD6 Allan MESSAGE Protection started successfully
    2012/10/24 06:10:04 +0200 UD6 Allan MESSAGE Starting IP protection
    2012/10/24 06:10:04 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

    --------------------------------------------------------------------------------------------------------------------------------------

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-24 06:02:43
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD6401AALS-00L3B2 rev.01.03B01
    Running: ww4t5lph.exe; Driver: C:\Users\Allan\AppData\Local\Temp\pgldapow.sys

    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8365A3C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83693D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    DDS (Ver_2012-10-19.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421
    Run by Allan at 6:15:44 on 2012-10-24
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.47.1044.18.3579.2363 [GMT 2:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ================
    .
    C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
    C:\Program Files\AVG\AVG2013\avgcsrvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\AVG\AVG2013\avgidsagent.exe
    C:\Program Files\AVG\AVG2013\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Windows\system32\vmnat.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\vmnetdhcp.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\AVG\AVG2013\avgui.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG2013\avgnsx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG2013\avgemcx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Nero\Update\NASvc.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.online.no/
    uSearch Page = hxxp://no.woofi.info/
    mStart Page = hxxp://no.woofi.info/
    mSearch Page = hxxp://no.woofi.info/
    mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
    uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: CescrtHlpr Object: {64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.3\AVG Secure Search_toolbar.dll
    BHO: CatcherBHO Class: {9B4DF450-DCC7-4B07-935D-0CD757A64583} -
    BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
    TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: facemoods Toolbar: {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.3\AVG Secure Search_toolbar.dll
    uRun: [DAEMON Tools Lite] "g:\utilities\daemon tools lite\DTLite.exe" -autorun
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
    mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
    mRun: [NBAgent] "c:\program files\nero\nero 11\nero backitup\NBAgent.exe" /WinStart
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
    mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    LSP: mswsock.dll
    LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 193.213.112.4 130.67.15.198
    TCP: Interfaces\{48598603-491D-4990-AD40-82492B2B11EA} : DHCPNameServer = 193.213.112.4 130.67.15.198
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.2.0\ViProtocol.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    LSA: Authentication Packages = msv1_0 relog_ap
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-9-21 55008]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
    R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-10-5 93536]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
    R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-12-28 56496]
    R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-12-28 12464]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-9-13 177504]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-10-20 26984]
    R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2011-3-10 3026]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-10-2 5783672]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-2 193568]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-23 399432]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-23 676936]
    R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-8 2214504]
    R2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesService32.exe [2012-8-23 1532280]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
    R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [2012-10-20 711112]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-23 22856]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesDriver32.sys [2012-7-4 10088]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 rrkf;rrkf;c:\users\allan\appdata\roaming\61t6w.bat [2012-10-17 86]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-5 250808]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 hidmini;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidmini.sys [2010-10-14 3712]
    S3 hidtopgun;HID Minidriver for EMS TopGun;c:\windows\system32\drivers\hidtopgun.sys [2010-10-20 25728]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 99272]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
    S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2010-11-10 176640]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-22 1343400]
    .
    =============== Created Last 30 ================
    .
    2012-10-23 21:46:26 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bc4c46d3-f603-40e9-897c-dda88ce28034}\mpengine.dll
    2012-10-23 01:58:05 32120 ----a-w- c:\windows\system32\TURegOpt.exe
    2012-10-23 01:58:03 21880 ----a-w- c:\windows\system32\authuitu.dll
    2012-10-23 01:57:34 -------- d-----w- c:\users\allan\appdata\roaming\AVG
    2012-10-23 01:57:01 -------- d-----w- c:\programdata\AVG
    2012-10-23 01:56:32 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2012-10-23 00:44:17 -------- d-----w- c:\users\allan\appdata\roaming\Malwarebytes
    2012-10-23 00:44:00 -------- d-----w- c:\programdata\Malwarebytes
    2012-10-23 00:43:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-10-23 00:43:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-10-22 15:50:52 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-10-20 18:21:17 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-10-20 15:18:05 19076 ----a-w- C:\FixitRegBackup.reg
    2012-10-20 13:53:31 -------- d-----w- c:\users\allan\appdata\roaming\AVG2013
    2012-10-20 13:52:29 -------- d-----w- c:\users\allan\appdata\local\AVG Secure Search
    2012-10-20 13:52:21 -------- d-----w- c:\users\allan\appdata\roaming\TuneUp Software
    2012-10-20 13:52:19 -------- d-----w- c:\programdata\AVG Secure Search
    2012-10-20 13:52:10 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-10-20 13:52:09 -------- d-----w- c:\program files\common files\AVG Secure Search
    2012-10-20 13:52:09 -------- d-----w- c:\program files\AVG Secure Search
    2012-10-20 13:51:34 -------- d--h--w- C:\$AVG
    2012-10-20 13:51:34 -------- d-----w- c:\programdata\AVG2013
    2012-10-20 13:51:28 -------- d-----w- c:\program files\AVG
    2012-10-20 13:49:20 -------- d--h--w- c:\programdata\Common Files
    2012-10-20 13:49:20 -------- d-----w- c:\users\allan\appdata\local\MFAData
    2012-10-20 13:49:20 -------- d-----w- c:\users\allan\appdata\local\Avg2013
    2012-10-20 13:49:20 -------- d-----w- c:\programdata\MFAData
    2012-10-16 23:42:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-10-16 23:28:20 86 ---h--w- c:\users\allan\appdata\roaming\61t6w.bat
    2012-10-02 01:30:38 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    .
    ==================== Find3M ====================
    .
    2012-10-20 18:21:09 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-10-08 22:01:11 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-08 22:01:11 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-21 01:46:06 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-09-21 01:46:00 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2012-09-21 01:45:54 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    2012-09-21 01:45:52 55008 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-09-14 01:05:20 35552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2012-09-13 01:11:20 177504 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2012-08-30 20:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-08-30 20:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-07 14:18:24 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 6:16:43,11 ===============
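    The two logs in this post already carry the indicators a responder would flag before touching the machine: the Malwarebytes IP-protection failure (FwpmEngineOpen0, error 1753), a service (`rrkf`) whose image is a `.bat` file in the user's roaming profile, two hidden+system directories created in the same week (a GUID-named one under ProgramData and one literally called `%APPDATA%` under system32), both security products reporting Disabled, and UAC switched off by policy. The script below is an added example, not part of this thread and not code from Malwarebytes or the DDS authors: it runs a handful of heuristic checks (my own rules, not definitions from either tool) over lines copied in shape from the logs above and embedded as constructed sample input. Error code 1753 is EPT_S_NOT_REGISTERED; reading it as "the Base Filtering Engine (BFE) is not running, so Windows Firewall, which depends on BFE, cannot start either" is an inference from the error's meaning and the firewall symptom in the first post.

```python
"""Triage rules for the Malwarebytes protection log and the DDS report in this
thread.  Added example: not a tool from the thread, from Malwarebytes or from the
DDS authors; every rule below is the editor's own heuristic."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule detail")

# Constructed sample input: a few lines copied in shape from the logs above.
MBAM_LOG = """\
2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Protection started successfully
2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Starting IP protection
2012/10/24 05:16:45 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
"""

DDS_LOG = r"""AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
S2 rrkf;rrkf;c:\users\allan\appdata\roaming\61t6w.bat [2012-10-17 86]
2012-10-23 01:56:32 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-16 23:42:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-16 23:28:20 86 ---h--w- c:\users\allan\appdata\roaming\61t6w.bat
2012-10-23 00:43:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
"""

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# DDS line shapes handled: "S2 name;display name;image path [date size]",
# "YYYY-MM-DD HH:MM:SS size attrs path", "mPolicies-System: Name = dword:N",
# "AV: Product *Disabled/Updated* {guid}".
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+?)\s+\[")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([-a-z]{8})\s+(.+)$")
POLICY_RE = re.compile(r"^[um]Policies-System:\s+(\w+)\s+=\s+dword:(\d+)")
PRODUCT_RE = re.compile(r"^(?:AV|SP|FW):\s+(.+?)\s+\*Disabled")
ENVVAR_RE = re.compile(r"%[A-Za-z_]+%")
WFP_RE = re.compile(r"ERROR .*FwpmEngineOpen0 failed with error code (\d+)")


def triage_mbam(text):
    """Explain Malwarebytes 'IP protection failed' errors in terms of Windows services."""
    findings = []
    for line in text.splitlines():
        m = WFP_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        if code == 1753:
            # 1753 = EPT_S_NOT_REGISTERED: the RPC endpoint FwpmEngineOpen0 talks to
            # (the Base Filtering Engine) is not registered, i.e. BFE is not running.
            # Windows Firewall (MpsSvc) depends on BFE, which matches the first post.
            detail = "FwpmEngineOpen0 error 1753 (EPT_S_NOT_REGISTERED): BFE service not reachable"
        else:
            detail = f"FwpmEngineOpen0 error {code}"
        findings.append(Finding("wfp-engine-open-failed", detail))
    return findings


def triage_dds(text):
    """Scan DDS report lines for the indicators an analyst checks first."""
    findings = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            findings.append(Finding("security-product-disabled", m.group(1)))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            # EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates admins
            # silently.  Either removes a barrier code running as the user must cross.
            if (name, value) in (("EnableLUA", 0), ("ConsentPromptBehaviorAdmin", 0)):
                findings.append(Finding("uac-weakened", f"{name} = {value}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group(1).strip('"').lower()
            # Services normally live under Program Files or System32, not in a profile.
            if "\\users\\" in image or "\\appdata\\" in image:
                findings.append(Finding("service-in-user-profile", image))
            if image.endswith(SCRIPT_EXT):
                findings.append(Finding("script-service-image", image))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            hidden, system = "h" in attrs, "s" in attrs
            # Hidden+system is the attribute pair that hides an object from Explorer
            # even with "show hidden files" on; a folder literally named like an
            # environment variable is a directory that no installer should create.
            if hidden and system:
                findings.append(Finding("hidden-system-object", path))
            if ENVVAR_RE.search(path):
                findings.append(Finding("env-var-literal-name", path))
            if hidden and path.lower().endswith(SCRIPT_EXT):
                findings.append(Finding("hidden-script-file", path))
    return findings


def summarize(findings):
    """Count findings per rule so the shape of the report is visible at a glance."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in triage_mbam(MBAM_LOG) + triage_dds(DDS_LOG):
        print(f"[{f.rule}] {f.detail}")
    print(dict(summarize(triage_dds(DDS_LOG))))
```

    Paste the full logs into the two strings (or read them from files) to run the same rules over the whole report. The hidden+system rule deliberately keys on the attribute flags rather than on the GUID-shaped name, because GUID-named folders under ProgramData are created by plenty of legitimate installers (the MSE definition-update folder in the same "Created Last 30" listing is one); it is the `d-sh--w-` pair on a freshly created folder, together with the `%APPDATA%` name under system32, that makes those two entries stand out.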
     
  4. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    This is the DDS attach text (there were no OTL.txt or Extras.txt from the DDS log as mentioned in the removal instructions)
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-19.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 07.03.2010 01:39:22
    System Uptime: 24.10.2012 06:09:04 (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | P55-UD6
    Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | Socket 1156 | 2870/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 146 GiB total, 40,915 GiB free.
    D: is FIXED (NTFS) - 117 GiB total, 100,741 GiB free.
    E: is FIXED (NTFS) - 332 GiB total, 51,956 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
    Description: AM1L1FI4 IDE Controller
    Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_093557B6&REV_01\4&5D18F2DF&0
    Manufacturer: (Standard mass storage controllers)
    Name: AM1L1FI4 IDE Controller
    PNP Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_093557B6&REV_01\4&5D18F2DF&0
    Service: acr564ru
    .
    ==== System Restore Points ===================
    .
    RP279: 24.10.2012 04:07:38 - Planlagt kontrollpunkt
    .
    ==== Installed Programs ======================
    .
    «Achtung Panzer - Kharkov 1943»
    12noon Display Changer
    3D Rad v7.12
    7-Zip 4.65
    A2 Oasis
    Acronis True Image Home
    Adobe Acrobat Reader 3.02
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 11 ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 8.2.5
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Age of Mythology
    Age of Mythology - The Titans Expansion
    Any Video Converter 3.2.2
    Any Video Converter Professional 3.1.1
    AnyToISO
    Ask Toolbar
    Ask Toolbar Updater
    Atari800Win PLus 4.0
    µTorrent
    AVG 2013
    AVG PC TuneUp
    AVG PC TuneUp Language Pack (en-US)
    BeebEm V4.13
    Blockbuster Ent., 2nd Ed.
    calibre
    CBR to PDF converter version 2.5
    CCS64 V3.8
    CDisplay 1.8
    CinemaForge
    CopyFilenames 3.1
    D-Fend Reloaded 1.1.0 (deinstall)
    D3DX10
    DAEMON Tools Lite
    DebugMode Wax 2.0
    Defenstar
    Defenstar version 1.1
    DemonStar Full v3.25
    Do It Again
    Driver Whiz
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EMU7800 v0.95
    Eye Candy 4000
    Facemoods Toolbar
    Falcon 4.0: Allied Force
    FileZilla Client 3.5.3
    Flight Simulator X
    Flight Simulator X Service Pack 1
    Fraps (remove only)
    Free Audio Converter 4.1
    Free Screen To Video V 1.2
    Gamebase 264 version 0.6
    GameBase Amiga v1.6
    GameBase v1.2
    Gigabyte Raid Configurer
    Half-Life Source
    HD Tune Pro 4.01
    High-Definition Video Playback
    Hoxs64
    Hurrican 1.0.0.4
    Java Auto Updater
    Java(TM) 6 Update 37
    JDownloader 0.9
    kat5200 version 0.6.2
    Khameleon version 2011-08-26
    Magic ISO Maker v5.5 (build 0281)
    Malwarebytes Anti-Malware versjon 1.65.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Client Profile NOR Language Pack
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Extended NOR Language Pack
    Microsoft Age of Empires
    Microsoft Age of Empires II
    Microsoft Application Error Reporting
    Microsoft Flight Simulator X
    Microsoft Flight Simulator X: Acceleration
    Microsoft Office Excel Viewer
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    ModPlug Player
    Moyea YouTube FLV Downloader version: 3.1.2.26
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML4 Parser
    Nero 11
    Nero 11 Disc Menus Basic
    Nero 11 Effects Basic
    Nero 11 Image Samples
    Nero 11 Kwik Themes Basic
    Nero 11 PiP Effects Basic
    Nero Audio Pack 1
    Nero BackItUp 11
    Nero BackItUp 11 Help (CHM)
    Nero Backup Drivers
    Nero Burning ROM 11
    Nero Burning ROM 11 Help (CHM)
    Nero ControlCenter 11
    Nero ControlCenter 11 Help (CHM)
    Nero Core Components 11
    Nero CoverDesigner 11
    Nero CoverDesigner 11 Help (CHM)
    Nero Express 11
    Nero Express 11 Help (CHM)
    Nero Kwik Media
    Nero Kwik Media Help (CHM)
    Nero Recode 11
    Nero Recode 11 Help (CHM)
    Nero RescueAgent 11
    Nero RescueAgent 11 Help (CHM)
    Nero SoundTrax 11
    Nero SoundTrax 11 Help (CHM)
    Nero Update
    Nero Video 11
    Nero Video 11 Help (CHM)
    Nero WaveEditor 11
    Nero WaveEditor 11 Help (CHM)
    nero.prerequisites.msi
    NVIDIA Display Control Panel
    NVIDIA Grafikkdriver 275.33
    NVIDIA Install Application
    NVIDIA kontrollpanel 275.33
    NVIDIA oppdateringer 1.3.5
    NVIDIA PhysX
    NVIDIA Update Components
    PCSX2 - Playstation 2 Emulator
    PDF Reader 3
    PDF Settings
    PJP's JoyIDs
    PowerISO
    Project64 1.6
    PVSonyDll
    Realtek High Definition Audio Driver
    Red Alert Themes
    Red Alert Windows 95
    RPCEmu
    Saitek SD6 Programming Software 6.6.6.9
    Samsung_MonSetup
    Secret Weapons Over Normandy
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile NOR Language Pack (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile NOR Language Pack (KB2518870)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    SolveigMM AVI Trimmer
    Spectaculator 7.0.1
    Starcraft
    TED Notepad
    TextMaker Viewer
    The GameBase64 Collection v07
    The KMPlayer (remove only)
    The Settlers IV
    tools-freebsd
    tools-linux
    tools-netware
    tools-solaris
    tools-windows
    tools-winPre2k
    Total Annihilation
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    VB64
    Vcc Color Computer 3 Emulator Ver 1.42
    VLC media player 1.1.7
    VMware Workstation
    welcome
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Fotogalleri
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR archiver
    WinUAE 1.5.0
    Xvid 1.1.3 final uninstall
    ZD Soft Game Recorder
    Zip Motion Block Video codec (Remove Only)
    .
    ==== End Of File ===========================
     
  5. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    MBAM log is incorrect.
    Please redo.
     
  6. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Sending the 2 last logs from Malwarebytes. It doesn't seem the program could find any trouble, but my computer
    still has to be restarted because Windows 7 is freezing up on icons and taskbars. Even Task Manager won't run, so I'll have to physically turn off the PC each time.

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.10.22.06
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Allan :: UD6 [administrator]
    Protection: Enabled
    24.10.2012 05:18:54
    mbam-log-2012-10-24 (05-18-54).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 248066
    Time elapsed: 3 minute(s), 49 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
    ----------------------------------------------------------------------------------------------
    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.10.22.06
    Windows 7 Service Pack 1 x86 NTFS (Safe Mode)
    Internet Explorer 9.0.8112.16421
    Allan :: UD6 [administrator]
    Protection: Disabled
    24.10.2012 18:12:49
    mbam-log-2012-10-24 (18-12-49).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 245610
    Time elapsed: 2 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  7. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  8. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    On top of that, when the PC is working, the firewall can't be turned on; I get the error message 0x8007042c. Perhaps it has something to do with MSE, AVG or Malwarebytes running.

    I was able to make a system repair disk though, which earlier was blocked with another error message.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,080   +258

  10. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    OK! I have deleted AVG now. Firewall still won't be turned on with the same error message appearing.
     
  11. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 2

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Remove -- Date : 10/24/2012 19:21:04
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> REMOVED
    [Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L\00000004.@ --> REMOVED
    [Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L\201d3dde --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> REMOVED
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
     
     
  12. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 1

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Scan -- Date : 10/24/2012 19:20:01
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> FOUND
    [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> FOUND
    [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> FOUND
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt
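    The two RogueKiller reports above give a compact list of what this ZeroAccess (Sirefef) variant changed on the host: the UAC policy values EnableLUA and ConsentPromptBehaviorAdmin set to 0, hidden payload directories under $Recycle.Bin\<SID>\$<32 hex>\U and \L, and a driver-level IRP hook on mountmgr.sys. The FRST log later in the thread adds a service named rrkf whose ImagePath is a .bat file in a user profile, and a CLSID whose InprocServer32 default is flagged as fastprox.dll. The script below is an added example written for this thread; it is not code from the thread, from RogueKiller or from FRST. It re-checks those user-mode indicators read-only so you can confirm a cleanup actually stuck after a reboot. The name and path patterns it matches are assumptions taken from the reports above, not a complete signature, and the mountmgr.sys IRP hook cannot be seen from PowerShell at all: a kernel-level scanner such as aswMBR or GMER is still needed for that.

```powershell
# Added example (not from the thread, RogueKiller or FRST): read-only check of a
# Windows host for the ZeroAccess indicators the RogueKiller/FRST reports show.
# Run from an elevated PowerShell prompt (2.0 or later). Nothing is deleted.
# Patterns are assumptions taken from those reports; review every hit.

function Get-ZeroAccessIndicators {
    $findings = @()

    # 1. UAC policy tampering: RogueKiller found EnableLUA (0) and
    #    ConsentPromptBehaviorAdmin (0), i.e. UAC off and silent elevation.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ($p -ne $null) {
        if ($p.EnableLUA -eq 0) { $findings += "UAC disabled: $pol\EnableLUA = 0" }
        if ($p.ConsentPromptBehaviorAdmin -eq 0) {
            $findings += "Silent admin elevation: $pol\ConsentPromptBehaviorAdmin = 0"
        }
    }

    # 2. Hidden payload store: <drive>\$Recycle.Bin\<SID>\$<32 hex>\U and \L,
    #    the layout RogueKiller removed. Checked on every fixed disk (DriveType 3).
    foreach ($disk in (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')) {
        $rb = Join-Path ($disk.DeviceID + '\') '$Recycle.Bin'
        if (-not (Test-Path -LiteralPath $rb)) { continue }
        Get-ChildItem -LiteralPath $rb -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.PSIsContainer -and $_.Name -match '^S-1-5-' } |
          ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' }
          } |
          ForEach-Object {
            foreach ($sub in 'U', 'L') {
                $d = Join-Path $_.FullName $sub
                if (Test-Path -LiteralPath $d) { $findings += "ZeroAccess store: $d" }
            }
          }
    }

    # 3. Services/drivers whose ImagePath sits in a user profile or is a batch file
    #    (FRST listed "rrkf" -> C:\Users\Allan\AppData\Roaming\61t6w.bat). Legit
    #    per-user tools can match too, so this is a triage list, not a verdict.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ip = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -and ($ip -match '(?i)\\Users\\|\\Documents and Settings\\|\\AppData\\|\\\$Recycle\.Bin\\|\.bat\b')) {
            $findings += "Suspicious service/driver '$($_.PSChildName)': $ip"
        }
      }

    # 4. COM hijack. FRST flagged an InprocServer32 default of "fastprox.dll" under a
    #    CLSID. Heuristic (assumption): flag any InprocServer32 default that names
    #    fastprox.dll but does not resolve into %SystemRoot%\System32\wbem, or that
    #    points to a GLOBALROOT or $Recycle.Bin path.
    $wbem = Join-Path $env:SystemRoot 'System32\wbem'
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $k = Join-Path $_.PSPath 'InprocServer32'
            $v = (Get-ItemProperty -LiteralPath $k -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
            if (-not $v) { return }
            $x = ([Environment]::ExpandEnvironmentVariables([string]$v)).Trim('"')
            $namesFastprox = $x -match '(?i)fastprox\.dll'
            $inWbemDir     = $x.StartsWith($wbem, [StringComparison]::OrdinalIgnoreCase)
            if (($namesFastprox -and -not $inWbemDir) -or ($x -match '(?i)globalroot|\$Recycle\.Bin')) {
                $findings += "CLSID hijack candidate $($_.PSChildName): InprocServer32 = $v"
            }
        }
    }

    return $findings
}

$hits = @(Get-ZeroAccessIndicators)
if ($hits.Count -eq 0) { 'No ZeroAccess indicators found.' } else { $hits }
```

    Run it once before cleanup to see the same picture RogueKiller painted, and again after the reboot: ZeroAccess re-creates its $Recycle.Bin store and re-zeroes the UAC values if any component survived, so an empty second run is the evidence that matters. A hit in check 3 or 4 on a machine that is otherwise clean deserves a look at the file's signature and timestamp before anything is deleted.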
     
  13. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-24 19:27:39
    -----------------------------
    19:27:39.877 OS Version: Windows 6.1.7601 Service Pack 1
    19:27:39.877 Number of processors: 4 586 0x1E05
    19:27:39.878 ComputerName: UD6 UserName:
    19:27:40.654 Initialize success
    19:28:45.084 AVAST engine defs: 12102400
    19:29:20.317 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
    19:29:20.319 Disk 0 Vendor: WDC_WD6401AALS-00L3B2 01.03B01 Size: 610480MB BusType: 11
    19:29:20.327 Disk 0 MBR read successfully
    19:29:20.329 Disk 0 MBR scan
    19:29:20.332 Disk 0 Windows 7 default MBR code
    19:29:20.336 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    19:29:20.365 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 149900 MB offset 206848
    19:29:20.410 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 120000 MB offset 307202048
    19:29:20.446 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 340478 MB offset 552962048
    19:29:20.485 Disk 0 scanning sectors +1250260992
    19:29:20.564 Disk 0 scanning C:\Windows\system32\drivers
    19:29:35.088 Service scanning
    19:29:43.109 Service MpKslb3f0ff26 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BC4C46D3-F603-40E9-897C-DDA88CE28034}\MpKslb3f0ff26.sys **LOCKED** 32
    19:29:50.768 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    19:29:56.935 Modules scanning
    19:30:27.924 Disk 0 trace - called modules:
    19:30:27.933 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86ce91e8]<<
    19:30:27.938 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87efc030]
    19:30:27.942 3 CLASSPNP.SYS[8e25f59e] -> nt!IofCallDriver -> [0x86cb9918]
    19:30:27.946 5 ACPI.sys[8d79e3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x87aed908]
    19:30:27.951 \Driver\atapi[0x87a6fac0] -> IRP_MJ_CREATE -> 0x86ce91e8
    19:30:28.572 AVAST engine scan C:\Windows
    19:30:33.973 AVAST engine scan C:\Windows\system32
    19:33:04.055 AVAST engine scan C:\Windows\system32\drivers
    19:33:20.069 AVAST engine scan C:\Users\Allan
    19:38:24.064 AVAST engine scan C:\ProgramData
    19:39:15.970 Scan finished successfully
    19:39:45.226 Disk 0 MBR has been saved successfully to "C:\Users\Allan\Desktop\MBR.dat"
    19:39:45.278 The log file has been saved successfully to "C:\Users\Allan\Desktop\aswMBR.txt"
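    aswMBR saved a copy of the boot sector as MBR.dat (512 bytes, as the FRST file listing later in the thread shows), and both it and RogueKiller reported the same four-entry partition table plus "Windows 7 default MBR code". The following parser is an added example for this thread, not code from aswMBR, RogueKiller or the poster; it reads that file, checks the boot signature, hashes the whole sector and the 440-byte bootstrap area, and decodes the partition entries so the output can be compared line by line with the tool reports above. It assumes PowerShell 2.0 or later and the default desktop location of MBR.dat.

```powershell
# Added example (not from the thread or from aswMBR/RogueKiller): parse the
# 512-byte MBR.dat that aswMBR saved and report sector hash, boot-code hash and
# the partition table in the shape the tools printed above. PowerShell 2.0+.

function Read-MbrSector {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 512) { throw "$Path is $($bytes.Length) bytes; an MBR sector is 512" }
    return [byte[]]($bytes[0..511])
}

function Get-Md5Hex {
    param([Parameter(Mandatory=$true)][byte[]]$Data)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    return ([BitConverter]::ToString($md5.ComputeHash($Data))).Replace('-', '').ToLower()
}

function Get-MbrReport {
    param([Parameter(Mandatory=$true)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'Expected exactly 512 bytes' }
    # Layout: bytes 0-439 bootstrap code, 440-443 disk signature, 446-509 four
    # 16-byte partition entries, 510-511 boot signature 0x55 0xAA.
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }                      # unused slot
        $parts += New-Object PSObject -Property @{
            Index       = $i
            Active      = ($Sector[$o] -eq 0x80)           # 0x80 bootable, 0x00 not
            Type        = ('0x{0:X2}' -f [int]$type)       # 0x07 = NTFS/HPFS
            StartSector = [BitConverter]::ToUInt32($Sector, $o + 8)   # little-endian LBA
            Sectors     = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    return New-Object PSObject -Property @{
        ValidSignature = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        SectorMd5      = Get-Md5Hex -Data $Sector
        BootCodeMd5    = Get-Md5Hex -Data ([byte[]]($Sector[0..439]))
        Partitions     = $parts
    }
}

# Usage: MBR.dat where aswMBR left it; adjust the path if you moved the file.
$report = Get-MbrReport -Sector (Read-MbrSector -Path "$env:USERPROFILE\Desktop\MBR.dat")
"Boot signature OK: $($report.ValidSignature)"
"[MBR] sector md5    : $($report.SectorMd5)"
"[BSP] boot code md5 : $($report.BootCodeMd5)"
$report.Partitions |
  Select-Object Index, Active, Type, StartSector, Sectors,
    @{ n = 'SizeMB'; e = { [math]::Round($_.Sectors * 512 / 1MB) } } |
  Format-Table -AutoSize
```

    On the drive in this thread the first entry should decode as active, type 0x07, start 2048, 204800 sectors (100 MB), matching both reports. The thread does not say which byte ranges RogueKiller feeds into its [MBR] and [BSP] hashes, so do not expect the printed MD5s to equal those lines byte for byte; the useful comparison is between two captures of the same sector (before and after cleanup, or after `bootrec /fixmbr` from the recovery environment), and aswMBR's own verdict of default Windows 7 MBR code is the reference for whether the bootstrap area is still stock.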
     
  14. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Have to run from safe mode with network connection now. Explorer is not able to download web content. Long intervals followed by locking of the scrolling ability inside windows and different pointer icons. Nothing happens when using the right mouse button inside a window, no menu or chance to update the website.
     
  15. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  16. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-10-2012
    Ran by SYSTEM at 25-10-2012 00:37:32
    Running from H:\fix2012
    Windows 7 Home Premium (X86) OS Language: Norwegian Bokmal
    The current controlset is ControlSet003
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-20] ()
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7547424 2009-06-25] (Realtek Semiconductor)
    HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595792 2008-04-09] (Acronis)
    HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [909208 2008-04-09] (Acronis)
    HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [136472 2008-04-09] (Acronis)
    HKLM\...\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [129584 2010-01-22] (VMware, Inc.)
    HKLM\...\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [237568 2009-06-03] (Saitek)
    HKLM\...\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [131072 2009-06-03] (Saitek)
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
    HKLM\...\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I [362200 2011-09-05] (facemoods.com)
    HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2011-09-20] (Nero AG)
    HKLM\...\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup [312376 2011-11-15] (Power Software Ltd)
    HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [x]
    HKLM\...\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [x]
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
    HKU\Allan\...\Run: [DAEMON Tools Lite] "G:\Utilities\Daemon Tools Lite\DTLite.exe" -autorun [x]
    HKU\Allan\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" [321328 2012-02-28] (BitTorrent, Inc.)
    HKU\Allan\...\Policies\system: [LogonHoursAction] 2
    HKU\Allan\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\JEJ\...\Run: [BrowserChoice] "C:\Windows\System32\browserchoice.exe" /run [293376 2010-02-11] (Microsoft Corporation)
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
    Lsa: [Authentication Packages] msv1_0 relog_ap
    ==================== Services (Whitelisted) ===================
    2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [431384 2008-04-09] (Acronis)
    2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
    2 NAUpdate; "C:\Program Files\Nero\Update\NASvc.exe" [641832 2011-09-23] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)
    2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation)
    2 TryAndDecideService; "C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [492896 2008-04-09] ()
    2 TuneUp.UtilitiesSvc; "C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe" [1532280 2012-08-23] (AVG)
    2 VMAuthdService; "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" [113200 2010-01-22] (VMware, Inc.)
    2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [334384 2010-01-22] (VMware, Inc.)
    2 VMUSBArbService; "C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe" [563760 2010-01-22] (VMware, Inc.)
    2 VMware NAT Service; C:\Windows\system32\vmnat.exe [395824 2010-01-22] (VMware, Inc.)
    2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-10-20] ()
    3 ufad-ws60; "C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml [x]
    ==================== Drivers (Whitelisted) ====================
    1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-10-20] (AVG Technologies)
    2 hcmon; \??\C:\Windows\system32\drivers\hcmon.sys [32304 2010-01-22] (VMware, Inc.)
    3 hidmini; C:\Windows\System32\DRIVERS\hidmini.sys [3712 2008-04-21] (Windows (R) Codename Longhorn DDK provider)
    3 hidtopgun; C:\Windows\System32\DRIVERS\hidtopgun.sys [25728 2008-04-21] (Windows (R) Codename Longhorn DDK provider)
    1 hwinterface; C:\Windows\System32\Drivers\hwinterface.sys [3026 2011-03-10] (Logix4u)
    0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [93024 2009-07-17] (JMicron Technology Corp.)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
    2 rrkf; C:\Users\Allan\AppData\Roaming\61t6w.bat [86 2012-10-17] ()
    3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [14080 2009-06-10] (Saitek)
    3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [36992 2009-06-10] (Saitek)
    1 SCDEmu; C:\Windows\System32\Drivers\SCDEmu.sys [112096 2011-11-15] (Power Software Ltd)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [431672 2011-03-19] (Duplex Secure Ltd.)
    0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368480 2010-03-07] (Acronis)
    2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2010-03-07] (Acronis)
    3 TrueSight; \??\C:\Windows\system32\drivers\TrueSight.sys [13952 2012-10-24] ()
    3 TuneUpUtilitiesDrv; \??\C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys [10088 2012-07-04] (TuneUp Software)
    2 vmci; \??\C:\Windows\system32\Drivers\vmci.sys [70704 2010-01-22] (VMware, Inc.)
    3 vmkbd; \??\C:\Windows\system32\drivers\VMkbd.sys [23216 2010-01-22] (VMware, Inc.)
    3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16560 2010-01-22] (VMware, Inc.)
    2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [36400 2010-01-22] (VMware, Inc.)
    2 VMnetuserif; \??\C:\Windows\system32\drivers\vmnetuserif.sys [26288 2010-01-22] (VMware, Inc.)
    3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2010-01-22] (VMware, Inc.)
    2 vmx86; \??\C:\Windows\system32\Drivers\vmx86.sys [854192 2010-01-22] (VMware, Inc.)
    2 vstor2-ws60; \??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [22448 2009-10-12] (VMware, Inc.)
    1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [x]
    3 gdrv; \??\C:\Windows\gdrv.sys [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2012-10-25 00:33 - 2012-10-25 00:33 - 00000000 ____D C:\FRST
    2012-10-24 18:39 - 2012-10-24 18:39 - 00002463 ____A C:\Users\Allan\Desktop\aswMBR.txt
    2012-10-24 18:39 - 2012-10-24 18:39 - 00000512 ____A C:\Users\Allan\Desktop\MBR.dat
    2012-10-24 18:27 - 2012-10-24 18:27 - 04731392 ____A (AVAST Software) C:\Users\Allan\Desktop\aswMBR.exe
    2012-10-24 18:21 - 2012-10-24 18:21 - 00003648 ____A C:\Users\Allan\Desktop\RKreport[2].txt
    2012-10-24 18:20 - 2012-10-24 18:20 - 00003336 ____A C:\Users\Allan\Desktop\RKreport[1].txt
    2012-10-24 18:19 - 2012-10-24 18:21 - 00000000 ____D C:\Users\Allan\Desktop\RK_Quarantine
    2012-10-24 18:19 - 2012-10-24 18:19 - 00013952 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-10-24 18:17 - 2012-10-24 18:17 - 01580544 ____A C:\Users\Allan\Desktop\RogueKiller.exe
    2012-10-24 18:08 - 2012-10-24 18:11 - 00488582 ____A C:\Users\Allan\Desktop\avgremover.log
    2012-10-24 18:05 - 2012-10-24 18:05 - 02586752 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
    2012-10-24 05:16 - 2012-10-24 05:16 - 00015834 ____A C:\Users\Allan\Desktop\dds.txt
    2012-10-24 05:16 - 2012-10-24 05:16 - 00008294 ____A C:\Users\Allan\Desktop\attach.txt
    2012-10-24 05:12 - 2012-10-24 05:12 - 00687724 ____R (Swearware) C:\Users\Allan\Desktop\dds.com
    2012-10-24 05:02 - 2012-10-24 05:02 - 00008717 ____A C:\Users\Allan\Desktop\gmer.log
    2012-10-24 04:31 - 2012-10-24 04:31 - 00302592 ____A C:\Users\Allan\Desktop\ww4t5lph.exe
    2012-10-23 04:02 - 2012-10-23 04:02 - 00000632 _RASH C:\Users\Allan\ntuser.pol
    2012-10-23 02:58 - 2012-08-23 10:31 - 00032120 ____A (AVG) C:\Windows\System32\TURegOpt.exe
    2012-10-23 02:58 - 2012-08-23 10:31 - 00021880 ____A (AVG) C:\Windows\System32\authuitu.dll
    2012-10-23 02:57 - 2012-10-23 02:58 - 00000000 ____D C:\Users\All Users\AVG
    2012-10-23 02:57 - 2012-10-23 02:57 - 00002177 ____A C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
    2012-10-23 02:57 - 2012-10-23 02:57 - 00002129 ____A C:\Users\Public\Desktop\AVG PC TuneUp.lnk
    2012-10-23 02:57 - 2012-10-23 02:57 - 00000000 ____D C:\Users\Allan\AppData\Roaming\AVG
    2012-10-23 02:56 - 2012-10-23 02:56 - 00000000 __SHD C:\Users\All Users\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2012-10-23 01:44 - 2012-10-23 01:44 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-10-23 01:44 - 2012-10-23 01:44 - 00000000 ____D C:\Users\Allan\AppData\Roaming\Malwarebytes
    2012-10-23 01:44 - 2012-10-23 01:44 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-10-23 01:43 - 2012-10-23 01:44 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-10-23 01:43 - 2012-09-29 18:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-10-22 17:33 - 2012-10-23 02:55 - 00000000 ____D C:\Users\Allan\Downloads\Antivirus progs
    2012-10-22 16:58 - 2012-10-22 16:58 - 16985648 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\Windows-KB890830-V4.13.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-10-20 19:21 - 2012-10-20 19:21 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00000000 ____D C:\Program Files\Java
    2012-10-20 19:21 - 2012-10-20 19:21 - 00000000 ____D C:\Program Files\Common Files\Java
    2012-10-20 19:20 - 2012-10-20 19:20 - 00000000 ____D C:\Users\All Users\McAfee
    2012-10-20 16:26 - 2012-10-20 16:26 - 11088872 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\mseinstall.exe
    2012-10-20 16:18 - 2012-10-20 16:18 - 00019076 ____A C:\FixitRegBackup.reg
    2012-10-20 16:17 - 2012-10-20 16:17 - 00899584 ____A C:\Users\Allan\Downloads\MicrosoftFixit50535.msi
    2012-10-20 14:52 - 2012-10-24 18:08 - 00000000 ____D C:\Users\All Users\AVG Secure Search
    2012-10-20 14:52 - 2012-10-20 14:52 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
    2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Users\Allan\AppData\Roaming\TuneUp Software
    2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Users\Allan\AppData\Local\AVG Secure Search
    2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
    2012-10-20 14:51 - 2012-10-24 18:11 - 00000000 ____D C:\Program Files\AVG
    2012-10-20 14:51 - 2012-10-20 14:51 - 00000000 ___HD C:\$AVG
    2012-10-20 14:48 - 2012-10-20 14:48 - 04420616 ____A (AVG Technologies) C:\Users\Allan\Downloads\avg_free_stb_all_2013_2741_cnet.exe
    2012-10-20 05:41 - 2012-10-20 05:42 - 00000000 ____D C:\Users\Allan\Documents\TEMP DOCS
    2012-10-17 00:42 - 2012-10-17 00:42 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-10-17 00:28 - 2012-10-17 00:28 - 00090176 ____A C:\Users\Allan\AppData\Roaming\gmzdanb.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00086080 ____A C:\Users\Allan\AppData\Roaming\asfebji.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00060992 ____A C:\Users\Allan\AppData\Roaming\ekseldi.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00000086 ____H C:\Users\Allan\AppData\Roaming\61t6w.bat
    2012-10-17 00:27 - 2012-10-17 00:27 - 00000012 ____A C:\Windows\srun.log
    2012-10-15 02:14 - 2012-10-15 02:24 - 00000000 ____D C:\Users\Allan\Documents\Utskrifter fra bank
    ==================== 3 Months Modified Files ==================
    2012-10-24 21:01 - 2012-05-05 12:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-10-24 20:11 - 2009-07-14 05:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-10-24 20:11 - 2009-07-14 05:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-10-24 20:04 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-24 20:04 - 2009-07-14 05:39 - 00088403 ____A C:\Windows\setupact.log
    2012-10-24 18:39 - 2012-10-24 18:39 - 00002463 ____A C:\Users\Allan\Desktop\aswMBR.txt
    2012-10-24 18:39 - 2012-10-24 18:39 - 00000512 ____A C:\Users\Allan\Desktop\MBR.dat
    2012-10-24 18:27 - 2012-10-24 18:27 - 04731392 ____A (AVAST Software) C:\Users\Allan\Desktop\aswMBR.exe
    2012-10-24 18:21 - 2012-10-24 18:21 - 00003648 ____A C:\Users\Allan\Desktop\RKreport[2].txt
    2012-10-24 18:20 - 2012-10-24 18:20 - 00003336 ____A C:\Users\Allan\Desktop\RKreport[1].txt
    2012-10-24 18:19 - 2012-10-24 18:19 - 00013952 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-10-24 18:17 - 2012-10-24 18:17 - 01580544 ____A C:\Users\Allan\Desktop\RogueKiller.exe
    2012-10-24 18:11 - 2012-10-24 18:08 - 00488582 ____A C:\Users\Allan\Desktop\avgremover.log
    2012-10-24 18:09 - 2010-03-07 01:52 - 00029154 ____A C:\Windows\PFRO.log
    2012-10-24 18:05 - 2012-10-24 18:05 - 02586752 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
    2012-10-24 17:42 - 2010-03-07 01:34 - 01856002 ____A C:\Windows\WindowsUpdate.log
    2012-10-24 05:16 - 2012-10-24 05:16 - 00015834 ____A C:\Users\Allan\Desktop\dds.txt
    2012-10-24 05:16 - 2012-10-24 05:16 - 00008294 ____A C:\Users\Allan\Desktop\attach.txt
    2012-10-24 05:12 - 2012-10-24 05:12 - 00687724 ____R (Swearware) C:\Users\Allan\Desktop\dds.com
    2012-10-24 05:02 - 2012-10-24 05:02 - 00008717 ____A C:\Users\Allan\Desktop\gmer.log
    2012-10-24 04:31 - 2012-10-24 04:31 - 00302592 ____A C:\Users\Allan\Desktop\ww4t5lph.exe
    2012-10-23 04:02 - 2012-10-23 04:02 - 00000632 _RASH C:\Users\Allan\ntuser.pol
    2012-10-23 02:57 - 2012-10-23 02:57 - 00002177 ____A C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
    2012-10-23 02:57 - 2012-10-23 02:57 - 00002129 ____A C:\Users\Public\Desktop\AVG PC TuneUp.lnk
    2012-10-23 01:44 - 2012-10-23 01:44 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-10-22 16:58 - 2012-10-22 16:58 - 16985648 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\Windows-KB890830-V4.13.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-10-20 19:21 - 2012-10-20 19:21 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-10-20 19:21 - 2011-12-24 13:46 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-10-20 16:53 - 2011-03-12 19:44 - 00001912 ____A C:\Windows\epplauncher.mif
    2012-10-20 16:48 - 2009-07-14 08:31 - 00494966 ____A C:\Windows\System32\perfh014.dat
    2012-10-20 16:48 - 2009-07-14 08:31 - 00095282 ____A C:\Windows\System32\perfc014.dat
    2012-10-20 16:26 - 2012-10-20 16:26 - 11088872 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\mseinstall.exe
    2012-10-20 16:18 - 2012-10-20 16:18 - 00019076 ____A C:\FixitRegBackup.reg
    2012-10-20 16:17 - 2012-10-20 16:17 - 00899584 ____A C:\Users\Allan\Downloads\MicrosoftFixit50535.msi
    2012-10-20 15:31 - 2010-03-07 01:45 - 01369214 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-20 15:23 - 2009-07-14 05:53 - 00032560 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-10-20 14:52 - 2012-10-20 14:52 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
    2012-10-20 14:48 - 2012-10-20 14:48 - 04420616 ____A (AVG Technologies) C:\Users\Allan\Downloads\avg_free_stb_all_2013_2741_cnet.exe
    2012-10-19 00:17 - 2010-05-15 09:09 - 00001119 ____A C:\Windows\Sidplay2w.ini
    2012-10-17 00:28 - 2012-10-17 00:28 - 00090176 ____A C:\Users\Allan\AppData\Roaming\gmzdanb.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00086080 ____A C:\Users\Allan\AppData\Roaming\asfebji.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00060992 ____A C:\Users\Allan\AppData\Roaming\ekseldi.dat
    2012-10-17 00:28 - 2012-10-17 00:28 - 00000086 ____H C:\Users\Allan\AppData\Roaming\61t6w.bat
    2012-10-17 00:27 - 2012-10-17 00:27 - 00000012 ____A C:\Windows\srun.log
    2012-10-08 23:01 - 2012-05-05 12:25 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-10-08 23:01 - 2011-06-08 10:41 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-10-06 21:14 - 2011-09-19 13:38 - 00000128 ____A C:\Users\All Users\Tempest 2000.eeprom
    2012-09-29 18:54 - 2012-10-23 01:43 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-09-27 23:32 - 2010-03-07 01:48 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-09-22 21:16 - 2011-10-19 10:45 - 00007606 ____A C:\Users\Allan\AppData\Local\Resmon.ResmonCfg
    2012-09-21 23:50 - 2009-07-14 03:04 - 00000425 ____A C:\Windows\win.ini
    2012-09-10 19:49 - 2009-07-14 05:33 - 02090584 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-30 21:03 - 2012-08-30 21:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 21:03 - 2010-10-24 21:25 - 00099272 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-08-23 10:31 - 2012-10-23 02:58 - 00032120 ____A (AVG) C:\Windows\System32\TURegOpt.exe
    2012-08-23 10:31 - 2012-10-23 02:58 - 00021880 ____A (AVG) C:\Windows\System32\authuitu.dll
    2012-08-07 15:18 - 2010-03-07 01:47 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2012-10-24 03:07:49
    ==================== Memory info ===========================
    Percentage of memory in use: 13%
    Total physical RAM: 4091.3 MB
    Available physical RAM: 3555.73 MB
    Total Pagefile: 4089.57 MB
    Available Pagefile: 3564.18 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1971.2 MB
    ==================== Partitions =============================
    2 Drive c: (W7) (Fixed) (Total:146.39 GB) (Free:40.43 GB) NTFS
    3 Drive e: (W7X64) (Fixed) (Total:117.19 GB) (Free:100.74 GB) NTFS
    4 Drive f: (DATA) (Fixed) (Total:332.5 GB) (Free:51.96 GB) NTFS
    6 Drive h: () (Removable) (Total:7.5 GB) (Free:3.7 GB) FAT32
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disknr. Status Str. Ledig Dyn GPT
    -------- ------------- ------- ------- --- ---
    Disk 0 Tilkoblet 596 G byte 0 byte
    Disk 1 Tilkoblet 7686 M byte 0 byte
    Forlater DiskPart...
    Partitions of Disk 0:
    ===============
    Disk 0 er nå den valgte disken.
    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 100 M 1024 K byte
    Partisjon 2 Primær 146 G 101 M byte
    Partisjon 3 Primær 117 G 146 G byte
    Partisjon 4 Primær 332 G 263 G byte
    Forlater DiskPart...
    =========================================================
    Disk: 0
    Disk 0 er nå den valgte disken.
    Partisjonen 1 er nå den valgte partisjonen.
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Ja
    Forskyvning I byte: 1048576
    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 1 Y System Rese NTFS Partisjon 100 M OK
    Forlater DiskPart...
    =========================================================
    Disk: 0
    Disk 0 er nå den valgte disken.
    Partisjonen 2 er nå den valgte partisjonen.
    Partisjon 2
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 105906176
    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 2 C W7 NTFS Partisjon 146 G OK
    Forlater DiskPart...
    =========================================================
    Disk: 0
    Disk 0 er nå den valgte disken.
    Partisjonen 3 er nå den valgte partisjonen.
    Partisjon 3
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 157287448576
    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 3 E W7X64 NTFS Partisjon 117 G OK
    Forlater DiskPart...
    =========================================================
    Disk: 0
    Disk 0 er nå den valgte disken.
    Partisjonen 4 er nå den valgte partisjonen.
    Partisjon 4
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 283116568576
    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 4 F DATA NTFS Partisjon 332 G OK
    Forlater DiskPart...
    =========================================================
    Partitions of Disk 1:
    ===============
    Disk 1 er nå den valgte disken.
    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 7682 M 4032 K byte
    Forlater DiskPart...
    =========================================================
    Disk: 1
    Disk 1 er nå den valgte disken.
    Partisjonen 1 er nå den valgte partisjonen.
    Partisjon 1
    Type : 0C
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 4128768
    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 5 H FAT32 Flyttbar 7682 M OK
    Forlater DiskPart...
    =========================================================
    Last Boot: 2012-10-18 00:03
    ==================== End Of Log ============================
     
  17. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Farbar Recovery Scan Tool (x86) Version: 21-10-2012
    Ran by SYSTEM at 2012-10-25 00:43:48
    Running from H:\fix2012
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    C:\Windows\System32\services.exe
    [2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    === End Of Search ===
     
  18. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    The recovery option seemed to switch partition letters, so I'm not absolutely sure if the scan was from the C: or D: partition. The system reported more than one OS.
     
  19. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    When trying to run Win7 there is a script error report now. Line 64 - value is 0 or undefined, not a functional object. Code 0.
     
  20. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Re-run RogueKiller and post new log.
    Also update me on computer's issues.
     


  21. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Fixlog text:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-10-2012
    Ran by SYSTEM at 2012-10-25 04:24:57 Run:1
    Running from H:\fix2012
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet003\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
    rrkf service deleted successfully.
    C:\Users\Allan\AppData\Roaming\61t6w.bat moved successfully.
    ==== End of Fixlog ====
     
  22. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    Re-run RogueKiller one more time and post new log.
     
  23. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 3:

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Scan -- Date : 10/25/2012 04:33:01
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: USB Flash Memory USB Device +++++
    --- User ---
    [MBR] 08d4a4ff7771df7294cef168b07ba0fe
    [BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
     
  24. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 4 (after deleting in RogueKiller)

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Remove -- Date : 10/25/2012 04:43:13
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: USB Flash Memory USB Device +++++
    --- User ---
    [MBR] 08d4a4ff7771df7294cef168b07ba0fe
    [BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[4].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt
     
  25. Broni

    Broni Malware Annihilator Posts: 47,080   +258

    Good :)

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    =================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     

