Solved Some help with my computer?

Allst-half

Hello,

In the last few days I have been troubled by some strange behaviour of my stationary PC. It started with a red symbol on Microsoft Security Essentials in the taskbar. My newly written emails couldn't be sent out, and when checking, I found the firewall had been turned off by something unknown. I started looking around on the net for some help and visited Microsoft to download fixes for turning the firewall back on. Then the error codes started to appear. Whatever I did, I was blocked from any form of execution.

I downloaded AVG Anti-Virus Free version, and when scanning the whole system, threats were discovered: Sirefef.AO, .AG, .AB and so on. These seemed to be removed, but the firewall was still blocked from being turned on. I then did new checks with MSE, which did find more of the same sort, apparently removing the unwanted objects. But not for long. I then decided to search on YouTube for answers on how to remove viruses that the anti-virus software was unable to remove. But the solutions were advanced, involving the registry and so on. I didn't dare to mess around.

Then I found Malwarebytes and had a scan with that tool. Again threats were detected. It seemed the virus had infested the security system of my PC, giving all the orders now.

I was thinking of doing a format of the C partition, but in safe mode other errors appeared, making it impossible even to get access to restore the system to previous settings, which by the way were only from a few days back in time. Messages like System recovery error 0x80070057 and 0x80070020 appeared when trying to make a recovery CD/DVD.
I also discovered that my Windows 7 HP 32-bit OS, Norwegian version, was only on the HDD; there was no DVD or CD to install from. I have now ordered a new OEM version, and hope it arrives soon.

If I'm to rescue my programs and materials on that particular drive, my only hope for this problem is to get some help from an expert who knows a lot about malware and viruses and how they operate. Otherwise I'll have to format the drive and make a new install of Win7.

Perhaps there are some good souls in this world too :'(
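The following is an added example (the editor's, not the poster's or the TechSpot helper's) of the kind of first-pass triage a helper does on the logs requested in this thread. It scans lines in the DDS and Malwarebytes format for indicators that match the symptoms described above: protection products reported as disabled, the three UAC policy values set to 0, a service whose image is a script under a user profile, hidden objects under Windows or ProgramData, and the Malwarebytes "FwpmEngineOpen0 failed with error code 1753" message. That last one is worth knowing: Win32 error 1753 is EPT_S_NOT_REGISTERED (the RPC endpoint for the Base Filtering Engine is not registered), which means the BFE service is not running, and the Windows Firewall service cannot start without it. The sample lines are copied from the logs posted later in this thread; the indicator rules and the function names triage and summarize are the editor's own assumptions, not part of DDS or Malwarebytes.

```python
"""Added example, not from the original post: first-pass triage of DDS and
Malwarebytes log lines.  SAMPLE_LOG is copied from logs posted in this
thread; the indicator rules are the editor's own assumptions."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-23 676936]
S2 rrkf;rrkf;c:\users\allan\appdata\roaming\61t6w.bat [2012-10-17 86]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
2012-10-23 01:56:32 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-20 13:51:34 -------- d--h--w- C:\$AVG
2012-10-16 23:42:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-16 23:28:20 86 ---h--w- c:\users\allan\appdata\roaming\61t6w.bat
2012/10/24 05:16:45 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
"""

# DDS service line: "S2 name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[\d")
# DDS "Created Last 30" line: "date time size attrs path" (h in attrs = hidden)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# UAC policy values which, at 0, switch User Account Control off entirely
POLICY_RE = re.compile(r"^mPolicies-System: (EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop) = dword:0$")
# DDS header line for an AV / anti-spyware / firewall product DDS found disabled
PROTECTION_RE = re.compile(r"^(?:AV|SP|FW): (.+?) \*Disabled")
GUID_DIR_RE = re.compile(r"\\programdata\\\{[0-9a-f-]{36}\}$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# Win32 error 1753 = EPT_S_NOT_REGISTERED: FwpmEngineOpen0 reaches the Base
# Filtering Engine over RPC, so BFE is not running; Windows Firewall needs it.
BFE_MARKER = "FwpmEngineOpen0 failed with error code 1753"


def _service_finding(m: "re.Match") -> Dict[str, str]:
    """Flag a service whose image is in a user profile or is a plain script."""
    path = m.group("path").lower()
    reasons = []
    if "\\appdata\\" in path or path.startswith("c:\\users\\"):
        reasons.append("image under a user profile")
    if path.endswith(SCRIPT_EXT):
        reasons.append("image is a script rather than an executable")
    if not reasons:
        return {}
    return {"kind": "suspicious_service", "name": m.group("name"), "detail": "; ".join(reasons)}


def _hidden_finding(m: "re.Match") -> Dict[str, str]:
    """Flag hidden objects in the places this kind of log shows them dropped."""
    attrs, path = m.group("attrs"), m.group("path")
    low = path.lower()
    if "h" not in attrs:
        return {}
    if low.startswith("c:\\windows\\") and "%" in low:
        reason = "hidden object under Windows named like an unexpanded environment variable"
    elif GUID_DIR_RE.search(low):
        reason = "hidden GUID-named directory directly under ProgramData"
    elif "\\appdata\\" in low and low.endswith(SCRIPT_EXT):
        reason = "hidden script in a user profile"
    else:
        return {}  # hidden but unremarkable here, e.g. a vendor directory like C:\$AVG
    return {"kind": "hidden_path", "name": path, "detail": reason}


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per indicator line; unremarkable lines yield nothing."""
    findings: List[Dict[str, str]] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if BFE_MARKER in line:
            findings.append({"kind": "bfe_unreachable", "name": "BFE",
                             "detail": "Base Filtering Engine not running; firewall cannot start"})
            continue
        for regex, kind in ((PROTECTION_RE, "protection_disabled"), (POLICY_RE, "uac_disabled")):
            m = regex.match(line)
            if m:
                findings.append({"kind": kind, "name": m.group(1), "detail": line})
                break
        else:
            m = SERVICE_RE.match(line)
            f = _service_finding(m) if m else {}
            if not f:
                m = CREATED_RE.match(line)
                f = _hidden_finding(m) if m else {}
            if f:
                findings.append(f)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick read of how bad the log looks."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:20} {f['name']:48} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as a script it prints one line per indicator and a count per kind. The hidden-object rule is deliberately narrow (C:\$AVG is hidden too and is not flagged) so the output stays short enough to read; the service rule flags the rrkf entry twice over, once for living under AppData and once for being a .bat file, which is what makes it stand out in the real log.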
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Thank you so much for helping me with the PC troubles. I'm most grateful and appreciate your efforts tremendously.

Before I post the logs and reports from the different software runs, I would like to make a few comments. Perhaps this will help a bit to understand.

One day before I contacted the TechSpot forum, I removed the 2 extra internal HDDs that contained a lot of programs that I was afraid to lose if they were contaminated or if a formatting process were to go wrong. It is of course a possibility that there might be infections on one or both of these drives, as they were operational when the virus attacks started. I do not want to attach them at this point. I figure that if the firewalls and detection system work properly, then the chances are good of getting these cleaned without any further damage. If I attach them now, many years of work can be lost in the process, since the system is very unstable.

I must also add that it is only plain luck that I'm able to operate from the infected machine, as I have sometimes had to reset the computer 10-12 times before I got through to a "normal" Windows. Sometimes the icons were frozen, other times there was just a black screen. I cannot turn the net connection off in Windows, so when this was necessary, I had to run Safe Mode without networking.

Fortunately I have a laptop with Vista installed, which has been a great help for reading your instructions while in a disconnected environment with my stationary PC.

I ran a scan with Microsoft Security Essentials, which had been installed at an earlier point. As I understood it, there was no need to send any log from such a scan, but maybe I have misunderstood the many instructions. In any case the program registered another 2 severe threats. This time:
Trojan:Win32/Dynamer!dtc Removed
Virus:DOS/TaiPan_666.B Disinfected

I found a very suspicious ghosted directory in the "All users" directory:
{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}

Now the logs!
Malwarebytes: protection-log-2012-10-24.txt

2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Starting protection
2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Protection started successfully
2012/10/24 05:16:45 +0200 UD6 Allan MESSAGE Starting IP protection
2012/10/24 05:16:45 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/10/24 06:10:03 +0200 UD6 Allan MESSAGE Starting protection
2012/10/24 06:10:04 +0200 UD6 Allan MESSAGE Protection started successfully
2012/10/24 06:10:04 +0200 UD6 Allan MESSAGE Starting IP protection
2012/10/24 06:10:04 +0200 UD6 Allan ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

--------------------------------------------------------------------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-24 06:02:43
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD6401AALS-00L3B2 rev.01.03B01
Running: ww4t5lph.exe; Driver: C:\Users\Allan\AppData\Local\Temp\pgldapow.sys

---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8365A3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83693D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Utilities\Daemon Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x18 0xCC 0x97 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x6C 0x76 0x3D ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5D 0x2E 0xA5 0x25 ...
---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421
Run by Allan at 6:15:44 on 2012-10-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.47.1044.18.3579.2363 [GMT 2:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.online.no/
uSearch Page = hxxp://no.woofi.info/
mStart Page = hxxp://no.woofi.info/
mSearch Page = hxxp://no.woofi.info/
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CescrtHlpr Object: {64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.3\AVG Secure Search_toolbar.dll
BHO: CatcherBHO Class: {9B4DF450-DCC7-4B07-935D-0CD757A64583} -
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: facemoods Toolbar: {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.3\AVG Secure Search_toolbar.dll
uRun: [DAEMON Tools Lite] "g:\utilities\daemon tools lite\DTLite.exe" -autorun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
mRun: [NBAgent] "c:\program files\nero\nero 11\nero backitup\NBAgent.exe" /WinStart
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: mswsock.dll
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 193.213.112.4 130.67.15.198
TCP: Interfaces\{48598603-491D-4990-AD40-82492B2B11EA} : DHCPNameServer = 193.213.112.4 130.67.15.198
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-9-21 55008]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-10-5 93536]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-12-28 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-12-28 12464]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-9-13 177504]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-10-20 26984]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2011-3-10 3026]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-10-2 5783672]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-2 193568]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-23 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-23 676936]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-8 2214504]
R2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesService32.exe [2012-8-23 1532280]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [2012-10-20 711112]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-23 22856]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\avg\avg pc tuneup\TuneUpUtilitiesDriver32.sys [2012-7-4 10088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 rrkf;rrkf;c:\users\allan\appdata\roaming\61t6w.bat [2012-10-17 86]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-5 250808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 hidmini;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidmini.sys [2010-10-14 3712]
S3 hidtopgun;HID Minidriver for EMS TopGun;c:\windows\system32\drivers\hidtopgun.sys [2010-10-20 25728]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2010-11-10 176640]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-22 1343400]
.
=============== Created Last 30 ================
.
2012-10-23 21:46:26 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bc4c46d3-f603-40e9-897c-dda88ce28034}\mpengine.dll
2012-10-23 01:58:05 32120 ----a-w- c:\windows\system32\TURegOpt.exe
2012-10-23 01:58:03 21880 ----a-w- c:\windows\system32\authuitu.dll
2012-10-23 01:57:34 -------- d-----w- c:\users\allan\appdata\roaming\AVG
2012-10-23 01:57:01 -------- d-----w- c:\programdata\AVG
2012-10-23 01:56:32 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-23 00:44:17 -------- d-----w- c:\users\allan\appdata\roaming\Malwarebytes
2012-10-23 00:44:00 -------- d-----w- c:\programdata\Malwarebytes
2012-10-23 00:43:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-23 00:43:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-22 15:50:52 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-20 18:21:17 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-20 15:18:05 19076 ----a-w- C:\FixitRegBackup.reg
2012-10-20 13:53:31 -------- d-----w- c:\users\allan\appdata\roaming\AVG2013
2012-10-20 13:52:29 -------- d-----w- c:\users\allan\appdata\local\AVG Secure Search
2012-10-20 13:52:21 -------- d-----w- c:\users\allan\appdata\roaming\TuneUp Software
2012-10-20 13:52:19 -------- d-----w- c:\programdata\AVG Secure Search
2012-10-20 13:52:10 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-10-20 13:52:09 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-10-20 13:52:09 -------- d-----w- c:\program files\AVG Secure Search
2012-10-20 13:51:34 -------- d--h--w- C:\$AVG
2012-10-20 13:51:34 -------- d-----w- c:\programdata\AVG2013
2012-10-20 13:51:28 -------- d-----w- c:\program files\AVG
2012-10-20 13:49:20 -------- d--h--w- c:\programdata\Common Files
2012-10-20 13:49:20 -------- d-----w- c:\users\allan\appdata\local\MFAData
2012-10-20 13:49:20 -------- d-----w- c:\users\allan\appdata\local\Avg2013
2012-10-20 13:49:20 -------- d-----w- c:\programdata\MFAData
2012-10-16 23:42:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-10-16 23:28:20 86 ---h--w- c:\users\allan\appdata\roaming\61t6w.bat
2012-10-02 01:30:38 159712 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
==================== Find3M ====================
.
2012-10-20 18:21:09 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-08 22:01:11 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-08 22:01:11 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 01:46:06 164832 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-09-21 01:46:00 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2012-09-21 01:45:54 19936 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2012-09-21 01:45:52 55008 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-09-14 01:05:20 35552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2012-09-13 01:11:20 177504 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2012-08-30 20:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 20:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-07 14:18:24 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 6:16:43,11 ===============
 
This is the DDS attach text (there were no OTL.txt or Extras.txt from the DDS log, as mentioned in the removal instructions)
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 07.03.2010 01:39:22
System Uptime: 24.10.2012 06:09:04 (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | P55-UD6
Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | Socket 1156 | 2870/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 146 GiB total, 40,915 GiB free.
D: is FIXED (NTFS) - 117 GiB total, 100,741 GiB free.
E: is FIXED (NTFS) - 332 GiB total, 51,956 GiB free.
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: AM1L1FI4 IDE Controller
Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_093557B6&REV_01\4&5D18F2DF&0
Manufacturer: (Standard mass storage controllers)
Name: AM1L1FI4 IDE Controller
PNP Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_093557B6&REV_01\4&5D18F2DF&0
Service: acr564ru
.
==== System Restore Points ===================
.
RP279: 24.10.2012 04:07:38 - Planlagt kontrollpunkt (Scheduled checkpoint)
.
==== Installed Programs ======================
.
«Achtung Panzer - Kharkov 1943»
12noon Display Changer
3D Rad v7.12
7-Zip 4.65
A2 Oasis
Acronis True Image Home
Adobe Acrobat Reader 3.02
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 11 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.2.5
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Age of Mythology
Age of Mythology - The Titans Expansion
Any Video Converter 3.2.2
Any Video Converter Professional 3.1.1
AnyToISO
Ask Toolbar
Ask Toolbar Updater
Atari800Win PLus 4.0
µTorrent
AVG 2013
AVG PC TuneUp
AVG PC TuneUp Language Pack (en-US)
BeebEm V4.13
Blockbuster Ent., 2nd Ed.
calibre
CBR to PDF converter version 2.5
CCS64 V3.8
CDisplay 1.8
CinemaForge
CopyFilenames 3.1
D-Fend Reloaded 1.1.0 (deinstall)
D3DX10
DAEMON Tools Lite
DebugMode Wax 2.0
Defenstar
Defenstar version 1.1
DemonStar Full v3.25
Do It Again
Driver Whiz
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EMU7800 v0.95
Eye Candy 4000
Facemoods Toolbar
Falcon 4.0: Allied Force
FileZilla Client 3.5.3
Flight Simulator X
Flight Simulator X Service Pack 1
Fraps (remove only)
Free Audio Converter 4.1
Free Screen To Video V 1.2
Gamebase 264 version 0.6
GameBase Amiga v1.6
GameBase v1.2
Gigabyte Raid Configurer
Half-Life Source
HD Tune Pro 4.01
High-Definition Video Playback
Hoxs64
Hurrican 1.0.0.4
Java Auto Updater
Java(TM) 6 Update 37
JDownloader 0.9
kat5200 version 0.6.2
Khameleon version 2011-08-26
Magic ISO Maker v5.5 (build 0281)
Malwarebytes Anti-Malware versjon 1.65.1.1000
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile NOR Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended NOR Language Pack
Microsoft Age of Empires
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Flight Simulator X
Microsoft Flight Simulator X: Acceleration
Microsoft Office Excel Viewer
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
ModPlug Player
Moyea YouTube FLV Downloader version: 3.1.2.26
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Nero 11
Nero 11 Disc Menus Basic
Nero 11 Effects Basic
Nero 11 Image Samples
Nero 11 Kwik Themes Basic
Nero 11 PiP Effects Basic
Nero Audio Pack 1
Nero BackItUp 11
Nero BackItUp 11 Help (CHM)
Nero Backup Drivers
Nero Burning ROM 11
Nero Burning ROM 11 Help (CHM)
Nero ControlCenter 11
Nero ControlCenter 11 Help (CHM)
Nero Core Components 11
Nero CoverDesigner 11
Nero CoverDesigner 11 Help (CHM)
Nero Express 11
Nero Express 11 Help (CHM)
Nero Kwik Media
Nero Kwik Media Help (CHM)
Nero Recode 11
Nero Recode 11 Help (CHM)
Nero RescueAgent 11
Nero RescueAgent 11 Help (CHM)
Nero SoundTrax 11
Nero SoundTrax 11 Help (CHM)
Nero Update
Nero Video 11
Nero Video 11 Help (CHM)
Nero WaveEditor 11
Nero WaveEditor 11 Help (CHM)
nero.prerequisites.msi
NVIDIA Display Control Panel
NVIDIA Grafikkdriver 275.33
NVIDIA Install Application
NVIDIA kontrollpanel 275.33
NVIDIA oppdateringer 1.3.5
NVIDIA PhysX
NVIDIA Update Components
PCSX2 - Playstation 2 Emulator
PDF Reader 3
PDF Settings
PJP's JoyIDs
PowerISO
Project64 1.6
PVSonyDll
Realtek High Definition Audio Driver
Red Alert Themes
Red Alert Windows 95
RPCEmu
Saitek SD6 Programming Software 6.6.6.9
Samsung_MonSetup
Secret Weapons Over Normandy
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile NOR Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile NOR Language Pack (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SolveigMM AVI Trimmer
Spectaculator 7.0.1
Starcraft
TED Notepad
TextMaker Viewer
The GameBase64 Collection v07
The KMPlayer (remove only)
The Settlers IV
tools-freebsd
tools-linux
tools-netware
tools-solaris
tools-windows
tools-winPre2k
Total Annihilation
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VB64
Vcc Color Computer 3 Emulator Ver 1.42
VLC media player 1.1.7
VMware Workstation
welcome
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotogalleri
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR archiver
WinUAE 1.5.0
Xvid 1.1.3 final uninstall
ZD Soft Game Recorder
Zip Motion Block Video codec (Remove Only)
.
==== End Of File ===========================
 
Sending the 2 last logs from Malwarebytes. Doesn't seem the program could find any troubles, but my computer still has to be restarted because Windows 7 is freezing up on icons and taskbars. Even Task Manager won't run, so I'll have to physically turn off the PC each time.

Malwarebytes Anti-Malware (Prøveversjon) 1.65.1.1000
www.malwarebytes.org
Databaseversjon: v2012.10.22.06
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Allan :: UD6 [administrator]
Beskyttelse: Aktivert
24.10.2012 05:18:54
mbam-log-2012-10-24 (05-18-54).txt
Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 248066
Tid tilbakelagt: 3 minutt(er), 49 sekund(er)
Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)
Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)
Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)
Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)
Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)
Mapper oppdaget: 0
(Ingen skadelige objekter funnet)
Filer oppdaget 0
(Ingen skadelige objekter funnet)
(klar)
----------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Prøveversjon) 1.65.1.1000
www.malwarebytes.org
Databaseversjon: v2012.10.22.06
Windows 7 Service Pack 1 x86 NTFS (Sikkerhetsmodus)
Internet Explorer 9.0.8112.16421
Allan :: UD6 [administrator]
Beskyttelse: Deaktivert
24.10.2012 18:12:49
mbam-log-2012-10-24 (18-12-49).txt
Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 245610
Tid tilbakelagt: 2 minutt(er), 23 sekund(er)
Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)
Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)
Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)
Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)
Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)
Mapper oppdaget: 0
(Ingen skadelige objekter funnet)
Filer oppdaget 0
(Ingen skadelige objekter funnet)
(klar)
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

=============================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
On top of that, when the PC is working, the firewall can't be turned on; it gives the error message 0x8007042c. Perhaps it has something to do with MSE, AVG or Malwarebytes running.

I was able to make a system repair disk though, which earlier was blocked with another error message.
 
Report 2

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Allan [Admin rights]
Mode : Remove -- Date : 10/24/2012 19:21:04
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\AS\NTUSER.DAT
-> D:\Users\Default\NTUSER.DAT
-> D:\Users\Default User\NTUSER.DAT
-> D:\Documents and Settings\Default\NTUSER.DAT
-> D:\Documents and Settings\Default User\NTUSER.DAT
-> D:\Documents and Settings\JEJ\NTUSER.DAT
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
--- User ---
[MBR] 3abadc3e0a09666d883124ca372a879d
[BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
 
Report 1

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Allan [Admin rights]
Mode : Scan -- Date : 10/24/2012 19:20:01
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\AS\NTUSER.DAT
-> D:\Users\Default\NTUSER.DAT
-> D:\Users\Default User\NTUSER.DAT
-> D:\Documents and Settings\Default\NTUSER.DAT
-> D:\Documents and Settings\Default User\NTUSER.DAT
-> D:\Documents and Settings\JEJ\NTUSER.DAT
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
--- User ---
[MBR] 3abadc3e0a09666d883124ca372a879d
[BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-24 19:27:39
-----------------------------
19:27:39.877 OS Version: Windows 6.1.7601 Service Pack 1
19:27:39.877 Number of processors: 4 586 0x1E05
19:27:39.878 ComputerName: UD6 UserName:
19:27:40.654 Initialize success
19:28:45.084 AVAST engine defs: 12102400
19:29:20.317 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
19:29:20.319 Disk 0 Vendor: WDC_WD6401AALS-00L3B2 01.03B01 Size: 610480MB BusType: 11
19:29:20.327 Disk 0 MBR read successfully
19:29:20.329 Disk 0 MBR scan
19:29:20.332 Disk 0 Windows 7 default MBR code
19:29:20.336 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:29:20.365 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 149900 MB offset 206848
19:29:20.410 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 120000 MB offset 307202048
19:29:20.446 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 340478 MB offset 552962048
19:29:20.485 Disk 0 scanning sectors +1250260992
19:29:20.564 Disk 0 scanning C:\Windows\system32\drivers
19:29:35.088 Service scanning
19:29:43.109 Service MpKslb3f0ff26 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BC4C46D3-F603-40E9-897C-DDA88CE28034}\MpKslb3f0ff26.sys **LOCKED** 32
19:29:50.768 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:29:56.935 Modules scanning
19:30:27.924 Disk 0 trace - called modules:
19:30:27.933 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86ce91e8]<<
19:30:27.938 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87efc030]
19:30:27.942 3 CLASSPNP.SYS[8e25f59e] -> nt!IofCallDriver -> [0x86cb9918]
19:30:27.946 5 ACPI.sys[8d79e3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x87aed908]
19:30:27.951 \Driver\atapi[0x87a6fac0] -> IRP_MJ_CREATE -> 0x86ce91e8
19:30:28.572 AVAST engine scan C:\Windows
19:30:33.973 AVAST engine scan C:\Windows\system32
19:33:04.055 AVAST engine scan C:\Windows\system32\drivers
19:33:20.069 AVAST engine scan C:\Users\Allan
19:38:24.064 AVAST engine scan C:\ProgramData
19:39:15.970 Scan finished successfully
19:39:45.226 Disk 0 MBR has been saved successfully to "C:\Users\Allan\Desktop\MBR.dat"
19:39:45.278 The log file has been saved successfully to "C:\Users\Allan\Desktop\aswMBR.txt"
 
Has to run from safe mode with network connection now. Explorer is not able to download web content. Long intervals followed by locking of the scrolling ability inside windows and different pointer icons. Nothing happens when using the right mouse button inside a window, no menu or chance to update the website.
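The RogueKiller reports above and the FRST log later in this thread show several independent ZeroAccess indicators: hidden U and L payload directories under C:\$recycle.bin\<SID>\$<32 hex chars>\, UAC switched off through EnableLUA and ConsentPromptBehaviorAdmin set to 0, the listed IRP major functions of mountmgr.sys hooked to an address the tool cannot attribute to any module, a service (rrkf) whose image is a .bat file in the user's AppData folder, and a CLSID InprocServer32 entry that FRST itself marks "ATTENTION! ====> ZeroAccess". The script below is an added example, not code from RogueKiller, FRST or the helper in this thread: it runs simple detection rules over lines copied from those logs and reports what a responder would want to see at a glance. The rule names, severities and the set of expected service-image extensions are this example's own choices.

```python
"""Triage of RogueKiller / FRST style log lines for ZeroAccess-type indicators.

Added example for this thread; not code from RogueKiller, FRST or the forum
helper. Rule names, severities and the expected-extension set are assumptions
made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the RogueKiller and FRST logs quoted in this thread.
SAMPLE_LOG = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$cd0e6de232e129f5b1eb56730fd3d2a7\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2559753181-3935304610-3998308970-1005\$cd0e6de232e129f5b1eb56730fd3d2a7\L --> FOUND
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
2 rrkf; C:\Users\Allan\AppData\Roaming\61t6w.bat [86 2012-10-17] ()
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    line: str


# $recycle.bin\<SID>\$<32 hex>\U or \L : the hidden payload/module store ZeroAccess uses.
ZA_RECYCLE_RE = re.compile(r"\$recycle\.bin\\S-1-5(?:-\d+)+\\\$[0-9a-f]{32}\\[UL]\b", re.I)
# UAC policy values as RogueKiller prints them: Name (value) -> FOUND / REPLACED (new).
UAC_RE = re.compile(r"\b(EnableLUA|ConsentPromptBehaviorAdmin)\s*\((\d+)\)")
# IRP dispatch entry of a driver redirected to an address no loaded module accounts for.
IRP_HOOK_RE = re.compile(
    r"^IRP\[(IRP_MJ_\w+)\]\s*:\s*(\S+)\s*->\s*HOOKED\s*\(\[MAJOR\]\s*Unknown\s*@\s*(0x[0-9A-Fa-f]+)\)")
# FRST service/driver line: "<start> <name>; <path> [size date] (signer)".
SERVICE_RE = re.compile(
    r'^\d\s+(?P<name>[^;]+);\s*"?(?:\\\?\?\\)?(?P<path>[A-Za-z]:\\.*?\.(?P<ext>[A-Za-z0-9]{2,4}))"?(?=\s)'
    r'.*\[\d+\s+[\d-]+\]\s*\((?P<signer>[^)]*)\)\s*$')
# FRST's own attribution marker.
TOOL_FLAG_RE = re.compile(r"ATTENTION!\s*=+>\s*(\w+)")
# Assumed set of file types a service or driver image is expected to be.
EXPECTED_IMAGE_EXT = {"exe", "sys", "dll"}


def triage(text: str) -> list[Finding]:
    """Run every rule over every non-empty line; one line may yield several findings."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ZA_RECYCLE_RE.search(line):
            findings.append(Finding("zeroaccess_recycle_bin", "high",
                                    f"hidden payload dir {m.group(0)}", line))
        if (m := UAC_RE.search(line)) and m.group(2) == "0":
            findings.append(Finding("uac_weakened", "medium",
                                    f"{m.group(1)} set to 0", line))
        if m := IRP_HOOK_RE.search(line):
            findings.append(Finding("irp_hook_unknown", "high",
                                    f"{m.group(1)} of {m.group(2)} -> {m.group(3)}", line))
        if m := SERVICE_RE.search(line):
            ext, path = m.group("ext").lower(), m.group("path")
            reasons = []
            if ext not in EXPECTED_IMAGE_EXT:
                reasons.append(f"image is a .{ext} file")
            if "\\appdata\\" in path.lower():
                reasons.append("image lives in a user profile")
            if reasons:
                findings.append(Finding("suspicious_service_image", "high",
                                        f"{m.group('name')}: " + "; ".join(reasons), line))
        if m := TOOL_FLAG_RE.search(line):
            findings.append(Finding("tool_flagged", "high",
                                    f"scanner attributed line to {m.group(1)}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, so a responder sees the shape of the infection at once."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:26} {f.detail}")
    print(summarize(results))
```

Run it as a script to print the findings for the embedded sample, or call triage() on the text of a report saved from RogueKiller or FRST. The service rule only understands the "<start> <name>; <path> [size date] (signer)" line shape of FRST's Services and Drivers sections, so entries FRST prints with [x] (image not found) are skipped. The UAC rule reads the value in parentheses directly after the policy name, which means a "Remove" report line such as "EnableLUA (0) -> REPLACED (1)" is still reported, since it records that the weak value was present before the fix.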
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-10-2012
Ran by SYSTEM at 25-10-2012 00:37:32
Running from H:\fix2012
Windows 7 Home Premium (X86) OS Language: Norwegian Bokmal
The current controlset is ControlSet003
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-20] ()
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7547424 2009-06-25] (Realtek Semiconductor)
HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595792 2008-04-09] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [909208 2008-04-09] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [136472 2008-04-09] (Acronis)
HKLM\...\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [129584 2010-01-22] (VMware, Inc.)
HKLM\...\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [237568 2009-06-03] (Saitek)
HKLM\...\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [131072 2009-06-03] (Saitek)
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
HKLM\...\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I [362200 2011-09-05] (facemoods.com)
HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2011-09-20] (Nero AG)
HKLM\...\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup [312376 2011-11-15] (Power Software Ltd)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [x]
HKLM\...\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKU\Allan\...\Run: [DAEMON Tools Lite] "G:\Utilities\Daemon Tools Lite\DTLite.exe" -autorun [x]
HKU\Allan\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" [321328 2012-02-28] (BitTorrent, Inc.)
HKU\Allan\...\Policies\system: [LogonHoursAction] 2
HKU\Allan\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\JEJ\...\Run: [BrowserChoice] "C:\Windows\System32\browserchoice.exe" /run [293376 2010-02-11] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Lsa: [Authentication Packages] msv1_0 relog_ap
==================== Services (Whitelisted) ===================
2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [431384 2008-04-09] (Acronis)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
2 NAUpdate; "C:\Program Files\Nero\Update\NASvc.exe" [641832 2011-09-23] (Nero AG)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation)
2 TryAndDecideService; "C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [492896 2008-04-09] ()
2 TuneUp.UtilitiesSvc; "C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe" [1532280 2012-08-23] (AVG)
2 VMAuthdService; "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" [113200 2010-01-22] (VMware, Inc.)
2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [334384 2010-01-22] (VMware, Inc.)
2 VMUSBArbService; "C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe" [563760 2010-01-22] (VMware, Inc.)
2 VMware NAT Service; C:\Windows\system32\vmnat.exe [395824 2010-01-22] (VMware, Inc.)
2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-10-20] ()
3 ufad-ws60; "C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml [x]
==================== Drivers (Whitelisted) ====================
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-10-20] (AVG Technologies)
2 hcmon; \??\C:\Windows\system32\drivers\hcmon.sys [32304 2010-01-22] (VMware, Inc.)
3 hidmini; C:\Windows\System32\DRIVERS\hidmini.sys [3712 2008-04-21] (Windows (R) Codename Longhorn DDK provider)
3 hidtopgun; C:\Windows\System32\DRIVERS\hidtopgun.sys [25728 2008-04-21] (Windows (R) Codename Longhorn DDK provider)
1 hwinterface; C:\Windows\System32\Drivers\hwinterface.sys [3026 2011-03-10] (Logix4u)
0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [93024 2009-07-17] (JMicron Technology Corp.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
2 rrkf; C:\Users\Allan\AppData\Roaming\61t6w.bat [86 2012-10-17] ()
3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [14080 2009-06-10] (Saitek)
3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [36992 2009-06-10] (Saitek)
1 SCDEmu; C:\Windows\System32\Drivers\SCDEmu.sys [112096 2011-11-15] (Power Software Ltd)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [431672 2011-03-19] (Duplex Secure Ltd.)
0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368480 2010-03-07] (Acronis)
2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2010-03-07] (Acronis)
3 TrueSight; \??\C:\Windows\system32\drivers\TrueSight.sys [13952 2012-10-24] ()
3 TuneUpUtilitiesDrv; \??\C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys [10088 2012-07-04] (TuneUp Software)
2 vmci; \??\C:\Windows\system32\Drivers\vmci.sys [70704 2010-01-22] (VMware, Inc.)
3 vmkbd; \??\C:\Windows\system32\drivers\VMkbd.sys [23216 2010-01-22] (VMware, Inc.)
3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16560 2010-01-22] (VMware, Inc.)
2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [36400 2010-01-22] (VMware, Inc.)
2 VMnetuserif; \??\C:\Windows\system32\drivers\vmnetuserif.sys [26288 2010-01-22] (VMware, Inc.)
3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2010-01-22] (VMware, Inc.)
2 vmx86; \??\C:\Windows\system32\Drivers\vmx86.sys [854192 2010-01-22] (VMware, Inc.)
2 vstor2-ws60; \??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [22448 2009-10-12] (VMware, Inc.)
1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [x]
3 gdrv; \??\C:\Windows\gdrv.sys [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2012-10-25 00:33 - 2012-10-25 00:33 - 00000000 ____D C:\FRST
2012-10-24 18:39 - 2012-10-24 18:39 - 00002463 ____A C:\Users\Allan\Desktop\aswMBR.txt
2012-10-24 18:39 - 2012-10-24 18:39 - 00000512 ____A C:\Users\Allan\Desktop\MBR.dat
2012-10-24 18:27 - 2012-10-24 18:27 - 04731392 ____A (AVAST Software) C:\Users\Allan\Desktop\aswMBR.exe
2012-10-24 18:21 - 2012-10-24 18:21 - 00003648 ____A C:\Users\Allan\Desktop\RKreport[2].txt
2012-10-24 18:20 - 2012-10-24 18:20 - 00003336 ____A C:\Users\Allan\Desktop\RKreport[1].txt
2012-10-24 18:19 - 2012-10-24 18:21 - 00000000 ____D C:\Users\Allan\Desktop\RK_Quarantine
2012-10-24 18:19 - 2012-10-24 18:19 - 00013952 ____A C:\Windows\System32\Drivers\TrueSight.sys
2012-10-24 18:17 - 2012-10-24 18:17 - 01580544 ____A C:\Users\Allan\Desktop\RogueKiller.exe
2012-10-24 18:08 - 2012-10-24 18:11 - 00488582 ____A C:\Users\Allan\Desktop\avgremover.log
2012-10-24 18:05 - 2012-10-24 18:05 - 02586752 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
2012-10-24 05:16 - 2012-10-24 05:16 - 00015834 ____A C:\Users\Allan\Desktop\dds.txt
2012-10-24 05:16 - 2012-10-24 05:16 - 00008294 ____A C:\Users\Allan\Desktop\attach.txt
2012-10-24 05:12 - 2012-10-24 05:12 - 00687724 ____R (Swearware) C:\Users\Allan\Desktop\dds.com
2012-10-24 05:02 - 2012-10-24 05:02 - 00008717 ____A C:\Users\Allan\Desktop\gmer.log
2012-10-24 04:31 - 2012-10-24 04:31 - 00302592 ____A C:\Users\Allan\Desktop\ww4t5lph.exe
2012-10-23 04:02 - 2012-10-23 04:02 - 00000632 _RASH C:\Users\Allan\ntuser.pol
2012-10-23 02:58 - 2012-08-23 10:31 - 00032120 ____A (AVG) C:\Windows\System32\TURegOpt.exe
2012-10-23 02:58 - 2012-08-23 10:31 - 00021880 ____A (AVG) C:\Windows\System32\authuitu.dll
2012-10-23 02:57 - 2012-10-23 02:58 - 00000000 ____D C:\Users\All Users\AVG
2012-10-23 02:57 - 2012-10-23 02:57 - 00002177 ____A C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
2012-10-23 02:57 - 2012-10-23 02:57 - 00002129 ____A C:\Users\Public\Desktop\AVG PC TuneUp.lnk
2012-10-23 02:57 - 2012-10-23 02:57 - 00000000 ____D C:\Users\Allan\AppData\Roaming\AVG
2012-10-23 02:56 - 2012-10-23 02:56 - 00000000 __SHD C:\Users\All Users\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-10-23 01:44 - 2012-10-23 01:44 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-23 01:44 - 2012-10-23 01:44 - 00000000 ____D C:\Users\Allan\AppData\Roaming\Malwarebytes
2012-10-23 01:44 - 2012-10-23 01:44 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-23 01:43 - 2012-10-23 01:44 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-10-23 01:43 - 2012-09-29 18:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-22 17:33 - 2012-10-23 02:55 - 00000000 ____D C:\Users\Allan\Downloads\Antivirus progs
2012-10-22 16:58 - 2012-10-22 16:58 - 16985648 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\Windows-KB890830-V4.13.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-10-20 19:21 - 2012-10-20 19:21 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00000000 ____D C:\Program Files\Java
2012-10-20 19:21 - 2012-10-20 19:21 - 00000000 ____D C:\Program Files\Common Files\Java
2012-10-20 19:20 - 2012-10-20 19:20 - 00000000 ____D C:\Users\All Users\McAfee
2012-10-20 16:26 - 2012-10-20 16:26 - 11088872 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\mseinstall.exe
2012-10-20 16:18 - 2012-10-20 16:18 - 00019076 ____A C:\FixitRegBackup.reg
2012-10-20 16:17 - 2012-10-20 16:17 - 00899584 ____A C:\Users\Allan\Downloads\MicrosoftFixit50535.msi
2012-10-20 14:52 - 2012-10-24 18:08 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-10-20 14:52 - 2012-10-20 14:52 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Users\Allan\AppData\Roaming\TuneUp Software
2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Users\Allan\AppData\Local\AVG Secure Search
2012-10-20 14:52 - 2012-10-20 14:52 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2012-10-20 14:51 - 2012-10-24 18:11 - 00000000 ____D C:\Program Files\AVG
2012-10-20 14:51 - 2012-10-20 14:51 - 00000000 ___HD C:\$AVG
2012-10-20 14:48 - 2012-10-20 14:48 - 04420616 ____A (AVG Technologies) C:\Users\Allan\Downloads\avg_free_stb_all_2013_2741_cnet.exe
2012-10-20 05:41 - 2012-10-20 05:42 - 00000000 ____D C:\Users\Allan\Documents\TEMP DOCS
2012-10-17 00:42 - 2012-10-17 00:42 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-10-17 00:28 - 2012-10-17 00:28 - 00090176 ____A C:\Users\Allan\AppData\Roaming\gmzdanb.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00086080 ____A C:\Users\Allan\AppData\Roaming\asfebji.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00060992 ____A C:\Users\Allan\AppData\Roaming\ekseldi.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00000086 ____H C:\Users\Allan\AppData\Roaming\61t6w.bat
2012-10-17 00:27 - 2012-10-17 00:27 - 00000012 ____A C:\Windows\srun.log
2012-10-15 02:14 - 2012-10-15 02:24 - 00000000 ____D C:\Users\Allan\Documents\Utskrifter fra bank
==================== 3 Months Modified Files ==================
2012-10-24 21:01 - 2012-05-05 12:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-24 20:11 - 2009-07-14 05:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-24 20:11 - 2009-07-14 05:34 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-24 20:04 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-24 20:04 - 2009-07-14 05:39 - 00088403 ____A C:\Windows\setupact.log
2012-10-24 18:39 - 2012-10-24 18:39 - 00002463 ____A C:\Users\Allan\Desktop\aswMBR.txt
2012-10-24 18:39 - 2012-10-24 18:39 - 00000512 ____A C:\Users\Allan\Desktop\MBR.dat
2012-10-24 18:27 - 2012-10-24 18:27 - 04731392 ____A (AVAST Software) C:\Users\Allan\Desktop\aswMBR.exe
2012-10-24 18:21 - 2012-10-24 18:21 - 00003648 ____A C:\Users\Allan\Desktop\RKreport[2].txt
2012-10-24 18:20 - 2012-10-24 18:20 - 00003336 ____A C:\Users\Allan\Desktop\RKreport[1].txt
2012-10-24 18:19 - 2012-10-24 18:19 - 00013952 ____A C:\Windows\System32\Drivers\TrueSight.sys
2012-10-24 18:17 - 2012-10-24 18:17 - 01580544 ____A C:\Users\Allan\Desktop\RogueKiller.exe
2012-10-24 18:11 - 2012-10-24 18:08 - 00488582 ____A C:\Users\Allan\Desktop\avgremover.log
2012-10-24 18:09 - 2010-03-07 01:52 - 00029154 ____A C:\Windows\PFRO.log
2012-10-24 18:05 - 2012-10-24 18:05 - 02586752 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
2012-10-24 17:42 - 2010-03-07 01:34 - 01856002 ____A C:\Windows\WindowsUpdate.log
2012-10-24 05:16 - 2012-10-24 05:16 - 00015834 ____A C:\Users\Allan\Desktop\dds.txt
2012-10-24 05:16 - 2012-10-24 05:16 - 00008294 ____A C:\Users\Allan\Desktop\attach.txt
2012-10-24 05:12 - 2012-10-24 05:12 - 00687724 ____R (Swearware) C:\Users\Allan\Desktop\dds.com
2012-10-24 05:02 - 2012-10-24 05:02 - 00008717 ____A C:\Users\Allan\Desktop\gmer.log
2012-10-24 04:31 - 2012-10-24 04:31 - 00302592 ____A C:\Users\Allan\Desktop\ww4t5lph.exe
2012-10-23 04:02 - 2012-10-23 04:02 - 00000632 _RASH C:\Users\Allan\ntuser.pol
2012-10-23 02:57 - 2012-10-23 02:57 - 00002177 ____A C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
2012-10-23 02:57 - 2012-10-23 02:57 - 00002129 ____A C:\Users\Public\Desktop\AVG PC TuneUp.lnk
2012-10-23 01:44 - 2012-10-23 01:44 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-22 16:58 - 2012-10-22 16:58 - 16985648 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\Windows-KB890830-V4.13.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-10-20 19:21 - 2012-10-20 19:21 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-10-20 19:21 - 2012-10-20 19:21 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-10-20 19:21 - 2011-12-24 13:46 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-10-20 16:53 - 2011-03-12 19:44 - 00001912 ____A C:\Windows\epplauncher.mif
2012-10-20 16:48 - 2009-07-14 08:31 - 00494966 ____A C:\Windows\System32\perfh014.dat
2012-10-20 16:48 - 2009-07-14 08:31 - 00095282 ____A C:\Windows\System32\perfc014.dat
2012-10-20 16:26 - 2012-10-20 16:26 - 11088872 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\mseinstall.exe
2012-10-20 16:18 - 2012-10-20 16:18 - 00019076 ____A C:\FixitRegBackup.reg
2012-10-20 16:17 - 2012-10-20 16:17 - 00899584 ____A C:\Users\Allan\Downloads\MicrosoftFixit50535.msi
2012-10-20 15:31 - 2010-03-07 01:45 - 01369214 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-20 15:23 - 2009-07-14 05:53 - 00032560 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-20 14:52 - 2012-10-20 14:52 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2012-10-20 14:48 - 2012-10-20 14:48 - 04420616 ____A (AVG Technologies) C:\Users\Allan\Downloads\avg_free_stb_all_2013_2741_cnet.exe
2012-10-19 00:17 - 2010-05-15 09:09 - 00001119 ____A C:\Windows\Sidplay2w.ini
2012-10-17 00:28 - 2012-10-17 00:28 - 00090176 ____A C:\Users\Allan\AppData\Roaming\gmzdanb.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00086080 ____A C:\Users\Allan\AppData\Roaming\asfebji.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00060992 ____A C:\Users\Allan\AppData\Roaming\ekseldi.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00000086 ____H C:\Users\Allan\AppData\Roaming\61t6w.bat
2012-10-17 00:27 - 2012-10-17 00:27 - 00000012 ____A C:\Windows\srun.log
2012-10-08 23:01 - 2012-05-05 12:25 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 23:01 - 2011-06-08 10:41 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-10-06 21:14 - 2011-09-19 13:38 - 00000128 ____A C:\Users\All Users\Tempest 2000.eeprom
2012-09-29 18:54 - 2012-10-23 01:43 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-27 23:32 - 2010-03-07 01:48 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-22 21:16 - 2011-10-19 10:45 - 00007606 ____A C:\Users\Allan\AppData\Local\Resmon.ResmonCfg
2012-09-21 23:50 - 2009-07-14 03:04 - 00000425 ____A C:\Windows\win.ini
2012-09-10 19:49 - 2009-07-14 05:33 - 02090584 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-30 21:03 - 2012-08-30 21:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 21:03 - 2010-10-24 21:25 - 00099272 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-23 10:31 - 2012-10-23 02:58 - 00032120 ____A (AVG) C:\Windows\System32\TURegOpt.exe
2012-08-23 10:31 - 2012-10-23 02:58 - 00021880 ____A (AVG) C:\Windows\System32\authuitu.dll
2012-08-07 15:18 - 2010-03-07 01:47 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-10-24 03:07:49
==================== Memory info ===========================
Percentage of memory in use: 13%
Total physical RAM: 4091.3 MB
Available physical RAM: 3555.73 MB
Total Pagefile: 4089.57 MB
Available Pagefile: 3564.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.2 MB
==================== Partitions =============================
2 Drive c: (W7) (Fixed) (Total:146.39 GB) (Free:40.43 GB) NTFS
3 Drive e: (W7X64) (Fixed) (Total:117.19 GB) (Free:100.74 GB) NTFS
4 Drive f: (DATA) (Fixed) (Total:332.5 GB) (Free:51.96 GB) NTFS
6 Drive h: () (Removable) (Total:7.5 GB) (Free:3.7 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ###  Status   Size     Free   Dyn  GPT
--------  -------  -------  -----  ---  ---
Disk 0    Online   596 GB   0 B
Disk 1    Online   7686 MB  0 B
Leaving DiskPart...
Partitions of Disk 0:
===============
Disk 0 is now the selected disk.
Partition ###  Type      Size     Offset
-------------  --------  -------  --------
Partition 1    Primary   100 MB   1024 KB
Partition 2    Primary   146 GB   101 MB
Partition 3    Primary   117 GB   146 GB
Partition 4    Primary   332 GB   263 GB
Leaving DiskPart...
=========================================================
Disk: 0
Disk 0 is now the selected disk.
Partition 1 is now the selected partition.
Partition 1
Type  : 07
Hidden: No
Active: Yes
Offset in bytes: 1048576
Volume ###  Ltr  Label        Fs     Type       Size     Status  Info
----------  ---  -----------  -----  ---------  -------  ------  --------
* Volume 1   Y   System Rese  NTFS   Partition  100 MB   OK
Leaving DiskPart...
=========================================================
Disk: 0
Disk 0 is now the selected disk.
Partition 2 is now the selected partition.
Partition 2
Type  : 07
Hidden: No
Active: No
Offset in bytes: 105906176
Volume ###  Ltr  Label        Fs     Type       Size     Status  Info
----------  ---  -----------  -----  ---------  -------  ------  --------
* Volume 2   C   W7           NTFS   Partition  146 GB   OK
Leaving DiskPart...
=========================================================
Disk: 0
Disk 0 is now the selected disk.
Partition 3 is now the selected partition.
Partition 3
Type  : 07
Hidden: No
Active: No
Offset in bytes: 157287448576
Volume ###  Ltr  Label        Fs     Type       Size     Status  Info
----------  ---  -----------  -----  ---------  -------  ------  --------
* Volume 3   E   W7X64        NTFS   Partition  117 GB   OK
Leaving DiskPart...
=========================================================
Disk: 0
Disk 0 is now the selected disk.
Partition 4 is now the selected partition.
Partition 4
Type  : 07
Hidden: No
Active: No
Offset in bytes: 283116568576
Volume ###  Ltr  Label        Fs     Type       Size     Status  Info
----------  ---  -----------  -----  ---------  -------  ------  --------
* Volume 4   F   DATA         NTFS   Partition  332 GB   OK
Leaving DiskPart...
=========================================================
Partitions of Disk 1:
===============
Disk 1 is now the selected disk.
Partition ###  Type      Size     Offset
-------------  --------  -------  --------
Partition 1    Primary   7682 MB  4032 KB
Leaving DiskPart...
=========================================================
Disk: 1
Disk 1 is now the selected disk.
Partition 1 is now the selected partition.
Partition 1
Type  : 0C
Hidden: No
Active: No
Offset in bytes: 4128768
Volume ###  Ltr  Label        Fs     Type       Size     Status  Info
----------  ---  -----------  -----  ---------  -------  ------  --------
* Volume 5   H                FAT32  Removable  7682 MB  OK
Leaving DiskPart...
=========================================================
Last Boot: 2012-10-18 00:03
==================== End Of Log ============================
 
Farbar Recovery Scan Tool (x86) Version: 21-10-2012
Ran by SYSTEM at 2012-10-25 00:43:48
Running from H:\fix2012
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
=== End Of Search ===
 
The recovery option seemed to switch partition letters, so I'm not absolutely sure whether the scan was from the C: or D: partition. The system reported more than one OS.
 
When trying to run Win7, there is now a script error report: Line 64 - value is 0 or undefined, not a functional object. Code 0.
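Listings like the FRST "Created" and "Modified" sections above are normally read by eye in threads like this. As an added example that is not part of the original thread and not code from FRST, here is a small Python triage script that parses FRST's `created - modified - size attrs (company) path` lines and flags the three patterns visible in this particular log: a hidden+system directory under System32 named like an environment-variable token (`C:\Windows\System32\%APPDATA%`), a burst of unsigned files written into `AppData\Roaming` within the same minute (the three random-named `.dat` files and the `.bat`), and a hidden script inside a user profile. The sample lines are copied from the log above; the rules, the burst threshold and the extension list are my own assumptions, not anything FRST itself does.

```python
import re
from collections import defaultdict

# One FRST file line: "created - modified - size attrs [(company)] path"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)

# Constructed sample input: lines copied from the FRST listings in this thread.
SAMPLE_FRST = r"""
2012-10-24 18:39 - 2012-10-24 18:39 - 00000512 ____A C:\Users\Allan\Desktop\MBR.dat
2012-10-22 16:58 - 2012-10-22 16:58 - 16985648 ____A (Microsoft Corporation) C:\Users\Allan\Downloads\Windows-KB890830-V4.13.exe
2012-10-17 00:42 - 2012-10-17 00:42 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-10-17 00:28 - 2012-10-17 00:28 - 00090176 ____A C:\Users\Allan\AppData\Roaming\gmzdanb.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00086080 ____A C:\Users\Allan\AppData\Roaming\asfebji.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00060992 ____A C:\Users\Allan\AppData\Roaming\ekseldi.dat
2012-10-17 00:28 - 2012-10-17 00:28 - 00000086 ____H C:\Users\Allan\AppData\Roaming\61t6w.bat
2012-10-17 00:27 - 2012-10-17 00:27 - 00000012 ____A C:\Windows\srun.log
2012-08-30 21:03 - 2012-08-30 21:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
"""

# Assumed set of extensions worth flagging when hidden inside a user profile.
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".exe", ".dll", ".scr")


def parse_frst(text: str) -> list:
    """Parse FRST file-listing lines; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["attrs"] = set(e["attrs"].replace("_", ""))  # attribute letters: A R S H D N
        e["company"] = e["company"] or ""               # empty = no version-info company name
        e["parent"], _, e["name"] = e["path"].rpartition("\\")
        entries.append(e)
    return entries


def triage(text: str, burst_min: int = 3) -> dict:
    """Return {path: [reasons]} for entries matching the heuristics below (my rules, not FRST's)."""
    entries = parse_frst(text)
    flags = defaultdict(list)

    # Rule 1: several unsigned files written straight into AppData\Roaming in the same minute.
    per_minute = defaultdict(list)
    for e in entries:
        if "D" not in e["attrs"] and not e["company"] and e["parent"].lower().endswith(r"\appdata\roaming"):
            per_minute[e["created"]].append(e)
    for created, group in per_minute.items():
        if len(group) >= burst_min:
            for e in group:
                flags[e["path"]].append(f"one of {len(group)} unsigned files dropped into Roaming at {created}")

    for e in entries:
        attrs, name, parent = e["attrs"], e["name"].lower(), e["parent"].lower()
        # Rule 2: hidden+system directory directly under System32 whose name looks like
        # an environment-variable token rather than a real component name.
        if {"S", "H", "D"} <= attrs and parent.endswith(r"\windows\system32") and name.startswith("%"):
            flags[e["path"]].append("hidden+system directory in System32 named like an environment-variable token")
        # Rule 3: hidden executable or script inside a user profile.
        if "H" in attrs and "D" not in attrs and name.endswith(SCRIPT_EXT) and "\\users\\" in e["path"].lower():
            flags[e["path"]].append("hidden executable/script in a user profile")
    return dict(flags)


if __name__ == "__main__":
    # Usage: python frst_triage.py < FRST.txt   (falls back to the constructed sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FRST
    for path, reasons in triage(text).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Everything the script flags still has to be confirmed by hand (signer, hash, what loads it); the point of the timestamp-burst rule is only to pull the dropper's output out of a listing that is otherwise dominated by the helper's own tools and Windows Update.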
 
Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Restart normally.

Re-run RogueKiller and post new log.
Also update me on computer's issues.
 

Attachments

  • fixlist.txt (301 bytes)
Fixlog text:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-10-2012
Ran by SYSTEM at 2012-10-25 04:24:57 Run:1
Running from H:\fix2012
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet003\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
rrkf service deleted successfully.
C:\Users\Allan\AppData\Roaming\61t6w.bat moved successfully.
==== End of Fixlog ====
 
Report 3:

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Allan [Admin rights]
Mode : Scan -- Date : 10/25/2012 04:33:01
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\AS\NTUSER.DAT
-> D:\Users\Default\NTUSER.DAT
-> D:\Users\Default User\NTUSER.DAT
-> D:\Documents and Settings\Default\NTUSER.DAT
-> D:\Documents and Settings\Default User\NTUSER.DAT
-> D:\Documents and Settings\JEJ\NTUSER.DAT
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
--- User ---
[MBR] 3abadc3e0a09666d883124ca372a879d
[BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: USB Flash Memory USB Device +++++
--- User ---
[MBR] 08d4a4ff7771df7294cef168b07ba0fe
[BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
 
Report 4 (after deleting in RogueKiller)

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Allan [Admin rights]
Mode : Remove -- Date : 10/25/2012 04:43:13
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\AS\NTUSER.DAT
-> D:\Users\Default\NTUSER.DAT
-> D:\Users\Default User\NTUSER.DAT
-> D:\Documents and Settings\Default\NTUSER.DAT
-> D:\Documents and Settings\Default User\NTUSER.DAT
-> D:\Documents and Settings\JEJ\NTUSER.DAT
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
--- User ---
[MBR] 3abadc3e0a09666d883124ca372a879d
[BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: USB Flash Memory USB Device +++++
--- User ---
[MBR] 08d4a4ff7771df7294cef168b07ba0fe
[BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt
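aswMBR wrote the first sector of the disk to MBR.dat (the 512-byte file on the Desktop in the FRST listing), and RogueKiller printed the partition table and MBR hashes from the same sector. As an added example that is not part of this thread and not code from either tool, the following Python parses such a 512-byte MBR, lists the partition entries, hashes the boot-code area so you can keep your own baseline, and checks the layout for what a bootkit or a damaged table would show: more than one active entry, overlapping entries, an entry running past the disk, or a large unallocated tail. The sample MBR is constructed to match the four entries RogueKiller reported for PhysicalDrive0; its boot code is zero filler, the disk signature is arbitrary, and the disk's sector count, the 16 MiB tail threshold and the hashing range are my assumptions (the page does not say how RogueKiller computes its [MBR] and [BSP] values).

```python
import hashlib
import struct
import sys

SECTOR = 512
MIB = 1024 * 1024
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
# Assumed sector count for a 640 GB WDC WD6401AALS; not stated anywhere on the page.
DISK_SECTORS = 1_250_263_728


def build_sample_mbr() -> bytes:
    """Constructed sample matching RogueKiller's PhysicalDrive0 table (zero boot code, arbitrary signature)."""
    sec = bytearray(SECTOR)
    sec[440:444] = b"\x12\x34\x56\x78"
    table = [  # (status, type, LBA start, sector count); counts derived from the MiB sizes reported
        (0x80, 0x07, 2048, 204800),          # System Reserved, 100 MiB, active
        (0x00, 0x07, 206848, 306995200),     # W7, 149900 MiB
        (0x00, 0x07, 307202048, 245760000),  # W7X64, 120000 MiB
        (0x00, 0x07, 552962048, 697298944),  # DATA, 340478 MiB
    ]
    for i, (status, ptype, lba, count) in enumerate(table):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a classic (non-GPT) MBR."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count, "size_mib": count * SECTOR // MIB})
    return entries


def bootcode_md5(sector: bytes) -> str:
    """MD5 of bytes 0..439, the code area before the disk signature and partition table."""
    return hashlib.md5(sector[:440]).hexdigest()


def layout_problems(entries: list, disk_sectors: int, tail_limit_mib: int = 16) -> list:
    """Structural checks on the table; the tail threshold is an assumed heuristic."""
    probs = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        probs.append(f"{len(active)} active partitions")
    prev_end = 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] < prev_end:
            probs.append(f"entry {e['index']} overlaps the previous partition")
        prev_end = e["lba_start"] + e["sectors"]
    if prev_end > disk_sectors:
        probs.append("last partition runs past the end of the disk")
    elif (disk_sectors - prev_end) * SECTOR > tail_limit_mib * MIB:
        probs.append(f"{(disk_sectors - prev_end) * SECTOR // MIB} MiB unallocated after the last partition")
    return probs


def report(sector: bytes, disk_sectors: int = DISK_SECTORS) -> str:
    entries = parse_mbr(sector)
    lines = [f"boot code md5: {bootcode_md5(sector)}  disk signature: {sector[440:444].hex()}"]
    for e in entries:
        flag = "ACTIVE" if e["active"] else "      "
        lines.append(f"{e['index']} {flag} type 0x{e['type']:02x} start {e['lba_start']:>12} size {e['size_mib']:>8} MiB")
    lines += ["problem: " + p for p in layout_problems(entries, disk_sectors)] or ["layout: no problems found"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    print(report(data))
```

Record the boot-code hash from a known-clean state and compare after any incident; a changed hash with an unchanged partition table is the pattern to look for, since an MBR bootkit has to replace the code but has no reason to alter the table.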
 
Good :)

Create new restore point before proceeding with the next step....
How to:
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

=================================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there, use the restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 