TechSpot

System Check virus, a lot of problems

Inactive
By MjuTaS
Feb 8, 2012
  1. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    No. Just straight scan.
     
  2. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Yes, still got that message, and now it restarted.
     
  3. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    And desktop and all gone again, restart into safe mode?
     
  4. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Go ahead.....
     
  5. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    I guess you like my computer as much as I do :) always something wrong haha

    I started in safe mode and the ComboFix started again and finished the scan just like last time.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Post the resulting log please.
     
  7. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    It says tdx.sys was recreated but it's not in the folder after a restart.

    ComboFix 12-02-13.01 - Simon 2012-02-14 2:56.10.4 - x86 MINIMAL
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2679 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Skapade en ny återställningspunkt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\3774533322
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    .
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-14 till 2012-02-14 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-14 02:01 . 2012-02-14 02:03 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-14 02:01 . 2012-02-14 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-14 01:39 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-12 22:21 . 2012-02-12 22:21 -------- d-----w- c:\users\Simon\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-12 22:20 . 2012-02-12 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-12 22:20 . 2012-02-12 22:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-12 22:01 . 2012-02-12 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-12 22:01 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-14 01:30 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-14 239168]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    pxfhmdfl
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-14 03:06:11 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-14 02:06
    ComboFix2.txt 2012-02-14 01:27
    ComboFix3.txt 2012-02-14 00:47
    ComboFix4.txt 2012-02-11 03:11
    ComboFix5.txt 2012-02-14 01:38
    .
    Före genomsökningen: 32*522*547*200 byte ledigt
    Efter genomsökningen: 32*424*030*208 byte ledigt
    .
    - - End Of File - - BB0A33B5600D30745D1E60F721DA482C
     
  8. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Hold on there.
    I need to review this entire topic.
     
  9. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    It has to be something with the SUPERAntiSpyware quarantine of that file, or what do you think?
     
  10. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Redo steps from my reply #29.

    When done, re-run Combofix.
     
  11. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Still no internet access, and still "zeroaccess root kit was found in tcp/ip comp will restart"

    ComboFix 12-02-13.01 - Simon 2012-02-14 4:02.11.4 - x86 MINIMAL
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2673 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Skapade en ny återställningspunkt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\2680881913
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    c:\windows\$NtUninstallKB21072$ . . . . misslyckades radera
    .
    c:\windows\system32\drivers\afd.sys saknades
    Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
    .
    c:\windows\system32\drivers\cdrom.sys saknades
    Återställd kopia från - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
    .
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-14 till 2012-02-14 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-14 03:07 . 2012-02-14 03:09 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-14 03:07 . 2012-02-14 03:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-14 03:07 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-02-14 03:07 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-14 02:56 . 2012-02-14 02:56 -------- d-----w- C:\DAEMON Tools Lite
    2012-02-12 22:21 . 2012-02-12 22:21 -------- d-----w- c:\users\Simon\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-12 22:20 . 2012-02-12 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-12 22:20 . 2012-02-12 22:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-12 22:01 . 2012-02-12 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-12 22:01 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-14 01:30 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    pxfhmdfl
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-14 04:11:57 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-14 03:11
    ComboFix2.txt 2012-02-14 02:06
    ComboFix3.txt 2012-02-14 01:27
    ComboFix4.txt 2012-02-14 00:47
    ComboFix5.txt 2012-02-14 03:00
    .
    Före genomsökningen: 32*516*055*040 byte ledigt
    Efter genomsökningen: 32*404*066*304 byte ledigt
    .
    - - End Of File - - 69C8421654C2A23BA3CDCAAC06AE6533
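The two ComboFix logs posted above are the kind of thing a helper compares run against run. As an added example (not code from this thread, from ComboFix's authors or from TechSpot), here is a small Python parser for the Swedish-locale ComboFix sections quoted here that reports what recurred between the two runs: the system drivers that had to be restored again (tdx.sys, exactly the symptom noted above), the deletions that came back, and the fake $NtUninstallKB...$ folder they live under. The log excerpts are constructed from the two logs posted in this thread, and the function and variable names are this example's own.

```python
import re
from collections import namedtuple

# Constructed excerpts (not the full logs) of the two ComboFix runs posted in this thread.
# ComboFix writes section names in the system locale, here Swedish: "Andra raderingar" = other
# deletions, "saknades" = was missing, "Återställd kopia från" = restored copy from,
# "misslyckades radera" = failed to delete.
LOG_RUN1 = r"""
((((((((((((((((((((( Andra raderingar )))))))))))))))))))))
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\3774533322
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
"""
LOG_RUN2 = r"""
((((((((((((((((((((( Andra raderingar )))))))))))))))))))))
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2680881913
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
c:\windows\$NtUninstallKB21072$ . . . . misslyckades radera
c:\windows\system32\drivers\afd.sys saknades
Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
c:\windows\system32\drivers\cdrom.sys saknades
Återställd kopia från - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
"""

ComboFixRun = namedtuple("ComboFixRun", "deleted failed restored")

SECTION_RE = re.compile(r"^\(+ (?P<name>.+?) \)+$")
MISSING_RE = re.compile(r"^(?P<path>.+?) saknades$")
RESTORED_FROM_RE = re.compile(r"^Återställd kopia från - (?P<src>.+)$")
FAILED_RE = re.compile(r"^(?P<path>.+?) \. \. \. \. misslyckades radera$")
UNINSTALL_ROOT_RE = re.compile(r"^(c:\\windows\\\$ntuninstall[^\\]*\$)")


def parse_combofix(text):
    """Pull deletions, failed deletions and restored system files out of one ComboFix log."""
    deleted, failed, restored = [], [], {}
    section, pending = None, None  # pending: path reported missing, awaiting its source line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = MISSING_RE.match(line)
        if m:  # lower-case so the same file compares equal across runs
            pending = m.group("path").lower()
            continue
        m = RESTORED_FROM_RE.match(line)
        if m and pending:
            restored[pending] = m.group("src")  # source keeps its case, it is only reported
            pending = None
            continue
        if section != "Andra raderingar":
            continue
        m = FAILED_RE.match(line)
        if m:
            failed.append(m.group("path").lower())
        elif line.lower().startswith("c:\\"):
            deleted.append(line.lower())
    return ComboFixRun(deleted, failed, restored)


def compare_runs(first, second):
    """What recurred between two consecutive runs: a driver restored on every run is being
    removed again in between (the tdx.sys symptom in this thread), and deletions that recur
    point at a payload re-created from somewhere the scan is not reaching."""
    a, b = parse_combofix(first), parse_combofix(second)
    return {
        "restored_again": sorted(set(a.restored) & set(b.restored)),
        "newly_restored": sorted(set(b.restored) - set(a.restored)),
        "deleted_again": sorted(set(a.deleted) & set(b.deleted)),
        "delete_failed": sorted(b.failed),
    }


def persistence_roots(text):
    """Fake $NtUninstallKB...$ folders under which the deleted or undeletable paths sit."""
    run = parse_combofix(text)
    matches = (UNINSTALL_ROOT_RE.match(p) for p in run.deleted + run.failed)
    return sorted({m.group(1) for m in matches if m})
```

Running `compare_runs(LOG_RUN1, LOG_RUN2)` lists tdx.sys under `restored_again` and the `$NtUninstallKB21072$` payload files under `deleted_again`, which is the same conclusion the helper reached by eye before targeting that folder.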
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Were those two commands executed successfully?

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFolder: 
    c:\windows\$NtUninstallKB21072$
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  13. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Yes, it went successfully on both of them.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    OK. Go on......
     
  15. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Computer restarted by the BlitzBlank, a lot of text showed up at the start and then I got a bluescreen, now I can't start Windows,

    "windows failed to start. a recent hardware or software change might be the cause. to fix the problem:
    1 insert windows install disc and restart
    2 choose language settings click next
    3 click repair computer

    if you don't have this disc contact blabla for assistance

    file \windows\system32\config\system
    status 0xc000000f
    info windows failed to load because the system registry file is missing or corrupt
     
  16. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Boot to the System Recovery Options

    Try Startup Repair.
    If that doesn't work try System Restore.
     
  17. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    This looks bad Broni!

    Repair did not work.
    System restore failed.
    "details: system restore failed to extract the file (C:\windows\$NtUninstallKB21072$\2418786939\desktop.ini) from restore point."

    I only had one restore point for some reason, one from yesterday.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    I think that at this point your best option would be to reinstall Windows.
    This computer has been too heavily infected and most likely the Windows installation is simply whacked.
    Do you have any important data there?

    I'm sorry.
    We tried.
     
  19. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Sad, it was working so well yesterday before I lost the internet :/

    DeleteFolder:
    c:\windows\$NtUninstallKB21072$

    Shouldn't it have been something else written after that also?
     
  20. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    No.
    It was working yesterday but your computer wasn't clean.
    We had a combination of the TDL rootkit, which created a fake partition (we removed that), and then the ZeroAccess rootkit, which apparently is still there.

    Plus a whole bunch of other infections, which were removed by MBAM, Super and Combofix.
    Even if successful, I don't think your computer would ever be the same.
     

