TechSpot

Virus: Sirefef.AH & co. + 1 min reboot

Solved
By Kutunluu
Sep 7, 2012
Topic Status:
Not open for further replies.
  1. Hey,
    I'm one of the people hit by the delightful Sirefef virus and my computer is now in the 1 minute reboot cycle. Any help would be really appreciated. I'm using Windows 7 and MSE.

    I'm quite n00b with this stuff, but read enough about the problem to run Farbar. Here are the logs:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) (x86) Version: 05-09-2012
    Ran by SYSTEM at 07-09-2012 19:05:38
    Running from H:\
    Windows 7 Home Premium (X86) OS Language: 040B
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [Skytel] Skytel.exe [x]
    HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [111936 2008-09-03] (Apple Inc.)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM\...\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe" [147456 2007-11-20] (Razer USA Ltd.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [SteelSeries World of Warcraft(R) MMO Gaming Mouse Legendary Edition] "C:\Program Files\SteelSeries\World of Warcraft(R) MMO Gaming Mouse Legendary Edition\WoWMHID4.exe" [1945600 2011-10-03] ()
    HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-29] ()
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-31] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Miika Huttunen\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [144384 2010-11-20] (Microsoft Corporation)
    HKU\Miika Huttunen\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-06-29] (Google Inc.)
    HKU\Miika Huttunen\...\Run: [{56648676-72F0-2F72-FD54-802FED267567}] "C:\Users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe" [212992 2012-07-05] (Four Hundred paper)
    HKU\Miika Huttunen\...\Run: [C3] [x]
    HKU\UpdatusUser\...\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade [x]
    HKU\UpdatusUser\...\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
    ==================== Services ================================
    3 Creative ALchemy AL6 Licensing Service; "C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe" [79360 2010-12-16] (Creative Labs)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2010-06-29] ()
    2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189248 2010-06-29] ()
    3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
    ==================== Drivers =================================
    1 AsIO; C:\Windows\System32\drivers\AsIO.sys [12664 2006-10-18] ()
    2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [83872 2012-07-03] ()
    3 bfturboh; C:\Windows\System32\drivers\bfturboh.sys [17280 2008-07-22] (BUFFALO INC.)
    3 busenum; C:\Windows\System32\DRIVERS\SteelBus.sys [83840 2010-08-28] (SteelSeries Corporation)
    3 DynamicEDController; \??\C:\Windows\system32\drivers\TSSFSFD.SYS [52224 2006-11-30] (TSS - www.trinity-ss.com)
    3 ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [21664 2004-10-25] (EnTech Taiwan)
    2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25888 2012-07-03] ()
    3 LycoFltr; C:\Windows\System32\Drivers\Lycosa.sys [16128 2008-01-18] (Razer USA Ltd.)
    3 Mo3Fltr; C:\Windows\System32\drivers\Mo3Fltr.sys [11136 2008-04-15] ()
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    1 MpKsl83391dc8; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\MpKsl83391dc8.sys [29904 2012-09-07] (Microsoft Corporation)
    3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [7680 2006-10-18] ()
    3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham.sys [31488 2010-09-08] (SteelSeries Corporation)
    3 SSMO4Filter; C:\Windows\System32\drivers\MO4Driver.sys [16896 2011-07-26] (Sagatek Co. Ltd.)
    2 TSSFLT; C:\Windows\System32\DRIVERS\tssflt.sys [52224 2006-11-30] (TSS - www.trinity-ss.com)
    3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [315392 2009-09-28] ()
    3 CTMOV2; \??\D:\TTST\RJ096390\CTMOV.SYS [x]
    ==================== NetSvcs (Whitelisted) =================

    ============ One Month Created Files and Folders ==============
    2012-09-07 18:31 - 2012-09-07 18:32 - 00000000 ____D C:\FRST
    2012-09-06 18:36 - 2012-09-06 18:37 - 00140248 ____A C:\Windows\Minidump\090612-29312-01.dmp
    2012-09-06 18:36 - 2012-09-06 18:36 - 193430492 ____A C:\Windows\MEMORY.DMP
    2012-09-06 18:36 - 2012-09-06 18:36 - 00000000 ____D C:\Windows\Minidump
    2012-09-06 17:37 - 2012-09-06 17:37 - 00001853 ____A C:\Windows\WindowsUpdate.log
    2012-09-06 17:37 - 2012-09-06 17:37 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-06 17:36 - 2012-09-06 17:36 - 10299264 ____A (Microsoft Corporation) C:\Users\Miika Huttunen\Desktop\mseinstall.exe
    2012-09-06 16:57 - 2012-09-07 18:01 - 01488860 ____A C:\Windows\setupact.log
    2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-06 15:36 - 2012-09-06 15:36 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{92B76C5F-CC0F-442A-AB7C-FEBCA45C1F0B}
    2012-09-05 17:53 - 2012-09-05 17:53 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{C70A293C-4562-4077-8274-9D8D1D61FD19}
    2012-09-04 17:27 - 2012-09-04 17:27 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{BC4B2672-4CDD-46AA-ABD8-11DBA558DF6B}
    2012-09-03 19:30 - 2012-09-03 19:30 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{A77477A1-C815-408F-8341-1DF2FF58C5FA}
    2012-09-02 23:31 - 2012-09-02 23:31 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{F34AA137-1605-4E1F-80F7-FBBAC3636922}
    2012-09-02 09:51 - 2012-09-02 09:51 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{6498052A-6F50-4960-8B4A-474B64D24E69}
    2012-09-01 09:53 - 2012-09-01 09:53 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{277B7FC0-0CFC-4C05-AC9A-765F6C29B72B}
    2012-08-31 16:51 - 2012-08-31 16:51 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{50E2F717-E410-4C18-8B17-3D1588AE78C8}
    2012-08-30 21:37 - 2012-08-30 21:37 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{305D4370-F530-4D1F-AF7D-EA9D3692924F}
    2012-08-30 09:03 - 2012-08-30 09:03 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{E929B1C4-55C0-4E52-AAF8-F5FAC98FFD2D}
    2012-08-29 17:17 - 2012-08-29 17:17 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{F0DF6D00-FBFB-4DDE-93F9-5479DA73DCB4}
    2012-08-28 18:07 - 2012-08-28 18:07 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{B3576A8D-A775-4C3B-B4AD-195A28BA96A9}
    2012-08-27 17:46 - 2012-08-27 17:46 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{72AA6832-FA0B-4407-AF31-CA54BB65100F}
    2012-08-26 21:05 - 2012-08-26 21:05 - 00000000 ____D C:\Users\Miika Huttunen\Documents\My Curse
    2012-08-26 21:04 - 2012-08-30 17:19 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\Deployment
    2012-08-26 13:04 - 2012-08-26 13:04 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{69AE4896-851A-4B6F-B9E7-D62086F8F310}
    2012-08-25 22:22 - 2012-08-25 22:22 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{851BEC68-ED53-427A-8D7C-935E2FC27D6C}
    2012-08-25 09:14 - 2012-08-25 09:14 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{F23C13CE-A93F-464A-AB80-2D0B87E86787}
    2012-08-24 17:04 - 2012-08-24 17:04 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{98AA78F1-CEAC-4E5E-BD63-21EC63B2817C}
    2012-08-23 18:40 - 2012-08-23 18:40 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{42C89C6A-2CFE-45C8-9DA7-99CE6FE8A592}
    2012-08-22 20:14 - 2012-08-22 20:14 - 150603838 ____A C:\Users\Miika Huttunen\Desktop\dbcjbsk2.zip
    2012-08-22 20:14 - 2012-08-22 20:14 - 00000000 ____D C:\Users\Miika Huttunen\Desktop\dbcjbsk2
    2012-08-22 18:06 - 2012-08-22 18:06 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{89008E8A-2CA1-44AD-80B4-338B5C89586E}
    2012-08-21 16:57 - 2012-08-21 16:57 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{807303E0-A9B9-4ADA-B6BD-86FB2A4F44B4}
    2012-08-20 21:31 - 2012-08-20 21:31 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\Vivox
    2012-08-20 21:21 - 2012-08-20 21:21 - 00001959 ____A C:\Users\Miika Huttunen\Desktop\C3.lnk
    2012-08-20 21:21 - 2012-08-20 21:21 - 00000000 ____D C:\Program Files\Vivox
    2012-08-20 18:28 - 2012-08-20 18:28 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{FC77D3ED-3D61-4D0E-A33C-07CDE5AD820E}
    2012-08-19 09:16 - 2012-08-19 09:16 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{B84B6769-C41E-4BBE-AA54-DD5B9FF6D855}
    2012-08-18 09:09 - 2012-08-18 09:09 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{82A1792E-CC23-4045-A504-9A2F1A5AEB4D}
    2012-08-18 09:09 - 2012-08-18 09:09 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{5116AB71-947C-45B6-8BE2-B0967A449456}
    2012-08-17 17:26 - 2012-08-17 17:26 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{FAA81FB5-9FE7-45BE-8D94-6A2B05BA368D}
    2012-08-17 17:26 - 2012-08-17 17:26 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{14B1B6F1-2CA2-429F-9DA9-71A7F9531020}
    2012-08-16 09:04 - 2012-08-16 09:04 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{124EA4A8-9300-4869-BF63-F851EE32F01F}
    2012-08-16 09:03 - 2012-08-16 09:04 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{4697AFAD-23BA-4B6F-960B-F9A88B76900C}
    2012-08-15 14:55 - 2012-08-15 14:55 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{EFE6855D-AAA7-454C-BF6E-D5647A8E1D04}
    2012-08-15 14:55 - 2012-08-15 14:55 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{7A67C5CE-02F4-426B-8D6A-6E3472409116}
    2012-08-14 19:18 - 2012-08-14 21:34 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Roaming\Atappo
    2012-08-14 19:18 - 2012-08-14 19:18 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Roaming\Rybyun
    2012-08-14 18:58 - 2012-08-14 18:58 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{C979CBF4-B506-40EF-AFB1-79DD9E0D6601}
    2012-08-14 18:58 - 2012-08-14 18:58 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{40C096E8-303A-4FB6-A7C5-702C7B6CCB8D}
    2012-08-13 16:57 - 2012-08-13 16:57 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2012-08-13 16:55 - 2012-08-13 16:55 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{B58C9616-D20A-4678-BC4D-B3701D327007}
    2012-08-13 16:55 - 2012-08-13 16:55 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{B4B2864D-9151-42F9-A0C2-E4003BBC23AD}
    2012-08-12 12:23 - 2012-08-12 12:23 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{54C30DF3-53AA-4278-AE79-43B15A5A3872}
    2012-08-12 12:23 - 2012-08-12 12:23 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{484A1DC6-8F70-4F74-911F-2C8CC2411788}
    2012-08-11 21:35 - 2012-08-11 21:35 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{846C10BA-DF1A-454B-B7CD-FCBDFEA4F588}
    2012-08-11 21:35 - 2012-08-11 21:35 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{50A0A0E0-8CE0-462D-AC90-41BF598FF8D0}
    2012-08-11 08:31 - 2012-08-11 08:31 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{D539C5E1-74CB-43BA-AA50-A07BE8F49AC5}
    2012-08-11 08:31 - 2012-08-11 08:31 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{01C8530C-49D7-413F-A9DE-19A9EA03C50C}
    2012-08-10 16:24 - 2012-08-10 16:24 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{E4C89827-4D6C-4F73-8EEE-315AA9D54F86}
    2012-08-10 16:24 - 2012-08-10 16:24 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{7AE0A846-700C-4779-88EF-01D5B8F57886}
    2012-08-08 17:52 - 2012-08-08 17:52 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{68C587F9-A1AA-4D1A-BF3A-ABE4B8B41EE9}
    2012-08-08 17:52 - 2012-08-08 17:52 - 00000000 ____D C:\Users\Miika Huttunen\AppData\Local\{049B8D47-8B1C-4C95-B33B-EF3E569CD8DC}
    ============ 3 Months Modified Files ========================
    2012-09-07 18:02 - 2012-06-29 15:52 - 00001008 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-07 18:02 - 2009-07-14 01:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-09-07 18:01 - 2012-09-06 16:57 - 01488860 ____A C:\Windows\setupact.log
    2012-09-07 18:01 - 2009-07-14 06:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-07 17:25 - 2009-07-14 06:34 - 00015360 _____ C:\Windows\System32\umstartup.etl
    2012-09-06 18:37 - 2012-09-06 18:36 - 00140248 ____A C:\Windows\Minidump\090612-29312-01.dmp
    2012-09-06 18:36 - 2012-09-06 18:36 - 193430492 ____A C:\Windows\MEMORY.DMP
    2012-09-06 17:37 - 2012-09-06 17:37 - 00001853 ____A C:\Windows\WindowsUpdate.log
    2012-09-06 17:37 - 2012-07-03 18:49 - 01334164 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-06 17:37 - 2011-06-17 17:19 - 00001912 ____A C:\Windows\epplauncher.mif
    2012-09-06 17:36 - 2012-09-06 17:36 - 10299264 ____A (Microsoft Corporation) C:\Users\Miika Huttunen\Desktop\mseinstall.exe
    2012-09-06 17:08 - 2012-06-29 15:52 - 00001012 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-06 17:04 - 2012-07-03 17:59 - 00010048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-06 17:04 - 2012-07-03 17:59 - 00010048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-06 15:31 - 2011-01-02 18:54 - 00000969 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-29 18:35 - 2008-08-08 21:45 - 00000770 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
    2012-08-28 18:07 - 2012-07-09 10:05 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-28 18:07 - 2011-05-15 07:52 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-22 20:14 - 2012-08-22 20:14 - 150603838 ____A C:\Users\Miika Huttunen\Desktop\dbcjbsk2.zip
    2012-08-20 21:21 - 2012-08-20 21:21 - 00001959 ____A C:\Users\Miika Huttunen\Desktop\C3.lnk
    2012-08-13 16:57 - 2012-08-13 16:57 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2012-08-12 21:14 - 2008-09-28 14:55 - 00000687 ____A C:\Users\Miika Huttunen\Desktop\lainat.txt
    2012-08-04 15:25 - 2012-08-04 15:25 - 00000000 ____A C:\Windows\startup.INI
    2012-08-04 09:17 - 2012-08-04 09:17 - 00001984 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk
    2012-08-02 18:00 - 2012-08-02 18:00 - 00001631 ____A C:\Users\Miika Huttunen\Desktop\MechWarrior Online.lnk
    2012-07-15 19:24 - 2009-07-14 06:33 - 00285272 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-15 19:06 - 2012-07-04 19:37 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-06 11:21 - 2008-06-07 17:50 - 00062320 ____A C:\Users\Miika Huttunen\AppData\Roaming\GDIPFONTCACHEV1.DAT
    2012-07-04 20:29 - 2009-07-14 04:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-07-04 00:21 - 2012-07-04 00:21 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
    2012-07-04 00:21 - 2012-07-04 00:21 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
    2012-07-04 00:21 - 2012-07-04 00:21 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
    2012-07-04 00:21 - 2012-07-04 00:21 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-07-04 00:21 - 2012-07-04 00:21 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    2012-07-04 00:20 - 2012-07-04 00:20 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
    2012-07-04 00:20 - 2012-07-04 00:20 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
    2012-07-04 00:20 - 2012-07-04 00:20 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
    2012-07-04 00:20 - 2012-07-04 00:20 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-07-04 00:20 - 2012-07-04 00:20 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-07-04 00:20 - 2012-07-04 00:20 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
    2012-07-03 19:44 - 2012-07-03 19:44 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-07-03 19:33 - 2008-08-31 22:19 - 00083872 ____A C:\Windows\System32\Drivers\atksgt.sys
    2012-07-03 19:33 - 2008-08-31 22:19 - 00025888 ____A C:\Windows\System32\Drivers\lirsgt.sys
    2012-07-03 19:17 - 2012-07-03 19:17 - 00001086 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
    2012-07-03 19:15 - 2008-07-09 12:39 - 00001950 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
    2012-07-03 18:57 - 2012-07-03 18:57 - 00062320 ____A C:\Users\Miika Huttunen\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-03 18:55 - 2012-07-03 18:55 - 00000020 ___SH C:\Users\Miika Huttunen\ntuser.ini
    2012-07-03 18:54 - 2009-07-14 06:57 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
    2012-07-03 18:54 - 2009-07-14 06:52 - 00028672 ____A C:\Windows\System32\config\BCD-Template
    2012-07-03 18:54 - 2008-05-29 19:35 - 00008192 _RASH C:\BOOTSECT.BAK
    2012-07-03 18:52 - 2012-07-03 18:52 - 00262144 ____A C:\Windows\System32\config\userdiff
    2012-07-03 18:44 - 2012-07-03 18:44 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
    2012-07-03 18:27 - 2012-07-03 18:27 - 00021460 ____A C:\Windows\System32\emptyregdb.dat
    2012-07-03 17:59 - 2012-07-03 17:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2012-07-03 17:58 - 2012-07-03 17:58 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_MO4Driver_01009.Wdf
    2012-07-03 17:32 - 2006-11-02 14:47 - 00004176 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-03 17:32 - 2006-11-02 14:47 - 00004176 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-03 16:52 - 2012-07-03 16:38 - 00002540 ____A C:\Windows\diagwrn.xml
    2012-07-03 16:52 - 2012-07-03 16:38 - 00001890 ____A C:\Windows\diagerr.xml
    2012-07-03 16:48 - 2008-05-30 17:58 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-07-03 16:02 - 2012-07-03 16:01 - 03536310 ____A (FreeDownloadManager.ORG ) C:\Users\Miika Huttunen\Desktop\fdminst-lite.exe
    2012-06-30 14:13 - 2012-06-30 14:13 - 00000551 ____A C:\Users\Public\Desktop\The Secret World.lnk
    2012-06-12 04:40 - 2012-07-15 19:06 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    ZeroAccess:
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\@
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\L
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\n
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\U
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\U\00000001.@
    ZeroAccess:
    C:\Users\Miika Huttunen\AppData\Local\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}
    C:\Users\Miika Huttunen\AppData\Local\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\@
    C:\Users\Miika Huttunen\AppData\Local\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\L
    C:\Users\Miika Huttunen\AppData\Local\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\U
    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================

    ==================== Memory info ===========================
    Percentage of memory in use: 11%
    Total physical RAM: 4095.12 MB
    Available physical RAM: 3622.61 MB
    Total Pagefile: 4093.39 MB
    Available Pagefile: 3626.91 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1969.62 MB
    ==================== Partitions ============================
    2 Drive c: () (Fixed) (Total:97.66 GB) (Free:11.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive d: () (Fixed) (Total:368.1 GB) (Free:212.08 GB) NTFS
    5 Drive f: (HD-PCU2) (Fixed) (Total:465.65 GB) (Free:70.93 GB) FAT32
    7 Drive h: (USB DISK) (Fixed) (Total:0.93 GB) (Free:0.57 GB) FAT
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Levy tila koko vapaana dyn GPT
    -------- ------------- ------- ----------- --- ---
    Levy 0 Online 465 Gt 0 tavua
    Levy 1 Online 465 Gt 1024 Kt
    Levy 2 Ei tietov„lin 0 tavua 0 tavua
    Levy 3 Online 956 Mt 0 tavua
    Suljetaan DiskPart...

    Last Boot: 2012-08-26 23:12
    ==================== End Of Log =============================
  2. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    And search log:

    Farbar Recovery Scan Tool (x86) Version: 05-09-2012
    Ran by SYSTEM at 2012-09-07 19:11:35
    Running from H:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-14 01:11] - [2009-07-14 03:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    C:\Windows\System32\services.exe
    [2009-07-14 01:11] - [2012-09-07 18:02] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
    === End Of Search ===
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  4. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Thanks for the reply. I did as you said, but nothing changed. Still getting the 1 min shutdown. Did I do something wrong?

    Here's the fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-09-2012
    Ran by SYSTEM at 2012-09-07 21:52:38 Run:2
    Running from H:\
    ==============================================
    Could not find C:\Windows\System32\services.exe.
    Could not find C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.
    ==== End of Fixlog ====
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Download the attached file, please. Save it on your flash drive to replace the current fixlist.txt. Make sure it maintains its current name fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.

    Attached Files:

  6. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Thanks, that did the trick, the 1 min rebooting has stopped. Computer still boots up really slow and is very sluggish to use, especially internet. Here's the log:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-09-2012
    Ran by SYSTEM at 2012-09-08 23:18:33 Run:3
    Running from H:\
    ==============================================
    C:\Windows\Installer\{ba90aa56-8e63-0963-13b5-8a8e7278b06b} moved successfully.
    C:\Users\Miika Huttunen\AppData\Local\{ba90aa56-8e63-0963-13b5-8a8e7278b06b} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We've got more cleaning to do...

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  8. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Okay, did that without problems. Here's the log:

    ComboFix 12-09-09.02 - Miika Huttunen 09.09.2012 13:51:25.1.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.358.1035.18.3327.2383 [GMT 3:00]
    Sijainti: c:\users\Miika Huttunen\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Uusi palautuspiste luotu
    .
    .
    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Windows
    c:\users\Miika Huttunen\AppData\Roaming\.#
    c:\users\Miika Huttunen\AppData\Roaming\.#\MBX@1084@B72930.###
    c:\users\Miika Huttunen\AppData\Roaming\.#\MBX@1084@B72960.###
    c:\users\Miika Huttunen\AppData\Roaming\.#\MBX@1084@B72990.###
    c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    D:\install.exe
    G:\svchost.exe
    .
    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2012-08-09 to 2012-09-09 )))))))))))))))))
    .
    .
    2012-09-09 10:56 . 2012-09-09 10:59 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\temp
    2012-09-09 10:33 . 2012-09-09 10:33 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\MpKsl70ef42a0.sys
    2012-09-09 10:32 . 2012-09-09 10:58 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\offreg.dll
    2012-09-07 16:31 . 2012-09-07 16:32 -------- d-----w- C:\FRST
    2012-09-06 15:38 . 2012-02-09 11:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A03A25E-A125-4CC6-BA46-DD48A3A55358}\gapaengine.dll
    2012-09-06 15:38 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\mpengine.dll
    2012-09-06 15:37 . 2012-09-06 15:37 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-26 19:04 . 2012-08-30 15:19 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Deployment
    2012-08-20 19:31 . 2012-08-20 19:31 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Vivox
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_2.exe
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_1.exe
    2012-08-20 19:21 . 2012-08-20 19:21 -------- d-----w- c:\program files\Vivox
    2012-08-14 17:18 . 2012-08-14 19:34 -------- d-----w- c:\users\Miika Huttunen\AppData\Roaming\Atappo
    2012-08-14 17:18 . 2012-08-14 17:18 -------- d-----w- c:\users\Miika Huttunen\AppData\Roaming\Rybyun
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-28 16:07 . 2012-07-09 08:05 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-28 16:07 . 2011-05-15 05:52 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-04 18:29 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-07-03 22:21 . 2012-07-03 22:21 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-07-03 22:21 . 2012-07-03 22:21 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-07-03 22:21 . 2012-07-03 22:21 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-07-03 22:21 . 2012-07-03 22:21 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-07-03 22:21 . 2012-07-03 22:21 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-07-03 22:21 . 2012-07-03 22:21 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-07-03 22:21 . 2012-07-03 22:21 367104 ----a-w- c:\windows\system32\html.iec
    2012-07-03 22:21 . 2012-07-03 22:21 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-07-03 22:20 . 2012-07-03 22:20 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-07-03 22:20 . 2012-07-03 22:20 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-07-03 22:20 . 2012-07-03 22:20 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-03 22:20 . 2012-07-03 22:20 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-07-03 22:20 . 2012-07-03 22:20 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-07-03 22:20 . 2012-07-03 22:20 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-07-03 22:20 . 2012-07-03 22:20 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-07-03 22:20 . 2012-07-03 22:20 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-07-03 17:33 . 2008-08-31 20:19 83872 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-07-03 17:33 . 2008-08-31 20:19 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-07-03 17:24 . 2011-03-28 15:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-06-12 02:40 . 2012-07-15 17:06 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-08-08 20:23 . 2012-05-14 20:32 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-29 39408]
    "{56648676-72F0-2F72-FD54-802FED267567}"="c:\users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe" [2012-07-05 212992]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
    "Skytel"="Skytel.exe" [2007-08-03 1826816]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "SteelSeries World of Warcraft(R) MMO Gaming Mouse Legendary Edition"="c:\program files\SteelSeries\World of Warcraft(R) MMO Gaming Mouse Legendary Edition\WoWMHID4.exe" [2011-10-03 1945600]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 gupdate;Google-päivityspalvelu (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
    R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [x]
    R3 busenum;SteelBusSvc;c:\windows\system32\DRIVERS\SteelBus.sys [x]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
    R3 CTMOV2;CTMOV2;d:\ttst\RJ096390\CTMOV.SYS [x]
    R3 DynamicEDController;Dynamic ED Controller;c:\windows\system32\drivers\TSSFSFD.SYS [x]
    R3 gupdatem;Google Päivitä-palvelu (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoftin verkon tarkastus;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 SAlphamHid;SteelHIDSvc;c:\windows\system32\DRIVERS\SAlpham.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windowsin aktivointitekniikoiden palvelu;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 MpKsl70ef42a0;MpKsl70ef42a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\MpKsl70ef42a0.sys [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S2 TSSFLT;TriSecurity System - Filter Driver;c:\windows\system32\DRIVERS\tssflt.sys [x]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [x]
    S3 SSMO4Filter;MMO-4 Mouse;c:\windows\system32\drivers\MO4Driver.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
    .
    .
    --- Muut muistissa olevat ajurit/palvelut ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - TSS_FSFILTER
    .
    'Ajoitetut tehtävät'-kansion sisältö
    .
    2012-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Miika Huttunen\AppData\Roaming\Mozilla\Firefox\Profiles\49l7cwkg.default\
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -
    .
    AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe
    .
    .
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Muut prosessit ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\taskhost.exe
    c:\program files\ASUS\AASP\1.00.40\aaCenter.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\conhost.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Razer\Lycosa\razertra.exe
    c:\program files\SteelSeries\World of Warcraft(R) MMO Gaming Mouse Legendary Edition\WoWMTray4.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Valmistumisajankohta: 2012-09-09 14:02:42 - kone käynnistettiin uudelleen
    ComboFix-quarantined-files.txt 2012-09-09 11:02
    .
    Ennen ajoa: 11 592 781 824 tavua vapaana
    Ajon jälkeen: 11 514 077 184 tavua vapaana
    .
    - - End Of File - - D6C3FC9DB548B0C77D5DCEB30A52AA8F
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  10. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Okay, done and done. Here are the logs:

    ComboFix:
    ComboFix 12-09-10.03 - Miika Huttunen 10.09.2012 19:11:25.2.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.358.1035.18.3327.2478 [GMT 3:00]
    Sijainti: G:\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\users\Miika Huttunen\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2012-08-10 to 2012-09-10 )))))))))))))))))
    .
    .
    2012-09-10 16:16 . 2012-09-10 16:16 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-09-10 16:16 . 2012-09-10 16:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-10 16:06 . 2012-09-10 16:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD1EDE3C-69B4-48E3-BCCA-AE793B8706A8}\offreg.dll
    2012-09-10 15:50 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8B66122F-C944-4A57-925F-1ED93F64D514}\mpengine.dll
    2012-09-10 15:41 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD1EDE3C-69B4-48E3-BCCA-AE793B8706A8}\mpengine.dll
    2012-09-09 11:08 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-09 10:56 . 2012-09-10 16:16 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\temp
    2012-09-07 16:31 . 2012-09-07 16:32 -------- d-----w- C:\FRST
    2012-09-06 15:38 . 2012-02-09 11:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A03A25E-A125-4CC6-BA46-DD48A3A55358}\gapaengine.dll
    2012-09-06 15:37 . 2012-09-06 15:37 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-26 19:04 . 2012-08-30 15:19 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Deployment
    2012-08-20 19:31 . 2012-08-20 19:31 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Vivox
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_2.exe
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_1.exe
    2012-08-20 19:21 . 2012-08-20 19:21 -------- d-----w- c:\program files\Vivox
    2012-08-14 17:18 . 2012-08-14 19:34 -------- d-----w- c:\users\Miika Huttunen\AppData\Roaming\Atappo
    2012-08-14 17:18 . 2012-08-14 17:18 -------- d-----w- c:\users\Miika Huttunen\AppData\Roaming\Rybyun
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-28 16:07 . 2012-07-09 08:05 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-28 16:07 . 2011-05-15 05:52 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-04 18:29 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-07-03 22:21 . 2012-07-03 22:21 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-07-03 22:21 . 2012-07-03 22:21 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-07-03 22:21 . 2012-07-03 22:21 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-07-03 22:21 . 2012-07-03 22:21 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-07-03 22:21 . 2012-07-03 22:21 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-07-03 22:21 . 2012-07-03 22:21 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-07-03 22:21 . 2012-07-03 22:21 367104 ----a-w- c:\windows\system32\html.iec
    2012-07-03 22:21 . 2012-07-03 22:21 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-07-03 22:20 . 2012-07-03 22:20 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-07-03 22:20 . 2012-07-03 22:20 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-07-03 22:20 . 2012-07-03 22:20 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-03 22:20 . 2012-07-03 22:20 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-07-03 22:20 . 2012-07-03 22:20 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-07-03 22:20 . 2012-07-03 22:20 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-07-03 22:20 . 2012-07-03 22:20 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-07-03 22:20 . 2012-07-03 22:20 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-07-03 17:33 . 2008-08-31 20:19 83872 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-07-03 17:33 . 2008-08-31 20:19 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-07-03 17:24 . 2011-03-28 15:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-08 20:23 . 2012-05-14 20:32 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-29 39408]
    "{56648676-72F0-2F72-FD54-802FED267567}"="c:\users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe" [2012-07-05 212992]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
    "Skytel"="Skytel.exe" [2007-08-03 1826816]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "SteelSeries World of Warcraft(R) MMO Gaming Mouse Legendary Edition"="c:\program files\SteelSeries\World of Warcraft(R) MMO Gaming Mouse Legendary Edition\WoWMHID4.exe" [2011-10-03 1945600]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 gupdate;Google-päivityspalvelu (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
    R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [x]
    R3 busenum;SteelBusSvc;c:\windows\system32\DRIVERS\SteelBus.sys [x]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
    R3 CTMOV2;CTMOV2;d:\ttst\RJ096390\CTMOV.SYS [x]
    R3 DynamicEDController;Dynamic ED Controller;c:\windows\system32\drivers\TSSFSFD.SYS [x]
    R3 gupdatem;Google Päivitä-palvelu (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoftin verkon tarkastus;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 SAlphamHid;SteelHIDSvc;c:\windows\system32\DRIVERS\SAlpham.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windowsin aktivointitekniikoiden palvelu;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 MpKsl70ef42a0;MpKsl70ef42a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23515FBF-24D8-4497-88E1-B26C32A04612}\MpKsl70ef42a0.sys [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S2 TSSFLT;TriSecurity System - Filter Driver;c:\windows\system32\DRIVERS\tssflt.sys [x]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [x]
    S3 SSMO4Filter;MMO-4 Mouse;c:\windows\system32\drivers\MO4Driver.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
    .
    .
    --- Muut muistissa olevat ajurit/palvelut ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - TSS_FSFILTER
    .
    'Ajoitetut tehtävät'-kansion sisältö
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    2012-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Miika Huttunen\AppData\Roaming\Mozilla\Firefox\Profiles\49l7cwkg.default\
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Valmistumisajankohta: 2012-09-10 19:18:40
    ComboFix-quarantined-files.txt 2012-09-10 16:18
    .
    Ennen ajoa: 11 189 567 488 tavua vapaana
    Ajon jälkeen: 11 098 779 648 tavua vapaana
    .
    - - End Of File - - 3AB7B3C054F636CCAD61932DAA39E8EA
  11. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    # AdwCleaner v2.001 - Logfile created 09/10/2012 at 19:21:51
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Miika Huttunen - MIIKAHUTTUNE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Miika Huttunen\Desktop\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Users\Miika Huttunen\AppData\Roaming\Mozilla\Firefox\Profiles\49l7cwkg.default\prefs.js
    [OK] File is clean.
    *************************
    AdwCleaner[R1].txt - [728 octets] - [10/09/2012 19:21:51]
    ########## EOF - C:\AdwCleaner[R1].txt - [787 octets] ##########
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    1. ComboFix re-run
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the box below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
    2. Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Make sure to post these logs for my review:
    • ComboFix log
    • ESET Scan log
    Also, let me know how your computer is running.

    Thanks! :)
  13. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Okay, here are the logs. Computer seems to running smoothly, no sign of previous sluggishness or slow boot up. MSE gives warnings of trojan files in quarantine and I haven't done anything to those.

    ComboFix 12-09-11.02 - Miika Huttunen 11.09.2012 20:10:18.3.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.358.1035.18.3327.2264 [GMT 3:00]
    Sijainti: c:\users\Miika Huttunen\Desktop\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\users\Miika Huttunen\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Uusi palautuspiste luotu
    .
    .
    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Miika Huttunen\AppData\Roaming\Atappo
    c:\users\Miika Huttunen\AppData\Roaming\Atappo\omizsa.kua
    c:\users\Miika Huttunen\AppData\Roaming\Atappo\omizsa.tmp
    c:\users\Miika Huttunen\AppData\Roaming\Rybyun
    c:\users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe
    .
    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2012-08-11 to 2012-09-11 )))))))))))))))))
    .
    .
    2012-09-11 17:16 . 2012-09-11 17:16 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-09-11 17:16 . 2012-09-11 17:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-11 17:16 . 2012-09-11 17:16 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD1EDE3C-69B4-48E3-BCCA-AE793B8706A8}\offreg.dll
    2012-09-11 17:05 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DEAE6194-201D-48E8-9F4D-CA99322FE82B}\mpengine.dll
    2012-09-10 15:50 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-10 15:41 . 2012-08-27 22:50 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD1EDE3C-69B4-48E3-BCCA-AE793B8706A8}\mpengine.dll
    2012-09-09 10:56 . 2012-09-11 17:16 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\temp
    2012-09-07 16:31 . 2012-09-07 16:32 -------- d-----w- C:\FRST
    2012-09-06 15:38 . 2012-02-09 11:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A03A25E-A125-4CC6-BA46-DD48A3A55358}\gapaengine.dll
    2012-09-06 15:37 . 2012-09-06 15:37 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-26 19:04 . 2012-08-30 15:19 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Deployment
    2012-08-20 19:31 . 2012-08-20 19:31 -------- d-----w- c:\users\Miika Huttunen\AppData\Local\Vivox
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_2.exe
    2012-08-20 19:21 . 2012-08-20 19:21 2817592 ----a-r- c:\users\Miika Huttunen\AppData\Roaming\Microsoft\Installer\{445D1DBA-2C75-417B-A40A-10B6BEECA459}\Icon_1.exe
    2012-08-20 19:21 . 2012-08-20 19:21 -------- d-----w- c:\program files\Vivox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-28 16:07 . 2012-07-09 08:05 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-28 16:07 . 2011-05-15 05:52 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-04 18:29 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-07-03 22:21 . 2012-07-03 22:21 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-07-03 22:21 . 2012-07-03 22:21 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-07-03 22:21 . 2012-07-03 22:21 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-07-03 22:21 . 2012-07-03 22:21 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-07-03 22:21 . 2012-07-03 22:21 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-07-03 22:21 . 2012-07-03 22:21 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-07-03 22:21 . 2012-07-03 22:21 367104 ----a-w- c:\windows\system32\html.iec
    2012-07-03 22:21 . 2012-07-03 22:21 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-07-03 22:20 . 2012-07-03 22:20 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-07-03 22:20 . 2012-07-03 22:20 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-07-03 22:20 . 2012-07-03 22:20 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-03 22:20 . 2012-07-03 22:20 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-07-03 22:20 . 2012-07-03 22:20 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-07-03 22:20 . 2012-07-03 22:20 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-07-03 22:20 . 2012-07-03 22:20 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-07-03 22:20 . 2012-07-03 22:20 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-07-03 17:33 . 2008-08-31 20:19 83872 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-07-03 17:33 . 2008-08-31 20:19 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-07-03 17:24 . 2011-03-28 15:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-08 20:23 . 2012-05-14 20:32 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-29 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
    "Skytel"="Skytel.exe" [2007-08-03 1826816]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "SteelSeries World of Warcraft(R) MMO Gaming Mouse Legendary Edition"="c:\program files\SteelSeries\World of Warcraft(R) MMO Gaming Mouse Legendary Edition\WoWMHID4.exe" [2011-10-03 1945600]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 gupdate;Google-päivityspalvelu (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
    R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [x]
    R3 busenum;SteelBusSvc;c:\windows\system32\DRIVERS\SteelBus.sys [x]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
    R3 CTMOV2;CTMOV2;d:\ttst\RJ096390\CTMOV.SYS [x]
    R3 DynamicEDController;Dynamic ED Controller;c:\windows\system32\drivers\TSSFSFD.SYS [x]
    R3 gupdatem;Google Päivitä-palvelu (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoftin verkon tarkastus;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 SAlphamHid;SteelHIDSvc;c:\windows\system32\DRIVERS\SAlpham.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windowsin aktivointitekniikoiden palvelu;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S2 TSSFLT;TriSecurity System - Filter Driver;c:\windows\system32\DRIVERS\tssflt.sys [x]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [x]
    S3 SSMO4Filter;MMO-4 Mouse;c:\windows\system32\drivers\MO4Driver.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
    .
    .
    --- Muut muistissa olevat ajurit/palvelut ---
    .
    *Deregistered* - TSS_FSFILTER
    .
    'Ajoitetut tehtävät'-kansion sisältö
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 13:52]
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Miika Huttunen\AppData\Roaming\Mozilla\Firefox\Profiles\49l7cwkg.default\
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -
    .
    HKCU-Run-{56648676-72F0-2F72-FD54-802FED267567} - c:\users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe
    .
    .
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1870539120-2445770976-2940662545-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Valmistumisajankohta: 2012-09-11 20:18:23
    ComboFix-quarantined-files.txt 2012-09-11 17:18
    .
    Ennen ajoa: 11 047 071 744 tavua vapaana
    Ajon jälkeen: 10 864 652 288 tavua vapaana
    .
    - - End Of File - - AB1B2F6743EC96BDE85EEF0B1987589D
  14. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    ESET Scan Log

    C:\FRST\Quarantine\services.exe Win32/Sirefef.FC trojan deleted - quarantined
    C:\FRST\Quarantine\{ba90aa56-8e63-0963-13b5-8a8e7278b06b}\n Win32/Sirefef.EV trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Users\Miika Huttunen\AppData\Roaming\Rybyun\moubifi.exe.vir Win32/Spy.Zbot.YW trojan cleaned by deleting - quarantined
    Operating memory a variant of Win32/Spy.Zbot.ZR trojan
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  16. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Done. Here's the log:

    Attached Files:

  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  18. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Done. No threats were found. Computer seems to be running normally and without any problems.
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  20. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Done, done, done and done. Although I did use regular CCleaner insteaf of Lite, as I have it installed. Here's the Security Check log:

    Results of screen317's Security Check version 0.99.50
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    CCleaner
    Java(TM) 6 Update 23
    Java 7 Update 7
    Adobe Flash Player 11.4.402.265
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (15.0)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:
    ````````````````````End of Log``````````````````````
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's cool.

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
  22. Kutunluu

    Kutunluu Newcomer, in training Topic Starter

    Updated.

    I read all the stuff and I think I got infected because my Java, Adobe Reader and Flash were way out of date. (I updated two of them before the final scan). Also noticed that I had quite a few older versions of them still installed, removed them now obviously. Learned quite a lot and I think I know how to be more careful in the future.

    Thanks a lot for you help, much appreciated!
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome. :D

    Marked as solved. √
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.