Solved Iexplorer.exe keeps popping up, 6 steps followed. Logs attached

gubbe72

So, I recently noticed in my task manager that iexplorer.exe kept popping up, in 2-4 instances. Weird, since I only use Chrome for browsing.
I tried to shut them down, but they kept popping up.
Looked here for suggestions, and found this thread.

After scanning with avast, I found "win32:unrury-j [drp]" which was put in quarantine.
Did the rest of the steps, and attaching logs here.
(mbam log was clean, so I did not attach that)
 

Attachments: gmer.log (30 KB), DDS.txt (12 KB), Attach.zip (3.2 KB)
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
This doesn't look good.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive0
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Unknown boot code
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

(Thank you for the extremely quick reply, btw)
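The verdicts in the output above (`Unknown boot code` versus `OK (DOS/Win32 Boot code found)`, with the MD5 changing once a sector is rewritten) come from the boot-code bytes at the start of the MBR, while the partition table behind them stays valid, which is why the disks still mount even with foreign boot code. As an added example, not from this thread or from Bootkit Remover, here is a Python checker for a raw 512-byte MBR dump of the kind `remover.exe dump <device> <file>` writes: it validates the sector, parses the partition table, hashes the boot-code region against a baseline from a clean machine, and shows a fix that rewrites only the boot code. The sample bytes, the baseline hash and the "clean" stub are constructed, and hashing exactly the 440-byte boot-code region is this example's assumption, since the page does not say which bytes the real tool hashes.

```python
"""MBR checker for a raw 512-byte master boot record dump.

Added example for this thread; it is not part of Bootkit Remover or the
original posts. The sample MBR bytes, the baseline hash and the "clean"
boot-code stub are all constructed for the demo, and hashing the 440-byte
boot-code region is this example's own choice, not a statement about what
remover.exe hashes.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code, the region a bootkit overwrites
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only (disk signature and table excluded)."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: set) -> dict:
    """Classify a dump as OK / Unknown boot code and collect structural findings."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"dump is {len(mbr)} bytes, expected {MBR_SIZE}")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr) if len(mbr) >= MBR_SIZE else []
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero length")
    md5 = boot_code_md5(mbr)
    status = "OK (boot code matches baseline)" if md5 in known_good else "Unknown boot code"
    return {"md5": md5, "status": status, "partitions": parts, "findings": findings}


def restore_boot_code(mbr: bytes, clean_boot_code: bytes) -> bytes:
    """Rewrite only the boot-code bytes; keep the disk signature and partition table.

    A bootkit 'fix' must work this way so the disk layout stays intact.
    """
    return clean_boot_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_mbr(boot_code: bytes, disk_sig: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here to construct samples)."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + b"\x00\x00"
            + table.ljust(64, b"\x00") + b"\x55\xaa")


# --- constructed sample data (not real disk contents) -----------------------
# Stand-in for the standard boot code: a short stub padded with NOPs.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
# Same layout, but the first bytes of the boot code differ: the pattern seen in
# the thread, partition table intact, boot code unrecognised.
TAMPERED_BOOT_CODE = bytes(b ^ 0xFF for b in CLEAN_BOOT_CODE[:16]) + CLEAN_BOOT_CODE[16:]
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 488_000_000)]
DISK_SIG = b"\x12\x34\x56\x78"

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, DISK_SIG, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, DISK_SIG, PARTITIONS)
BASELINE = {boot_code_md5(CLEAN_MBR)}   # would come from a known-clean machine


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(mbr, BASELINE)
        print(f"{name:9s} MD5: {r['md5']}  {r['status']}  findings={r['findings']}")
    fixed = restore_boot_code(TAMPERED_MBR, CLEAN_BOOT_CODE)
    print("after fix:", check_mbr(fixed, BASELINE)["status"])
```

To run it on a real dump, read the file produced by `remover.exe dump` into bytes and pass it to `check_mbr` with a baseline hash collected from a machine you trust.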
 
Open Notepad
Copy and paste following text into Notepad:
Code:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive1
EXIT
Go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
It actually didn't want to boot up at all now. Had to start with a CD-ROM boot, press Esc, and boot from there.
Anyway, here is the result:


Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Unknown boot code
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
(I'm sorry if this is a double post now, didn't see the last reply)


Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive1
MD5: b19ee33a0168d5f0bb9afbe12e2bc035
\\.\D: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Unknown boot code
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

The computer didn't want to boot this time.
I had to boot from cd, <esc>, and go from there.
 
I didn't ask for rebooting for a reason....

MBR on disk D has been fixed, but not the one on drive C.
Let's retry...

Open Notepad
Copy and paste following text into Notepad:
Code:
@ECHO OFF
REM Rewrite the boot code on the second physical disk (the one mapped to C:)
START remover.exe fix \\.\PhysicalDrive1
EXIT
Go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Yes, sorry about that reboot thing. The program suggested I do it to prevent the culprit from rewriting the code, heh.

Looks good now though.


Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive1
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\D: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\E: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Press any key to quit...
 
Phew.
After the reboot, it seems the new MBR wasn't good after all, so
I had to use the repair tools on the Win 7 dvd.
After some (elsewhere) online searching I found the right way, managed to get the MBR restored, and now when rebooted, the iexplorer-things are gone.

I think you fixed it :)
Thanks a lot!
I'll bookmark this thread though if something connected to it happens.
 
I'm glad your issue has been fixed, but we need to run a couple more scans to make sure your computer is 100% clean.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
All right, it did its thing; here's the log:

ComboFix 10-07-21.02 - Adde 2010-07-22 14:07:17.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.2047.1286 [GMT 2:00]
Körs från: c:\users\Adde\Desktop\ComboFix.exe
* Skapade en ny återställningspunkt
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\settings.reg
c:\windows\system32\%appdata%
c:\windows\system32\msvcsv60.dll

.
(((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))
.

2010-07-22 12:13 . 2010-07-22 12:14 -------- d-----w- c:\users\Adde\AppData\Local\temp
2010-07-21 03:00 . 2010-07-21 03:00 -------- d-----w- c:\windows\system32\wbem\Logs
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\users\Adde\AppData\Roaming\Malwarebytes
2010-07-21 02:57 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\programdata\Malwarebytes
2010-07-21 02:57 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 19:59 . 2010-07-20 20:03 -------- d-----w- c:\program files\a-squared Free
2010-07-11 15:30 . 2010-07-11 15:30 -------- d-----w- c:\users\Adde\AppData\Roaming\XRay Engine
2010-07-04 07:35 . 2010-07-04 07:35 -------- d-----w- c:\program files\AC3Filter
2010-06-30 13:29 . 2010-06-30 13:29 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-06-30 07:13 . 2010-06-30 09:49 -------- d-----w- c:\users\Adde\AppData\Roaming\Xfire
2010-06-30 07:12 . 2010-06-30 07:15 -------- d-----w- c:\programdata\Xfire
2010-06-30 07:12 . 2010-06-30 07:13 -------- d-----w- c:\program files\Xfire
2010-06-29 21:27 . 2010-06-29 21:34 -------- d-----w- c:\users\Adde\AppData\Roaming\dp3d
2010-06-29 15:51 . 2010-07-06 22:38 16 ----a-w- c:\windows\msocreg32.dat
2010-06-29 10:31 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-26 01:01 . 2010-06-26 01:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 02:28 . 2010-06-25 02:28 -------- d-----w- c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
2010-06-23 01:01 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 01:01 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 01:01 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 01:01 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 01:01 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-22 22:44 . 2010-06-22 22:44 -------- d-----w- C:\PFiles
2010-06-22 19:26 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 19:26 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 19:26 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 12:15 . 2010-03-13 20:31 -------- d-----w- c:\users\Adde\AppData\Roaming\uTorrent
2010-07-22 10:51 . 2010-03-15 01:22 -------- d-----w- c:\users\Adde\AppData\Roaming\vlc
2010-07-18 22:47 . 2010-05-10 18:41 -------- d-----w- c:\users\Adde\AppData\Roaming\Skype
2010-07-18 22:47 . 2010-05-10 18:43 -------- d-----w- c:\users\Adde\AppData\Roaming\skypePM
2010-07-07 17:28 . 2010-04-12 08:02 -------- d-----w- c:\users\Adde\AppData\Roaming\dvdcss
2010-06-28 20:57 . 2010-03-13 20:45 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-13 20:46 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-13 20:46 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-13 20:46 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-13 20:46 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-28 20:32 . 2010-03-13 20:46 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 08:40 . 2010-03-14 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 02:28 . 2010-03-13 21:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 22:26 . 2010-03-14 18:09 -------- d-----w- c:\program files\DivX
2010-06-20 14:24 . 2010-06-20 14:24 -------- d-----w- c:\programdata\Steam
2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\programdata\Logitech
2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\program files\Logitech
2010-06-05 00:29 . 2010-06-05 00:29 -------- d-----w- c:\users\Adde\AppData\Roaming\Octoshape
2010-06-04 18:59 . 2010-06-04 18:59 -------- d-----w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information
2010-06-04 18:58 . 2010-06-04 18:59 331776 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\setup.exe
2010-06-04 18:58 . 2010-06-04 18:59 2010726 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\ISSetup.dll
2010-06-04 06:35 . 2010-05-15 11:13 -------- d-----w- c:\program files\uTorrent2
2010-06-04 06:35 . 2010-05-09 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 06:34 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-06-04 06:34 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-06-04 06:34 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll
2010-06-01 20:43 . 2010-03-29 11:07 -------- d-----w- c:\program files\Autodesk
2010-06-01 16:54 . 2010-03-13 20:32 -------- d-----w- c:\program files\uTorrent
2010-05-29 15:29 . 2010-05-29 15:29 -------- d-----w- c:\programdata\SEGA Corporation
2010-05-28 00:04 . 2010-05-28 00:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-27 07:24 . 2010-06-08 18:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-08 18:43 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 23:00 . 2010-05-26 23:00 -------- d-----w- c:\users\Adde\AppData\Roaming\bizarre creations
2010-05-22 23:57 . 2010-03-13 20:34 57560 ----a-w- c:\users\Adde\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-21 12:14 . 2010-02-10 05:47 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-08 18:43 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-10 18:43 . 2010-05-10 18:43 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-06 00:06 . 2010-05-06 00:06 1879 ----a-w- c:\programdata\xml7DD8.tmp
2010-05-06 00:06 . 2010-05-06 00:06 13445 ----a-w- c:\programdata\xml7D1B.tmp
2010-05-06 00:06 . 2010-05-06 00:06 9521 ----a-w- c:\programdata\xml7B36.tmp
2010-05-01 14:49 . 2010-06-08 18:43 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 13:37 . 2010-04-29 13:37 230 ----a-w- c:\windows\ctrunonce.reg
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-06-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"uTorrent"="c:\program files\uTorrent2\uTorrent.exe" [2010-06-04 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
"JulaPAN.exe"="JulaPAN.exe" [2010-03-13 495648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableThumbnails"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 23:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2009-06-03 22:55 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-kort]
2008-12-11 12:14 377856 ----a-w- c:\progra~1\ekort\ekort.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-13 20:34 135664 ----atw- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-09-21 17:40 1681408 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPAN.exe]
2010-03-13 20:39 495648 ----a-w- c:\windows\System32\JulaPAN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent2\uTorrent.exe"
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"Octoshape Streaming Services"="c:\users\Adde\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"P17RunE"=RunDll32 P17RunE.dll,RunDLLEntry
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

R1 Jula.sys;Service for Juli@ Audio Driver EWDM;c:\windows\system32\DRIVERS\Jula.sys [2010-03-13 48160]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-29 79360]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 JulaWDM.sys;Service for Juli@ WDM;c:\windows\system32\DRIVERS\JulaWDM.sys [2010-03-13 35872]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 MADFUMIDISPORT2010;Service for M-Audio MIDISPORT DFU;c:\windows\system32\DRIVERS\MAudioMIDISPORT_DFU.sys [2010-02-03 23304]
R3 MAUSBMIDISPORT;Service for M-Audio MIDISPORT;c:\windows\system32\DRIVERS\MAudioMIDISPORT.sys [2010-02-03 166920]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
R4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-04-15 1872320]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\spel\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-14 691696]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 5430272]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 157184]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Innehållet i mappen 'Schemalagda aktiviteter':

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001Core.job
- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001UA.job
- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]
.
.
------- Extra genomsökning -------
.
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Sluttid: 2010-07-22 14:18:26 - datorn startades om.
ComboFix-quarantined-files.txt 2010-07-22 12:18

Före genomsökningen: 70*421*422*080 bytes free
Efter genomsökningen: 70*369*628*160 bytes free

- - End Of File - - C04BB425ECE12E02C4B05E4AF4479611
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
c:\programdata\xml7B36.tmp
c:\programdata\xml7D1B.tmp
c:\programdata\xml7DD8.tmp
c:\windows\system32\ezsidmv.dat


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Here we go:
(Not following here. Were those infected, or viruses, or something?)


ComboFix 10-07-21.02 - Adde 2010-07-23 0:23.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.2047.1374 [GMT 2:00]
Körs från: c:\users\Adde\Desktop\ComboFix.exe
Använda kommandoväxlar :: c:\users\Adde\Desktop\CFScript.txt
* Skapade en ny återställningspunkt

FILE ::
"c:\programdata\xml7B36.tmp"
"c:\programdata\xml7D1B.tmp"
"c:\programdata\xml7DD8.tmp"
"c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP"
"c:\windows\system32\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\xml7B36.tmp
c:\programdata\xml7D1B.tmp
c:\programdata\xml7DD8.tmp
c:\windows\system32\ezsidmv.dat

.
(((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))
.

2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Adde\AppData\Local\temp
2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-22 22:31 . 2010-07-22 22:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-21 03:00 . 2010-07-21 03:00 -------- d-----w- c:\windows\system32\wbem\Logs
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\users\Adde\AppData\Roaming\Malwarebytes
2010-07-21 02:57 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 02:57 . 2010-07-21 02:57 -------- d-----w- c:\programdata\Malwarebytes
2010-07-21 02:57 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 19:59 . 2010-07-20 20:03 -------- d-----w- c:\program files\a-squared Free
2010-07-11 15:30 . 2010-07-11 15:30 -------- d-----w- c:\users\Adde\AppData\Roaming\XRay Engine
2010-07-04 07:35 . 2010-07-04 07:35 -------- d-----w- c:\program files\AC3Filter
2010-06-30 13:29 . 2010-06-30 13:29 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-06-30 07:13 . 2010-06-30 09:49 -------- d-----w- c:\users\Adde\AppData\Roaming\Xfire
2010-06-30 07:12 . 2010-06-30 07:15 -------- d-----w- c:\programdata\Xfire
2010-06-30 07:12 . 2010-06-30 07:13 -------- d-----w- c:\program files\Xfire
2010-06-29 21:27 . 2010-06-29 21:34 -------- d-----w- c:\users\Adde\AppData\Roaming\dp3d
2010-06-29 15:51 . 2010-07-06 22:38 16 ----a-w- c:\windows\msocreg32.dat
2010-06-29 10:31 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-26 01:01 . 2010-06-26 01:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 02:28 . 2010-06-25 02:28 -------- d-----w- c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
2010-06-23 01:01 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 01:01 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 01:01 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 01:01 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 01:01 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-22 22:44 . 2010-06-22 22:44 -------- d-----w- C:\PFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 19:40 . 2010-03-13 20:31 -------- d-----w- c:\users\Adde\AppData\Roaming\uTorrent
2010-07-22 10:51 . 2010-03-15 01:22 -------- d-----w- c:\users\Adde\AppData\Roaming\vlc
2010-07-18 22:47 . 2010-05-10 18:41 -------- d-----w- c:\users\Adde\AppData\Roaming\Skype
2010-07-18 22:47 . 2010-05-10 18:43 -------- d-----w- c:\users\Adde\AppData\Roaming\skypePM
2010-07-07 17:28 . 2010-04-12 08:02 -------- d-----w- c:\users\Adde\AppData\Roaming\dvdcss
2010-06-28 20:57 . 2010-03-13 20:45 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-13 20:46 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-13 20:46 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-13 20:46 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-13 20:46 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-28 20:32 . 2010-03-13 20:46 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 08:40 . 2010-03-14 13:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 02:28 . 2010-03-13 21:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 22:26 . 2010-03-14 18:09 -------- d-----w- c:\program files\DivX
2010-06-20 14:24 . 2010-06-20 14:24 -------- d-----w- c:\programdata\Steam
2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
2010-06-14 23:45 . 2010-06-14 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\programdata\Logitech
2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\program files\Logitech
2010-06-05 00:29 . 2010-06-05 00:29 -------- d-----w- c:\users\Adde\AppData\Roaming\Octoshape
2010-06-04 18:59 . 2010-06-04 18:59 -------- d-----w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information
2010-06-04 18:58 . 2010-06-04 18:59 331776 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\setup.exe
2010-06-04 18:58 . 2010-06-04 18:59 2010726 ----a-w- c:\users\Adde\AppData\Roaming\InstallShield Installation Information\{6530FDAA-5B1F-4830-95BB-650E9804D239}\ISSetup.dll
2010-06-04 06:35 . 2010-05-15 11:13 -------- d-----w- c:\program files\uTorrent2
2010-06-04 06:35 . 2010-05-09 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 06:34 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-06-04 06:34 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-06-04 06:34 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll
2010-06-01 20:43 . 2010-03-29 11:07 -------- d-----w- c:\program files\Autodesk
2010-06-01 16:54 . 2010-03-13 20:32 -------- d-----w- c:\program files\uTorrent
2010-05-29 15:29 . 2010-05-29 15:29 -------- d-----w- c:\programdata\SEGA Corporation
2010-05-28 00:04 . 2010-05-28 00:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-27 07:24 . 2010-06-08 18:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-08 18:43 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 23:00 . 2010-05-26 23:00 -------- d-----w- c:\users\Adde\AppData\Roaming\bizarre creations
2010-05-22 23:57 . 2010-03-13 20:34 57560 ----a-w- c:\users\Adde\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-21 12:14 . 2010-02-10 05:47 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-08 18:43 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14 . 2010-06-22 19:26 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-22 19:26 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49 . 2010-06-08 18:43 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 13:37 . 2010-04-29 13:37 230 ----a-w- c:\windows\ctrunonce.reg
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-06-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"uTorrent"="c:\program files\uTorrent2\uTorrent.exe" [2010-06-04 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
"JulaPAN.exe"="JulaPAN.exe" [2010-03-13 495648]

c:\users\Adde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-22 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableThumbnails"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 23:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2009-06-03 22:55 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-kort]
2008-12-11 12:14 377856 ----a-w- c:\progra~1\ekort\ekort.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-13 20:34 135664 ----atw- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-09-21 17:40 1681408 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPAN.exe]
2010-03-13 20:39 495648 ----a-w- c:\windows\System32\JulaPAN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent2\uTorrent.exe"
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"Octoshape Streaming Services"="c:\users\Adde\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"P17RunE"=RunDll32 P17RunE.dll,RunDLLEntry
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

R1 Jula.sys;Service for Juli@ Audio Driver EWDM;c:\windows\system32\DRIVERS\Jula.sys [2010-03-13 48160]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-29 79360]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 JulaWDM.sys;Service for Juli@ WDM;c:\windows\system32\DRIVERS\JulaWDM.sys [2010-03-13 35872]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 MADFUMIDISPORT2010;Service for M-Audio MIDISPORT DFU;c:\windows\system32\DRIVERS\MAudioMIDISPORT_DFU.sys [2010-02-03 23304]
R3 MAUSBMIDISPORT;Service for M-Audio MIDISPORT;c:\windows\system32\DRIVERS\MAudioMIDISPORT.sys [2010-02-03 166920]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
R4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-04-15 1872320]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\spel\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-14 691696]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 5430272]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 157184]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Innehållet i mappen 'Schemalagda aktiviteter':

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001Core.job
- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2843955662-4099961252-1379313863-1001UA.job
- c:\users\Adde\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-13 20:34]
.
.
------- Extra genomsökning -------
.
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,56,32,64,90,4c,e7,42,bf,45,2c,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Sluttid: 2010-07-23 00:33:05
ComboFix-quarantined-files.txt 2010-07-22 22:33
ComboFix2.txt 2010-07-22 12:18

Före genomsökningen: 72*891*400*192 bytes free
Efter genomsökningen: 72*615*366*656 bytes free

- - End Of File - - 06D9EF0AA9BAF114F662D68BC34CF114
 
Good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

===================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL.txt was huge, and since the forum limit is 20k chars, it would take 4 posts to fit that. I zipped it instead. Hope you don't mind.

Extras.txt:

OTL Extras logfile created on: 2010-07-23 08:18:57 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Adde\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 0000041d | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 73,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 67,72 Gb Free Space | 29,08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 149,04 Gb Total Space | 58,57 Gb Free Space | 39,30% Space Free | Partition Type: NTFS
Drive F: | 2,49 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADDE-PC
Current User Name: Adde
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\Adde\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{009AC76E-1A66-4682-82B7-417E77F3C648}" = Superior Drummer Installer
"{03B0D67B-36C9-C2CD-B63B-7B526138BA52}" = ccc-utility
"{04FC2E4C-0E41-9D39-4E58-1EF29D4EF09D}" = ccc-core-static
"{0949C078-58B4-CAF1-9A63-A4545145806D}" = Catalyst Control Center Graphics Previews Common
"{0E93710D-31E5-477C-8A4B-5032B484BE74}" = Windows Live inloggningsassistenten
"{109945A8-D8D5-48B8-B4A5-195D3F99B56D}" = Logitech GamePanel Software 3.04.143
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{38D9575F-6228-6A54-3A92-D902739B6541}" = Catalyst Control Center InstallProxy
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FAD68D9-1FA1-4871-9ADF-9151D969E943}" = Activision(R)
"{406FB8A4-F539-48A9-809C-F94706F9C9F6}_is1" = S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02]
"{490BF87E-1F75-4453-BF55-9F540543A3CA}" = Steinberg Drum Loop Expansion 01
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}" = Steinberg Cubase 5
"{4D454CF8-12FD-464D-B57B-B46FE27B78BB}" = Steinberg LoopMash Content
"{4D87DC92-C328-46EC-A7B4-9C88129DC696}" = Dead Space™
"{532B917B-8235-4FA5-BE36-643A8BB053A5}" = Steinberg REVerence Content 01
"{54194F60-988C-4D03-B922-C2B00EFDA39A}" = NVIDIA PhysX
"{57314F10-7B0A-4D5B-BB1A-7F606498816F}" = Windows 7 Manager
"{573F1931-08F7-9222-704E-841C391794C5}" = ATI Catalyst Install Manager
"{589A63D3-89E1-4D9B-8DBC-6039BB27289E}" = Activision(R)
"{5A70922D-9365-43CC-ADA9-CB84E4A54E4E}" = Windows Live Essentials
"{5E8B45A0-072C-91F7-BC80-29374194B452}" = Catalyst Control Center Graphics Previews Vista
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6530FDAA-5B1F-4830-95BB-650E9804D239}" = UE3Redist
"{67574624-BF0F-0409-AF6D-19FBD86FF7F7}" = Autodesk 3ds Max 2011 32-bit
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B99E90E-2AC4-4D72-8D88-39030783172B}" = e-kort
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7BA01D2D-E25C-0C2C-5779-7A8E02A4BE7D}" = Catalyst Control Center Core Implementation
"{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}" = 3dsmax ancillary install
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}" = Steinberg HALionOne Studio Drum Set
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{8FF4E834-DCAD-29E7-1EE8-9D817A3FA15B}" = CCC Help English
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BBE7AA1-AFA8-4D76-8FC2-1FDFD9BD3371}" = Windows Live Mail
"{9DEABCB6-B759-4D52-92F8-51B34A2B4D40}" = Autodesk Material Library 2011
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC997F93-0757-4ED4-A701-F40C2D654D09}" = Steinberg HALionOne GM Drum Set
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7F293A4-8666-6410-36F4-E47EB2029CCB}" = AMD Drag and Drop Transcoding
"{BA9632CB-2B93-4FD6-905C-BB325CE1C4DD}" = e-kort
"{BD86F1AC-B594-46E4-85DC-1258AC9E2232}" = Steinberg Groove Agent ONE Content
"{C03A56EE-2715-5F54-69C4-A1CDB7602354}" = Catalyst Control Center Graphics Full New
"{C307DD64-1C69-8C52-D2C9-02D38995A269}" = Catalyst Control Center HydraVision Full
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2096}_is1" = SiSoftware Sandra Engineer XII
"{CF1D7323-8A0A-49C7-83B0-088DB90721E2}" = AmpegSVX
"{D0E565B0-03A0-40D9-A514-000634AA58C6}" = KORG Legacy Collection - DIGITAL EDITION
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}" = Steinberg HALionOne Studio Set
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{D37FE0E3-B1A9-4E41-AB5D-DA62E04D2C42}" = Alpha Protocol
"{D82CDA0D-C182-42C8-8FF2-5649C98D6003}" = Steinberg HALionOne Pro Set
"{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}" = Steinberg HALionOne Expression Set
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3E1398E-8FF2-0154-6D8F-7FC26299EBED}" = Catalyst Control Center Graphics Full Existing
"{E70E7159-93B1-470D-9FBD-D8E9EF34B538}" = Steinberg HALionOne
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EC928237-A3BD-4640-ABD0-E49E758F2315}" = Windows Live Messenger
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F057965A-D974-4C64-ADB1-4381CD4B8956}" = Steinberg HALionOne GM Set
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}" = Steinberg HALionOne Additional Content Set 01
"{FBEF69BB-829C-8D4D-B299-497147916039}" = Catalyst Control Center Graphics Light
"{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Alien Breed: Impact_is1" = Alien Breed: Impact
"a-squared Free_is1" = a-squared Free 4.5
"Autodesk FBX Plug-in 2011.1 - 3ds Max 2011" = Autodesk FBX Plug-in 2011.1 - 3ds Max 2011
"avast5" = avast! Free Antivirus
"Dream Pinball 3D" = Dream Pinball 3D
"FBX Plugin 2006.08 for Max 9.0" = FBX Plugin 2006.08 for Max 9.0
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Plattform för enhetshanterare
"InstallShield_{3FAD68D9-1FA1-4871-9ADF-9151D969E943}" = Singularity(TM)
"InstallShield_{589A63D3-89E1-4D9B-8DBC-6039BB27289E}" = Blur(TM)
"KeyTweak" = KeyTweak - Keyboard Remapper (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"OpenAL" = OpenAL
"Peggle Deluxe" = Peggle Deluxe
"Peggle Nights" = Peggle Nights
"ReValver Mk III_is1" = ReValver Mk III
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TuneUp Utilities" = TuneUp Utilities
"uTorrent" = µTorrent
"WhoCrashed_is1" = WhoCrashed 2.10
"Winamp" = Winamp
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"VLC media player" = VLC media player 1.0.5
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"Google Chrome" = Google Chrome
"InstallShield_{6530FDAA-5B1F-4830-95BB-650E9804D239}" = UE3Redist

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-07-18 23:11:50 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0xd80 Faulting application
start time: 0x01cb26b90389d670 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 5f4ffa50-92e3-11df-904e-001966cf8c12

Error - 2010-07-18 23:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
Description = License Activation Scheduler (sppuinotify.dll) failed with the following
error code: 0x80070005

Error - 2010-07-19 00:08:07 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0x1484 Faulting application
start time: 0x01cb26f0342672a2 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 3bfeaac7-92eb-11df-904e-001966cf8c12

Error - 2010-07-19 00:10:41 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 2010-07-19 00:10:41 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 2010-07-19 00:10:56 | Computer Name = Adde-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 2010-07-19 00:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
Description = License Activation Scheduler (sppuinotify.dll) failed with the following
error code: 0x80070005

Error - 2010-07-19 01:23:17 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x00404735 Faulting process id: 0x14a4 Faulting application
start time: 0x01cb26f8107b6e9f Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: bc50cbfe-92f5-11df-904e-001966cf8c12

Error - 2010-07-19 01:24:52 | Computer Name = Adde-PC | Source = Software Protection Platform Service | ID = 8193
Description = License Activation Scheduler (sppuinotify.dll) failed with the following
error code: 0x80070005

Error - 2010-07-19 01:28:33 | Computer Name = Adde-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x00064735 Faulting process id: 0x15a0 Faulting application
start time: 0x01cb2702913414f3 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 78823029-92f6-11df-904e-001966cf8c12

[ System Events ]
Error - 2010-07-20 17:15:40 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7031
Description = The Power service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Reboot the
machine.

Error - 2010-07-20 17:15:41 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Reboot
the machine) after the unexpected termination of the Power service, but this action
failed with the following error: %%1190

Error - 2010-07-20 17:15:41 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Reboot
the machine) after the unexpected termination of the Plug and Play service, but
this action failed with the following error: %%1190

Error - 2010-07-20 17:26:11 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7031
Description = The a-squared Free Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 2010-07-20 17:26:11 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the a-squared Free Service service,
but this action failed with the following error: %%1058

Error - 2010-07-20 23:29:50 | Computer Name = Adde-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 05:23:51 on 2010-07-21 was unexpected.

Error - 2010-07-20 23:30:05 | Computer Name = Adde-PC | Source = BugCheck | ID = 1001
Description =

Error - 2010-07-21 00:15:31 | Computer Name = Adde-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 06:10:40 on 2010-07-21 was unexpected.

Error - 2010-07-21 06:48:30 | Computer Name = Adde-PC | Source = DCOM | ID = 10001
Description =

Error - 2010-07-21 12:49:52 | Computer Name = Adde-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Jula.sys


< End of report >
 

Attachments

  • OTL.zip (16 KB)
Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Adde\AppData\Local\Temp\catchme.sys -- (catchme)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010-07-23 08:14:02 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010-06-25 04:28:29 | 000,000,000 | ---D | C] -- C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
    [2010-05-30 07:04:27 | 000,000,000 | ---D | C] -- C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Java updated.

"run fix" log:

All processes killed
Error: Unable to interpret <Code:> in the current context!
========== OTL ==========
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\Users\Adde\AppData\Local\Temp\catchme.sys not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Starting removal of ActiveX control {F6ACF75C-C32C-447B-9BEF-46B766368D29}
C:\Windows\Downloaded Program Files\CTPID.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ACF75C-C32C-447B-9BEF-46B766368D29}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\ComboFix folder moved successfully.
C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP folder moved successfully.
C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Adde
->Temp folder emptied: 2266141 bytes
->Temporary Internet Files folder emptied: 7691346 bytes
->Java cache emptied: 1554114 bytes
->Google Chrome cache emptied: 423299875 bytes
->Flash cache emptied: 7803 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 557056 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11596 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 415,00 mb


[EMPTYFLASH]

User: Adde
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0,00 mb
 

Attachments

  • OTL.Txt (105 KB)
Good :)

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Objects scanned: 117788

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Awesome :)
Thanks a bunch!

You lost me halfway through. Were there lots of infected files?
Any clue what caused it, so I know what not to do again?
 
Great!
Your main infection was a rootkit.
Where did it come from? I have no idea and nobody will ever know for sure.
Below, you'll find some hints on how to avoid infections in the future.

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
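The System Restore reset in steps 1 to 3 above can also be done from an elevated PowerShell prompt on Windows 7 or later, which is handy when you are cleaning several machines or want a record of what was discarded. The script below is an added example and is not part of the original thread or any of the tools used in it; the drive letter C: is an assumption, and it does not perform the reboot the post asks for between turning System Restore off and on, so reboot afterwards if you want to follow the procedure exactly.

```powershell
# Added example (not from the original thread): reset System Restore so that no
# pre-cleanup restore point can bring the infected state back, then create a
# fresh baseline and list recent updates. Assumes the protected drive is C:.
$Drive  = "C:\"
$Volume = $Drive.TrimEnd('\')   # vssadmin wants "C:" rather than "C:\"

# System Restore changes need administrative rights; fail early if we lack them.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell prompt."
}

# 1. Record what is about to be discarded. Any of these points could carry the
#    infected MBR and registry state back if someone restores to it later.
Write-Host "Restore points before reset:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 2. Turn System Protection off for the drive (this drops its restore points),
#    then delete any remaining shadow copies explicitly so nothing old survives.
Disable-ComputerRestore -Drive $Drive
vssadmin delete shadows "/for=$Volume" /all /quiet | Out-Null

# 3. Turn it back on and create a clean baseline point.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description "Clean baseline after malware removal" -RestorePointType MODIFY_SETTINGS

Write-Host "Restore points after reset:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 4. Step 4 of the post: show the most recently installed updates so you can
#    judge whether the machine is current before relying on it again.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn, Description
```

Two caveats a practitioner should know: Checkpoint-Computer is Windows-only and, from Windows 8 onward, silently skips creating a point if one was already created in the previous 24 hours unless the SystemRestorePointCreationFrequency registry value is changed, so check the "after" listing rather than assuming the point exists; and deleting shadow copies also removes Previous Versions of files on that volume, which is exactly what you want after a rootkit infection but worth saying out loud before running it on someone else's machine.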
 