Solved Sirefef won't go away - please help!

Please Boot to the System Recovery Options
If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

Post new aswMBR log.
 
No, no. It'll reset your MBR (master boot record) and it may help with running Combofix.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-07 23:40:45
-----------------------------
23:40:45.926 OS Version: Windows x64 6.1.7601 Service Pack 1
23:40:45.926 Number of processors: 4 586 0x2A07
23:40:45.926 ComputerName: ÄGAREN-DATOR UserName: Ägaren
23:40:47.049 Initialize success
23:41:15.318 AVAST engine defs: 12060700
23:43:17.653 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-7
23:43:17.669 Disk 0 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953868MB BusType: 3
23:43:17.669 Disk 0 MBR read successfully
23:43:17.669 Disk 0 MBR scan
23:43:17.669 Disk 0 Windows 7 default MBR code
23:43:17.669 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:43:17.684 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 489525 MB offset 206848
23:43:17.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464240 MB offset 1002754048
23:43:17.747 Disk 0 scanning C:\Windows\system32\drivers
23:43:23.316 Service scanning
23:43:35.858 Modules scanning
23:43:35.858 Disk 0 trace - called modules:
23:43:35.858 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
23:43:35.874 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007800060]
23:43:35.874 3 CLASSPNP.SYS[fffff880021c143f] -> nt!IofCallDriver -> [0xfffffa8007557580]
23:43:35.889 5 ACPI.sys[fffff88000ec17a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-7[0xfffffa8007536060]
23:43:38.463 AVAST engine scan C:\Windows
23:43:44.001 AVAST engine scan C:\Windows\system32
23:45:06.900 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
23:45:08.148 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
23:45:51.469 AVAST engine scan C:\Windows\system32\drivers
23:46:04.511 AVAST engine scan C:\Users\Ägaren
23:48:54.598 AVAST engine scan C:\ProgramData
23:50:24.173 Scan finished successfully
23:52:59.940 Disk 0 MBR has been saved successfully to "C:\Users\Ägaren\Desktop\MBR.dat"
23:52:59.940 The log file has been saved successfully to "C:\Users\Ägaren\Desktop\aswMBR.txt"


That was just a quick scan; I can scan C:\ or the entire PC if you want.
 
That's fine.

Let's check one more thing...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    svchost.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 00:29 on 08/06/2012 by Ägaren
Administrator - Elevation successful

========== filefind ==========

Searching for "svchost.exe"
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [17:35 02/06/2012] [13:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\Windows\System32\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

-= EOF =-
 
That looks fine.

Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
DeleteFile: 
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\

Then....

Restart computer and post new aswMBR log.
 
BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_32\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000034
MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_64\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
 
Hey, I got Combofix running. It deleted the desktop.ini things, I think, because Nod32 is 100% working again. However, the viruses in the Installer folder still exist; I guess they are the last. Do you still want the aswMBR log?

Combofix log:
ComboFix 12-06-06.02 - Ägaren 2012-06-08 0:48.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1053.18.8173.6431 [GMT 2:00]
Körs från: c:\users\Ägaren\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\1337181385.bdinstall.bin
c:\programdata\1338149966.bdinstall.bin
c:\users\Chrilles\AppData\Local\TempDIR
c:\windows\apppatch\AppLoc.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
(((((((((((((((((((((((( Filer skapade från 2012-05-07 till 2012-06-07 ))))))))))))))))))))))))))))))
.
.
2012-06-07 22:52 . 2012-06-07 22:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-07 22:52 . 2012-06-07 22:52 -------- d-----w- c:\users\Chrilles\AppData\Local\temp
2012-06-07 18:23 . 2012-06-07 22:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-06-07 16:16 . 2012-06-07 16:16 -------- d-----w- c:\program files\Alex Feinman
2012-06-05 23:50 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4552CAB4-0065-4371-B8ED-5513444AFBD7}\mpengine.dll
2012-06-03 18:42 . 2012-06-03 18:42 -------- d-----w- c:\program files (x86)\ESET
2012-06-03 18:29 . 2012-06-03 18:29 -------- d-----w- C:\_OTL
2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\programdata\Sophos
2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\program files (x86)\Sophos
2012-06-03 12:49 . 2012-06-03 12:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-06-03 08:12 . 2012-06-07 00:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-03 08:12 . 2012-06-03 08:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-06-02 20:17 . 2012-06-02 20:17 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-02 20:17 . 2012-06-02 20:17 460888 ----a-w- c:\windows\system32\drivers\39377219.sys
2012-06-02 17:35 . 2012-06-02 17:35 -------- d-----w- c:\programdata\Malwarebytes
2012-06-02 17:35 . 2012-04-04 13:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 17:35 . 2012-06-02 17:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-02 16:39 . 2012-06-02 16:39 -------- d-----w- c:\programdata\Rockstar Games
2012-06-02 11:28 . 2012-06-02 11:28 -------- d-----w-aren c:\users\GAREN~2
2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\program files (x86)\Rockstar Games
2012-05-28 15:56 . 2012-05-28 15:56 -------- d-sh--w- c:\programdata\DSS
2012-05-26 15:55 . 2012-05-26 22:38 -------- d-----w- c:\program files (x86)\MSI Afterburner
2012-05-26 13:38 . 2012-05-26 13:38 -------- d-----w- c:\program files (x86)\GIGA
2012-05-25 18:17 . 2012-05-25 18:17 -------- d-----w- c:\program files (x86)\FlashGet
2012-05-24 14:58 . 2012-05-24 14:58 -------- d-----w- C:\KISS
2012-05-24 14:20 . 2012-03-09 08:57 23816 ------w- c:\windows\system32\drivers\cpuz135_x64.sys
2012-05-24 14:20 . 2012-05-24 14:20 -------- d-----w- c:\program files\CPUID
2012-05-24 11:42 . 2012-05-24 11:42 -------- d-----w- c:\program files\Speccy
2012-05-23 11:58 . 2012-05-23 11:58 283200 ------w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-05-23 11:58 . 2012-05-23 11:58 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-05-23 11:57 . 2012-05-23 12:00 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-05-22 19:19 . 2012-05-22 19:19 -------- d-----w- c:\windows\Sun
2012-05-22 19:16 . 2012-05-22 19:16 -------- d-----w- c:\program files (x86)\Oracle
2012-05-22 19:15 . 2012-04-04 16:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-22 19:15 . 2012-04-04 16:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-22 19:12 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-05-22 15:04 . 2012-05-22 15:13 -------- d-----w- c:\program files (x86)\NeoDownloader
2012-05-21 19:30 . 2012-05-21 19:30 -------- d-----w- c:\program files (x86)\7-Zip
2012-05-21 19:27 . 2012-05-21 19:27 -------- d-----w- c:\program files (x86)\Notepad++
2012-05-20 14:41 . 2012-05-20 14:41 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2012-05-20 09:53 . 2012-06-01 10:35 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-05-18 19:54 . 2012-06-03 10:47 -------- d-----w- c:\programdata\Electronic Arts
2012-05-18 19:54 . 2012-05-18 19:55 -------- d-----w- c:\program files (x86)\Origin
2012-05-17 21:22 . 2012-05-17 21:34 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-05-17 21:04 . 2012-05-17 21:04 -------- d-----w- c:\programdata\Battle.net
2012-05-17 19:47 . 2012-05-17 21:34 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
2012-05-16 15:19 . 2012-05-16 15:19 -------- d-----w- c:\programdata\BDLogging
2012-05-16 15:18 . 2012-05-27 20:35 -------- d-----w- c:\program files\Bitdefender
2012-05-16 15:16 . 2012-05-27 20:21 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-05-15 20:52 . 2012-05-15 20:52 -------- d-----w- c:\program files (x86)\VideoLAN
2012-05-15 20:50 . 2011-03-02 10:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
2012-05-15 20:50 . 2012-05-15 20:50 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-05-15 20:08 . 2012-05-15 20:08 -------- d-----w- c:\program files (x86)\VPNCheck
2012-05-15 20:00 . 2012-05-15 20:02 -------- d-----w- c:\program files (x86)\OpenVPN
2012-05-15 19:17 . 2012-06-06 00:01 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-15 19:09 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2012-05-15 19:09 . 2009-07-14 01:15 50688 ----a-w- c:\program files (x86)\Internet Explorer\hmmapi.dll
2012-05-15 19:02 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-05-15 18:51 . 2012-06-07 20:57 -------- d-----w- c:\users\UpdatusUser
2012-05-15 18:43 . 2012-05-15 18:42 839112 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-15 18:43 . 2012-05-15 18:42 955848 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-15 18:42 . 2012-05-15 18:42 -------- d-----w- c:\program files\Java
2012-05-15 18:24 . 2003-04-09 03:28 233472 ----a-r- c:\users\Chrilles\AppData\Roaming\MafiaSetup.exe
2012-05-15 18:18 . 2012-05-15 18:18 -------- d-----w- c:\program files\SystemRequirementsLab
2012-05-15 14:56 . 2012-05-15 14:57 -------- d-----w- c:\windows\SysWow64\Adobe
2012-05-15 14:54 . 2012-05-15 20:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-15 14:54 . 2012-05-15 20:42 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\SysWow64\Macromed
2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\system32\Macromed
2012-05-15 14:49 . 2012-05-15 14:49 -------- d-----w- c:\program files (x86)\Microsoft
2012-05-15 14:47 . 2005-05-26 13:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-05-15 14:47 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
2012-05-15 14:09 . 2012-05-15 14:09 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-15 14:07 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-15 14:07 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\SPReview
2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\EventProviders
2012-05-15 13:42 . 2010-11-20 13:27 624128 ----a-w- c:\windows\system32\qedit.dll
2012-05-15 13:41 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-05-15 13:41 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-05-15 13:41 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\SysWow64\Wat
2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\system32\Wat
2012-05-15 12:57 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
2012-05-15 12:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-15 12:48 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-05-15 12:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-15 12:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-15 12:48 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-05-15 12:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-05-15 12:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-05-15 12:44 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
2012-05-15 12:38 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-05-15 12:38 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2012-05-15 12:31 . 2012-05-15 12:31 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-05-15 12:31 . 2012-05-22 19:13 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-05-15 12:31 . 2012-05-22 19:12 -------- d-----w- c:\program files\NVIDIA Corporation
2012-05-15 12:30 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-05-15 12:30 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-05-15 12:30 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-15 12:30 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-05-15 12:30 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-15 12:30 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-15 12:30 . 2010-11-20 11:07 162816 ----a-w- c:\windows\system32\rdpudd.dll
2012-05-15 12:30 . 2010-11-20 11:03 20992 ------w- c:\windows\system32\drivers\rdpvideominiport.sys
2012-05-15 11:41 . 2012-06-02 21:33 -------- d-----w- c:\windows\Panther
2012-05-15 11:18 . 2012-02-23 08:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 11:15 . 2012-05-15 11:15 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2012-05-15 11:14 . 2011-06-10 06:34 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
2012-05-15 11:14 . 2011-06-10 06:34 539240 ------w- c:\windows\system32\drivers\Rt64win7.sys
2012-05-15 11:14 . 2011-06-10 06:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2012-05-15 11:11 . 2005-11-13 21:22 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2012-05-15 11:11 . 2005-11-13 21:22 69715 ------w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2012-05-15 11:11 . 2005-11-13 21:21 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2012-05-15 11:11 . 2005-11-13 21:20 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2012-05-15 11:11 . 2005-11-13 21:19 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2012-05-15 11:11 . 2005-11-13 21:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2012-05-15 11:11 . 2005-11-13 21:16 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2012-05-15 11:11 . 2012-05-12 21:55 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2012-05-15 11:11 . 2012-05-12 21:55 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2012-05-15 11:11 . 2012-05-15 11:11 16896 ----a-w- c:\windows\AsTaskSched.dll
2012-05-15 11:11 . 2012-05-15 11:11 -------- d-----w- c:\program files (x86)\Intel
2012-05-15 11:11 . 2011-04-15 08:00 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2012-05-15 11:10 . 2012-05-15 11:10 -------- d-----w- C:\Intel
2012-05-15 11:10 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 13:55 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-05-15 13:55 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-05-15 10:48 . 2012-02-09 20:43 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
2012-05-15 10:48 . 2012-02-09 20:43 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
2012-05-15 10:48 . 2012-02-09 20:43 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-05-02 00:46 . 2012-05-02 00:46 4472832 ----a-w- c:\windows\SysWow64\GPhotos.scr
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
(((((((((((((((((((((((((((((((((( Startpunkter I registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
R1 1052426drv;1052426drv;c:\windows\system32\DRIVERS\1052426drv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 257696]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-06 113120]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 39377219;39377219;c:\windows\system32\DRIVERS\39377219.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
Innehåll I mappen 'Schemalagda aktiviteter':
.
2012-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 20:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ägaren\AppData\Roaming\Mozilla\Firefox\Profiles\r3cyqdc7.default\
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"=hex:51,66,7a,6c,4c,1d,38,12,68,40,25,
2b,77,e4,db,02,e0,8b,7a,e8,bc,10,3a,e3
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{F156768E-81EF-470C-9057-481BA8380DBA}"=hex:51,66,7a,6c,4c,1d,38,12,e0,75,45,
f5,dd,cf,62,02,ef,41,0b,5b,ad,66,49,ae
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5f,b7,7b,f1,c8,44,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Sluttid: 2012-06-08 00:57:10 - datorn startades om.
ComboFix-quarantined-files.txt 2012-06-07 22:57
.
Före genomsökningen: 374 572 933 120 byte ledigt
Efter genomsökningen: 374 161 375 232 byte ledigt
.
- - End Of File - - 40CEC8475A1ADA1629C0076C9D8CD831
 
WOW! That's a relief :)

Combofix log looks good but we need to check one last thing.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- c:\windows\system32\services.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
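The services.exe discrepancy the helper is chasing is already visible in the ComboFix Sigcheck lines (the WinSxS copy and the live System32 copy carry different MD5s and sizes), and the earlier SystemLook :filefind output for svchost.exe shows what a clean pairing looks like. The following is an added example, not ComboFix, SystemLook or the helper's own code: a small Python parser for both line formats that flags any live System32/SysWOW64 binary whose hash or size differs from its same-architecture component-store copy. The sample lines are the ones quoted in this thread; the System32/amd64_ and SysWOW64/x86_ pairing and the reading of the leading Sigcheck marker are assumptions, and `parse_log` / `find_store_mismatches` are names chosen here.

```python
"""Added example: cross-check live Windows binaries against their WinSxS copies
using the MD5s that ComboFix (Sigcheck section) and SystemLook (:filefind) print.
Not code from either tool; the sample log lines are copied from this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ComboFix Sigcheck line: "[7] 2009-07-14 . <MD5> . <size> . . [<version>] .. <path>"
# (Assumption: the leading bracket is ComboFix's signature marker; it is kept verbatim.)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>.+?)\s*$"
)
# SystemLook :filefind line: "<path> --a---- <size> bytes [created] [modified] <MD5>"
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Assumption: on x64 Windows, System32 is backed by amd64_* component-store folders
# and SysWOW64 by x86_* folders (the WinSxS paths posted in the thread show both).
LIVE_DIRS = {"\\windows\\system32\\": "amd64", "\\windows\\syswow64\\": "x86"}
STORE_RE = re.compile(r"\\windows\\winsxs\\(amd64|x86)_")

# Constructed sample: the Sigcheck and :filefind excerpts posted earlier in this thread.
SAMPLE_LOG = "\n".join([
    r"[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe",
    r"[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe",
    r"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [17:35 02/06/2012] [13:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D",
    r"C:\Windows\System32\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D",
    r"C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866",
    r"C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D",
    r"C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866",
    "-= EOF =-",  # SystemLook trailer; matches neither format and is skipped
])


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str
    marker: str  # Sigcheck marker ("7", "-") or SystemLook attribute string


@dataclass(frozen=True)
class StoreMismatch:
    name: str
    live: FileEntry
    store: FileEntry


def parse_log(text: str) -> list[FileEntry]:
    """Parse both line formats; headers, separators and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line) or FILEFIND_RE.match(line)
        if m:
            d = m.groupdict()  # only the matched pattern's groups are present
            entries.append(FileEntry(d["path"], int(d["size"]), d["md5"].upper(),
                                     d.get("flag") or d.get("attrs") or ""))
    return entries


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _live_arch(path: str) -> str | None:
    """'amd64'/'x86' if the file sits directly in System32/SysWOW64, else None."""
    low = path.lower()
    for live_dir, arch in LIVE_DIRS.items():
        if low.endswith(live_dir + _basename(path)):
            return arch
    return None


def _store_arch(path: str) -> str | None:
    m = STORE_RE.search(path.lower())
    return m.group(1) if m else None


def find_store_mismatches(entries: list[FileEntry]) -> list[StoreMismatch]:
    """Pair each live System32/SysWOW64 file with the same-architecture WinSxS
    copy and report those whose MD5 or size differs (a patched services.exe, say)."""
    store = {(_store_arch(e.path), _basename(e.path)): e
             for e in entries if _store_arch(e.path)}
    mismatches = []
    for e in entries:
        arch = _live_arch(e.path)
        ref = store.get((arch, _basename(e.path))) if arch else None
        if ref and (ref.md5 != e.md5 or ref.size != e.size):
            mismatches.append(StoreMismatch(_basename(e.path), e, ref))
    return mismatches


if __name__ == "__main__":
    for mm in find_store_mismatches(parse_log(SAMPLE_LOG)):
        print(f"{mm.name}: live {mm.live.md5} ({mm.live.size} bytes, marker {mm.live.marker!r})"
              f" != store {mm.store.md5} ({mm.store.size} bytes)")
```

On the thread's data this reports only services.exe (512 bytes larger than its store copy, different MD5), while both svchost.exe copies match; a mismatch is a reason to submit the live file for analysis, not proof of infection on its own, since servicing updates can legitimately replace a file.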
 
Antivirus Result
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Avast -
AVG Patched_c.LXT
BitDefender -
ByteHero -
CAT-QuickHeal -
ClamAV -
Commtouch -
Comodo -
DrWeb -
Emsisoft -
eSafe -
F-Prot -
F-Secure -
Fortinet -
GData -
Ikarus -
Jiangmin -
K7AntiVirus -
Kaspersky -
McAfee ZeroAccess
McAfee-GW-Edition ZeroAccess
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Rising -
Sophos -
SUPERAntiSpyware -
Symantec -
TheHacker -
TotalDefense -
TrendMicro -
TrendMicro-HouseCall -
VBA32 -
VIPRE Trojan.Win32.Generic!BT
ViRobot -
VirusBuster -

But how will I get rid of the viruses inside the C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U folder?
 
I don't think that folder exists anymore.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :folderfind
    {6ccbf812-07b7-4726-bef0-b612a153384e}
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I can access it and Nod32 blocks it every other minute, and what about services.exe? The results say it contains ZeroAccess aka Sirefef, and it's Sirefef that keeps being blocked by Nod32.

SystemLook 30.07.11 by jpshortstuff
Log created at 01:22 on 08/06/2012 by Ägaren
Administrator - Elevation successful

========== folderfind ==========

Searching for "{6ccbf812-07b7-4726-bef0-b612a153384e}"
C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d--hs-- [12:37 15/05/2012]
C:\_OTL\MovedFiles\06032012_202914\C_Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d------ [18:29 03/06/2012]

-= EOF =-
 
Let's see one more thing...

Re-run System Look with this code:

Code:
:dir
C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} /s
 
SystemLook 30.07.11 by jpshortstuff
Log created at 01:28 on 08/06/2012 by Ägaren
Administrator - Elevation successful

========== dir ==========

- Unable to find folder.

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} - Parameters: "/s"

---Files---
@ ---hs-- 2048 bytes [12:37 15/05/2012] [06:41 17/11/2011]

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\L d--hs-- [12:37 15/05/2012]
00000004.@ --a---- 740 bytes [17:51 02/06/2012] [22:39 07/06/2012]

C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U d-ahs-- [12:37 15/05/2012]
00000004.@ --a---- 1536 bytes [17:29 02/06/2012] [20:11 06/06/2012]
000000cb.@ --a---- 1584 bytes [17:29 02/06/2012] [17:29 02/06/2012]
80000032.@ --a---- 93696 bytes [11:43 06/06/2012] [11:43 06/06/2012]

-= EOF =-
 
Very well.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif (animation)

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-06-06.02 - Ägaren 2012-06-08 1:35.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1053.18.8173.6096 [GMT 2:00]
Körs från: c:\users\-garen\Desktop\ComboFix.exe
Kommandoväxlar som använts :: c:\users\-garen\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((( Filer skapade från 2012-05-07 till 2012-06-07 ))))))))))))))))))))))))))))))
.
.
2012-06-07 23:38 . 2012-06-07 23:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-07 23:38 . 2012-06-07 23:38 -------- d-----w- c:\users\Chrilles\AppData\Local\temp
2012-06-07 18:23 . 2012-06-07 22:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-06-07 16:16 . 2012-06-07 16:16 -------- d-----w- c:\program files\Alex Feinman
2012-06-05 23:50 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4552CAB4-0065-4371-B8ED-5513444AFBD7}\mpengine.dll
2012-06-03 18:42 . 2012-06-03 18:42 -------- d-----w- c:\program files (x86)\ESET
2012-06-03 18:29 . 2012-06-03 18:29 -------- d-----w- C:\_OTL
2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\programdata\Sophos
2012-06-03 15:50 . 2012-06-03 15:50 -------- d-----w- c:\program files (x86)\Sophos
2012-06-03 12:49 . 2012-06-03 12:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-06-03 08:12 . 2012-06-07 00:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-03 08:12 . 2012-06-03 08:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-06-02 20:17 . 2012-06-02 20:17 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-02 20:17 . 2012-06-02 20:17 460888 ----a-w- c:\windows\system32\drivers\39377219.sys
2012-06-02 17:35 . 2012-06-02 17:35 -------- d-----w- c:\programdata\Malwarebytes
2012-06-02 17:35 . 2012-04-04 13:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 17:35 . 2012-06-02 17:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-02 16:39 . 2012-06-02 16:39 -------- d-----w- c:\programdata\Rockstar Games
2012-06-02 11:28 . 2012-06-07 22:57 -------- d-----w-aren c:\users\GAREN~2
2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\program files (x86)\Rockstar Games
2012-05-28 15:56 . 2012-05-28 15:56 -------- d-sh--w- c:\programdata\DSS
2012-05-26 15:55 . 2012-05-26 22:38 -------- d-----w- c:\program files (x86)\MSI Afterburner
2012-05-26 13:38 . 2012-05-26 13:38 -------- d-----w- c:\program files (x86)\GIGA
2012-05-25 18:17 . 2012-05-25 18:17 -------- d-----w- c:\program files (x86)\FlashGet
2012-05-24 14:58 . 2012-05-24 14:58 -------- d-----w- C:\KISS
2012-05-24 14:20 . 2012-03-09 08:57 23816 ------w- c:\windows\system32\drivers\cpuz135_x64.sys
2012-05-24 14:20 . 2012-05-24 14:20 -------- d-----w- c:\program files\CPUID
2012-05-24 11:42 . 2012-05-24 11:42 -------- d-----w- c:\program files\Speccy
2012-05-23 11:58 . 2012-05-23 11:58 283200 ------w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-05-23 11:58 . 2012-05-23 11:58 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-05-23 11:57 . 2012-05-23 12:00 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-05-22 19:19 . 2012-05-22 19:19 -------- d-----w- c:\windows\Sun
2012-05-22 19:16 . 2012-05-22 19:16 -------- d-----w- c:\program files (x86)\Oracle
2012-05-22 19:15 . 2012-04-04 16:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-22 19:15 . 2012-04-04 16:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-22 19:12 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-05-22 15:04 . 2012-05-22 15:13 -------- d-----w- c:\program files (x86)\NeoDownloader
2012-05-21 19:30 . 2012-05-21 19:30 -------- d-----w- c:\program files (x86)\7-Zip
2012-05-21 19:27 . 2012-05-21 19:27 -------- d-----w- c:\program files (x86)\Notepad++
2012-05-20 14:41 . 2012-05-20 14:41 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2012-05-20 09:53 . 2012-06-01 10:35 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-05-18 19:54 . 2012-06-03 10:47 -------- d-----w- c:\programdata\Electronic Arts
2012-05-18 19:54 . 2012-05-18 19:55 -------- d-----w- c:\program files (x86)\Origin
2012-05-17 21:22 . 2012-05-17 21:34 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-05-17 21:04 . 2012-05-17 21:04 -------- d-----w- c:\programdata\Battle.net
2012-05-17 19:47 . 2012-05-17 21:34 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
2012-05-16 15:19 . 2012-05-16 15:19 -------- d-----w- c:\programdata\BDLogging
2012-05-16 15:18 . 2012-05-27 20:35 -------- d-----w- c:\program files\Bitdefender
2012-05-16 15:16 . 2012-05-27 20:21 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-05-15 20:52 . 2012-05-15 20:52 -------- d-----w- c:\program files (x86)\VideoLAN
2012-05-15 20:50 . 2011-03-02 10:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
2012-05-15 20:50 . 2012-05-15 20:50 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-05-15 20:08 . 2012-05-15 20:08 -------- d-----w- c:\program files (x86)\VPNCheck
2012-05-15 20:00 . 2012-05-15 20:02 -------- d-----w- c:\program files (x86)\OpenVPN
2012-05-15 19:17 . 2012-06-06 00:01 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-15 19:09 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2012-05-15 19:09 . 2009-07-14 01:15 50688 ----a-w- c:\program files (x86)\Internet Explorer\hmmapi.dll
2012-05-15 19:02 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-05-15 18:51 . 2012-06-07 20:57 -------- d-----w- c:\users\UpdatusUser
2012-05-15 18:43 . 2012-05-15 18:42 839112 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-15 18:43 . 2012-05-15 18:42 955848 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-15 18:42 . 2012-05-15 18:42 -------- d-----w- c:\program files\Java
2012-05-15 18:24 . 2003-04-09 03:28 233472 ----a-r- c:\users\Chrilles\AppData\Roaming\MafiaSetup.exe
2012-05-15 18:18 . 2012-05-15 18:18 -------- d-----w- c:\program files\SystemRequirementsLab
2012-05-15 14:56 . 2012-05-15 14:57 -------- d-----w- c:\windows\SysWow64\Adobe
2012-05-15 14:54 . 2012-05-15 20:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-15 14:54 . 2012-05-15 20:42 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\SysWow64\Macromed
2012-05-15 14:54 . 2012-05-15 14:54 -------- d-----w- c:\windows\system32\Macromed
2012-05-15 14:49 . 2012-05-15 14:49 -------- d-----w- c:\program files (x86)\Microsoft
2012-05-15 14:47 . 2005-05-26 13:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-05-15 14:47 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
2012-05-15 14:09 . 2012-05-15 14:09 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-15 14:07 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-15 14:07 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\SPReview
2012-05-15 13:46 . 2012-05-15 13:46 -------- d-----w- c:\windows\system32\EventProviders
2012-05-15 13:42 . 2010-11-20 13:27 624128 ----a-w- c:\windows\system32\qedit.dll
2012-05-15 13:41 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-05-15 13:41 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-05-15 13:41 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\SysWow64\Wat
2012-05-15 13:24 . 2012-05-15 13:24 -------- d-----w- c:\windows\system32\Wat
2012-05-15 12:57 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
2012-05-15 12:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-15 12:48 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-05-15 12:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-15 12:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-15 12:48 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-05-15 12:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-05-15 12:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-05-15 12:44 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
2012-05-15 12:38 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-05-15 12:38 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2012-05-15 12:31 . 2012-05-15 12:31 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-05-15 12:31 . 2012-05-22 19:13 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-05-15 12:31 . 2012-05-22 19:12 -------- d-----w- c:\program files\NVIDIA Corporation
2012-05-15 12:30 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-05-15 12:30 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-05-15 12:30 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-15 12:30 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-05-15 12:30 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-15 12:30 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-15 12:30 . 2010-11-20 11:07 162816 ----a-w- c:\windows\system32\rdpudd.dll
2012-05-15 12:30 . 2010-11-20 11:03 20992 ------w- c:\windows\system32\drivers\rdpvideominiport.sys
2012-05-15 11:41 . 2012-06-02 21:33 -------- d-----w- c:\windows\Panther
2012-05-15 11:18 . 2012-02-23 08:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 11:15 . 2012-05-15 11:15 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2012-05-15 11:14 . 2011-06-10 06:34 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
2012-05-15 11:14 . 2011-06-10 06:34 539240 ------w- c:\windows\system32\drivers\Rt64win7.sys
2012-05-15 11:14 . 2011-06-10 06:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2012-05-15 11:11 . 2005-11-13 21:22 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2012-05-15 11:11 . 2005-11-13 21:22 69715 ------w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2012-05-15 11:11 . 2005-11-13 21:21 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2012-05-15 11:11 . 2005-11-13 21:20 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2012-05-15 11:11 . 2005-11-13 21:19 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2012-05-15 11:11 . 2005-11-13 21:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2012-05-15 11:11 . 2005-11-13 21:16 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2012-05-15 11:11 . 2012-05-12 21:55 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2012-05-15 11:11 . 2012-05-12 21:55 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2012-05-15 11:11 . 2012-05-15 11:11 16896 ----a-w- c:\windows\AsTaskSched.dll
2012-05-15 11:11 . 2012-05-15 11:11 -------- d-----w- c:\program files (x86)\Intel
2012-05-15 11:11 . 2011-04-15 08:00 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2012-05-15 11:10 . 2012-05-15 11:10 -------- d-----w- C:\Intel
2012-05-15 11:10 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 13:55 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-05-15 13:55 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-05-15 10:48 . 2012-02-09 20:43 1738048 ----a-w- c:\windows\system32\nvdispco64.dll
2012-05-15 10:48 . 2012-02-09 20:43 1468224 ----a-w- c:\windows\system32\nvgenco64.dll
2012-05-15 10:48 . 2012-02-09 20:43 10194752 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-05-02 00:46 . 2012-05-02 00:46 4472832 ----a-w- c:\windows\SysWow64\GPhotos.scr
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-06-07_22.53.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-15 12:27 . 2012-06-07 22:55 32802 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-06-07 22:41 30196 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-07 22:55 30196 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-05-15 10:46 . 2012-06-07 22:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-05-15 10:46 . 2012-06-07 22:51 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-06-03 19:26 . 2012-06-07 22:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-06-03 19:26 . 2012-06-07 22:51 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-07 22:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-07 22:51 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-05-15 11:06 . 2012-06-07 22:55 7128 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3856055600-2435477386-2425398921-1000_UserData.bin
.
(((((((((((((((((((((((((((((((((( Startpunkter I registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
R1 1052426drv;1052426drv;c:\windows\system32\DRIVERS\1052426drv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 257696]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-06 113120]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 39377219;39377219;c:\windows\system32\DRIVERS\39377219.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
Innehåll I mappen 'Schemalagda aktiviteter':
.
2012-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 20:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
TCP: DhcpNameServer = 80.67.0.2 91.213.246.2
FF - ProfilePath - c:\users\Ägaren\AppData\Roaming\Mozilla\Firefox\Profiles\r3cyqdc7.default\
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"=hex:51,66,7a,6c,4c,1d,38,12,68,40,25,
2b,77,e4,db,02,e0,8b,7a,e8,bc,10,3a,e3
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{F156768E-81EF-470C-9057-481BA8380DBA}"=hex:51,66,7a,6c,4c,1d,38,12,e0,75,45,
f5,dd,cf,62,02,ef,41,0b,5b,ad,66,49,ae
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5f,b7,7b,f1,c8,44,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Sluttid: 2012-06-08 01:39:27
ComboFix-quarantined-files.txt 2012-06-07 23:39
ComboFix2.txt 2012-06-07 22:57
.
Före genomsökningen: 372 455 260 160 byte ledigt
Efter genomsökningen: 372 376 178 688 byte ledigt
.
- - End Of File - - 8CBB2CBB244206FC6DA7272A182D9A0F
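The Sigcheck section of the log above lists c:\windows\system32\services.exe as unverified ([-]) with a different MD5 and a 512-byte larger size than the signed copy under winsxs, which is what a patched services.exe looks like in a ComboFix log. As an added example that is not part of this thread, the Python below parses such Sigcheck lines and flags exactly that pattern; the marker meaning ([-] = could not be verified, anything else = verified) is an assumption, and the benign example.dll pair in the sample is constructed to show what is not flagged.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One ComboFix "Sigcheck" line looks like:
# [7] 2009-07-14 . <MD5> . 328704 . . [6.1.7600.16385] .. c:\windows\...\services.exe
SIGCHECK_LINE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per parsable Sigcheck line; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # Assumption: ComboFix marks files whose signature it could not verify
        # with "[-]"; every other marker (e.g. "[7]") is treated as verified here.
        e["verified"] = e["mark"] != "-"
        e["name"] = PureWindowsPath(e["path"]).name.lower()
        entries.append(e)
    return entries


def find_patched_system_files(text):
    """Flag unverified files whose same-named, same-version copy elsewhere on disk
    is verified but has a different MD5 or size (a patched services.exe pattern)."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)
    findings = []
    for name, group in by_name.items():
        suspects = [e for e in group if not e["verified"]]
        references = [e for e in group if e["verified"]]
        for suspect in suspects:
            for ref in references:
                if ref["version"] != suspect["version"]:
                    continue
                if ref["md5"] != suspect["md5"] or ref["size"] != suspect["size"]:
                    findings.append({
                        "name": name,
                        "suspect_path": suspect["path"],
                        "suspect_md5": suspect["md5"],
                        "reference_path": ref["path"],
                        "reference_md5": ref["md5"],
                        "size_delta": suspect["size"] - ref["size"],
                    })
    return findings


# Constructed sample: the two services.exe lines from the log above plus a
# constructed benign pair (identical hash in winsxs and system32) that must not fire.
SAMPLE_LOG = """\
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\\windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\\windows\\system32\\services.exe
[7] 2009-07-14 . DEADBEEFDEADBEEFDEADBEEFDEADBEEF . 4096 . . [6.1.7600.16385] .. c:\\windows\\winsxs\\constructed_component\\example.dll
[7] 2009-07-14 . DEADBEEFDEADBEEFDEADBEEFDEADBEEF . 4096 . . [6.1.7600.16385] .. c:\\windows\\system32\\example.dll
"""

if __name__ == "__main__":
    for f in find_patched_system_files(SAMPLE_LOG):
        print(f"{f['name']}: {f['suspect_path']} md5={f['suspect_md5']} differs from "
              f"verified copy md5={f['reference_md5']} (size delta {f['size_delta']:+d} bytes)")
```

A hit means the live copy should be restored from the verified winsxs copy (or the installation media), not trusted because its version string still matches.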
 
SystemLook 30.07.11 by jpshortstuff
Log created at 01:45 on 08/06/2012 by Ägaren
Administrator - Elevation successful

========== folderfind ==========

Searching for "{6ccbf812-07b7-4726-bef0-b612a153384e}"
C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d--hs-- [12:37 15/05/2012]
C:\_OTL\MovedFiles\06032012_202914\C_Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e} d------ [18:29 03/06/2012]

-= EOF =-
 
Are you sure you ran my script in Combofix, or did you just run Combofix?
If you did run my script please re-run it from Safe Mode.
 
I put the text in notepad saved as CFScript.txt, then moved it to the combofix.exe and it said like open with combofix. Will try in safe mode then.
 
Great, now Combofix won't open again. Ugh.
Is there any other program which can do the same thing as Combofix?
 