Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google redirect, TDSSkiller not working

  • This topic is locked This topic is locked
43 replies to this topic

#1 Matt3s


  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 06 January 2012 - 06:22 AM

Hi there.
First of all, thanks for your time and effort you're about to put into my problem.

Some days ago i (the hell knows how) got myself a win7 2012 security virus.
Had been able to "fix" it on my own for as far as my pc working again like it should goes.
All my file had been made invisible after that, also got around that by unhide and so on.

After that i eventually discovered that my firewall had been disabled, and with some registry-shenanigans even that problem seemed to be solved (at least the firewall is active and working again).

Still, for the past days my googlesearches have been redirected from time to time to other sites and I've run out of possibilities to encounter this problem and think its time someone who knows his stuff takes a look at it.

A little bit of information besides this.
- I read a little about rootkits and such and saw some mentioning of tdsskiller. I've downloaded it already, but its not starting at all.
- Same for ComboFix. I already downloaded it, but have been hesitent to use it because of all the "don't you use it unless a professionel tells you to".
- right now i have no way of reinstalling win7 due to only having it because of a student-programm while still at the university (which i am no longer)

well lets get down to it.

I've run dds and gmer.
Unfortunately gmer does not seemed to work like its supposed to, due to me being unable to check lots of the marks as suggested in the tutorial guide. (looking like this -> http://imgur.com/qu4TL )

As for the other logs:


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by Mattes at 11:37:03 on 2012-01-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.8187.5702 [GMT 1:00]
AV: Lavasoft Ad-Watch Live! Virenschutz *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\ICQ7.5\ICQ.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesApp64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~3\MICROS~3\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~3\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [ICQ] "C:\Program Files (x86)\ICQ7.5\ICQ.exe" silent loginmode=4
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
StartupFolder: C:\PROGRA~4\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~4\MICROS~1\Windows\STARTM~1\Programs\Startup\UltraMon.lnk - C:\Windows\Installer\{537056B7-32A4-4408-9B54-0341963C7C9C}\IcoUltraMon.ico
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~3\MICROS~3\Office14\EXCEL.EXE/3000
IE: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: Se&nd to OneNote - C:\PROGRA~3\MICROS~3\Office14\ONBttnIE.dll/105
IE: {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files (x86)\ICQ7.5\ICQ.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\Mattes\Desktop\PartyPoker.lnk
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer =
TCP: Interfaces\{2D0134BF-F408-4639-B756-FB853706B9D2} : DhcpNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~3\MICROS~3\Office14\GROOVEEX.DLL
IFEO: AcroRd32.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO: core temp.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO: excel.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO: groove.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO: infopath.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
IE-X64: {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files (x86)\ICQ7.5\ICQ.exe
IE-X64: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\Mattes\Desktop\PartyPoker.lnk
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
IFEO-X64: AcroRd32.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO-X64: core temp.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO-X64: excel.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO-X64: groove.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
IFEO-X64: infopath.exe - "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"
Note: multiple IFEO entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Mattes\AppData\Roaming\Mozilla\Firefox\Profiles\0s155nvb.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - hxxp://www.teamliquid.net/
FF - component: C:\Users\Mattes\AppData\Roaming\Mozilla\Firefox\Profiles\0s155nvb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\Mattes\AppData\Roaming\Mozilla\Firefox\Profiles\0s155nvb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: C:\PROGRA~3\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~3\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.96.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Spiele\TMC\npdd.dll
FF - plugin: C:\Users\Mattes\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
============= SERVICES / DRIVERS ===============
R1 kl2;kl2;C:\Windows\system32\DRIVERS\kl2.sys --> C:\Windows\system32\DRIVERS\kl2.sys [?]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe [2011-4-24 202296]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe [2011-12-14 2123584]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys [2011-12-12 11856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-1-7 136176]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 gupdatem;Google Update-Dienst (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-1-7 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;\??\C:\Windows\system32\drivers\hitmanpro35.sys --> C:\Windows\system32\drivers\hitmanpro35.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe [2011-4-8 93848]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-3-20 129440]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S4 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-5-20 2253120]
=============== Created Last 30 ================
2012-01-01 04:23:47 34624 ----a-w- C:\Windows\System32\TURegOpt.exe
2012-01-01 04:23:42 25920 ----a-w- C:\Windows\System32\authuitu.dll
2012-01-01 04:23:42 21312 ----a-w- C:\Windows\SysWow64\authuitu.dll
2012-01-01 04:23:23 -------- d-----w- C:\Program Files (x86)\TuneUp Utilities 2012
2012-01-01 04:22:28 -------- d-sh--w- C:\ProgramData\{32364CEA-7855-4A3C-B674-53D8E9B97936}
2012-01-01 04:02:00 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-01-01 04:02:00 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab
2012-01-01 03:56:50 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-01-01 03:56:50 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-01-01 03:56:50 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-01-01 03:56:10 -------- d-----w- C:\Program Files\iTunes
2012-01-01 03:56:10 -------- d-----w- C:\Program Files\iPod
2011-12-30 16:16:51 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{90E933B1-4060-4933-8C84-1F9C1EF2D830}\mpengine.dll
2011-12-26 11:08:06 -------- d-----w- C:\ProgramData\Realtime Soft
2011-12-26 11:08:06 -------- d-----w- C:\Program Files\UltraMon
2011-12-26 11:08:06 -------- d-----w- C:\Program Files (x86)\Common Files\Realtime Soft
2011-12-15 16:03:18 -------- d-----w- C:\Users\Mattes\AppData\Local\SWTOR
==================== Find3M ====================
2012-01-02 22:39:52 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-02 20:12:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-01-01 02:35:04 25160 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-31 23:28:34 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-31 23:28:34 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-31 11:28:04 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-28 21:24:32 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-10-24 13:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 13:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-10-15 06:31:56 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-10-14 22:54:52 321856 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
============= FINISH: 11:45:01,54 ===============

Well then, thanks again for the time you're about to invest.
Hoping to hear from you in due time.

Attached Files

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 06 January 2012 - 10:03 AM

Hello Matt3s,

Welcome to Bleeping Computer.

  • You don't have any restore point. Is System Restore working? If yes please make a restore point. Please proceed anyway with the second step.
  • We need to dig deeper. Please download Listparts64
    Run the tool, click Scan and post the log (Result.txt) it makes.

#3 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 12:01 PM

Well, f* me. I thought the avg response time was 5 days.

Sorry for the extremely late response.

Here is the (rather short) log.


ListParts by Farbar
Ran by Mattes on 10-01-2012 at 17:59:05
Windows 7 (X64)
Running From: C:\Users\Mattes\Desktop

========================= Memory info ======================

Percentage of memory in use: 31%
Total physical RAM: 8187.49 MB
Available physical RAM: 5574.58 MB
Total Pagefile: 16373.18 MB
Available Pagefile: 13632.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

2 Drive c: (Festplatte) (Fixed) (Total:465.75 GB) (Free:120.84 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
3 Drive d: (SC2-L100-D1) (CDROM) (Total:7.05 GB) (Free:0 GB) UDF
4 Drive e: (MATTES IPOD) (Removable) (Total:27.81 GB) (Free:6.26 GB) FAT32
6 Drive i: (Elements) (Fixed) (Total:698.46 GB) (Free:28.59 GB) FAT32

Datentr„ger ### Status Gr”áe Frei Dyn GPT
--------------- ------------- ------- ------- --- ---
Datentr„ger 0 Online 465 GB 9 MB
Datentr„ger 1 Kein Medium 0 B 0 B
Datentr„ger 2 Online 27 GB 0 B
Datentr„ger 3 Online 698 GB 0 B

Datentr„gerpartitionierung wird beendet...

****** End Of Log ******

#4 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 03:13 PM

The language looks to be a problem.

Please run GMER. GMER has only 3 options available (Service, Registry and Files) for x64 systems.

#5 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 04:03 PM

GMER - http://www.gmer.net
Rootkit scan 2012-01-10 22:01:30
Windows 6.1.7601 Service Pack 1
Running: gmer.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE5 0x75 0x1C 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE5 0x75 0x1C 0xEE ...

---- EOF - GMER 1.0.15 ----

#6 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 04:28 PM

GMER doesn't report any suspicious activity. Only some leftovers of Daemon tool. Have you uninstalled Daemon tool? We can remove those leftovers?

  • Please run the MiniRegTool.
    • Copy and paste the following in the edit box:

    • Check the Delete Keys/Values including locked/null embedded radio button.
    • Press Go button and confirm deleting.
    • Please post the log (Result.txt) to your reply.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

#7 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 04:39 PM


MiniRegTool by Farbar
Ran by Mattes (administrator) on 2012-01-10 22:33:16

HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg not found.
HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg not found.
HKLM\SYSTEM\CurrentControlSet\services\sptd\Enum deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\sptd could not be deleted.
HKLM\SYSTEM\ControlSet002\services\sptd\Cfg deleted successfully.
HKLM\SYSTEM\ControlSet002\services\sptd deleted successfully.


Malwarebytes Anti-Malware

Datenbank Version: v2012.01.06.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Mattes :: MATTES-PC [Administrator]

10.01.2012 22:34:34
mbam-log-2012-01-10 (22-34-34).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 192541
Laufzeit: 1 Minute(n), 41 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)



i'd like to add that still, even if it may look pretty clean, get those googe-redirects.
Not even everytime, just every 3rd or 4th time it redirects to some suspicious site and just by going back one page i mostly manage to get to whatever page i initially wanted.

edit: oh as for daemon tools, yeah, i uninstalled it some weeks ago.

Edited by Matt3s, 10 January 2012 - 04:46 PM.

#8 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 04:52 PM

  • Download aswMBR.exe ( 511KB ) to your desktop.
    • Double click the aswMBR.exe to run it.
    • If it asks to install Avast click "No".
    • Click the "Scan" button.
    • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also the aswMBR.exe makes a file on your desktop named MBR.dat. Right click MBR.dat, select Send To =>Compressed (zipped) folder. Please attach the zipped file to your next reply.
  • Please download MBRCheck by clicking here and save it to your desktop.
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Please post the contents of that file in your next reply.

#9 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 04:53 PM

Please before running the above tools run this one.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • If DeFogger ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

#10 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 05:00 PM

WHELP, saw your 2nd post just now, brb restarting, then trying again with aswMBR.

aswMBR.exe is not working.

Its the same as with the tdsskiller, i try to start it, it seems as if the computer tries to start it,(at least it seems to work on starting something) but then nothing happens.

as for mbrcheck:

MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows 7 Professional
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Gigabyte Technology Co., Ltd.
BIOS Manufacturer: Award Software International, Inc.
System Manufacturer: Gigabyte Technology Co., Ltd.
System Product Name: P55-UD3
Logical Drives Mask: 0x0000013d

Kernel Drivers (total 204):
0x0341F000 \SystemRoot\system32\ntoskrnl.exe
0x03A08000 \SystemRoot\system32\hal.dll
0x00BD4000 \SystemRoot\system32\kdcom.dll
0x00C1A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C69000 \SystemRoot\system32\PSHED.dll
0x00C7D000 \SystemRoot\system32\CLFS.SYS
0x00CDB000 \SystemRoot\system32\CI.dll
0x00E76000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F1A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x01077000 \SystemRoot\System32\Drivers\spwr.sys
0x0119D000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x011A6000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x01000000 \SystemRoot\system32\drivers\ACPI.sys
0x01057000 \SystemRoot\system32\drivers\msisadrv.sys
0x01061000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00F29000 \SystemRoot\system32\drivers\pci.sys
0x011D5000 \SystemRoot\System32\drivers\partmgr.sys
0x011EA000 \SystemRoot\system32\drivers\volmgr.sys
0x00F5C000 \SystemRoot\System32\drivers\volmgrx.sys
0x0106E000 \SystemRoot\system32\drivers\pciide.sys
0x00FB8000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00FC8000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E00000 \SystemRoot\system32\drivers\vmbus.sys
0x00E3C000 \SystemRoot\system32\drivers\winhv.sys
0x00E50000 \SystemRoot\system32\drivers\atapi.sys
0x00D9B000 \SystemRoot\system32\drivers\ataport.SYS
0x00E59000 \SystemRoot\system32\drivers\amdxata.sys
0x012C4000 \SystemRoot\system32\drivers\fltmgr.sys
0x01310000 \SystemRoot\system32\drivers\fileinfo.sys
0x01404000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01324000 \SystemRoot\System32\Drivers\msrpc.sys
0x015A7000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01382000 \SystemRoot\System32\Drivers\cng.sys
0x015C2000 \SystemRoot\System32\drivers\pcw.sys
0x015D3000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0165C000 \SystemRoot\system32\drivers\ndis.sys
0x0174F000 \SystemRoot\system32\drivers\NETIO.SYS
0x017AF000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x018E9000 \SystemRoot\System32\drivers\tcpip.sys
0x01AED000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01B37000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01B47000 \SystemRoot\system32\drivers\volsnap.sys
0x01B93000 \SystemRoot\System32\Drivers\spldr.sys
0x01B9B000 \SystemRoot\System32\drivers\rdyboost.sys
0x01BD5000 \SystemRoot\System32\Drivers\mup.sys
0x01C61000 \SystemRoot\system32\DRIVERS\kl1.sys
0x023C0000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01C00000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01C3A000 \SystemRoot\system32\DRIVERS\disk.sys
0x023C9000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01813000 \SystemRoot\system32\drivers\cdrom.sys
0x0183D000 \SystemRoot\system32\DRIVERS\klif.sys
0x018E0000 \SystemRoot\System32\Drivers\Null.SYS
0x023F9000 \SystemRoot\System32\Drivers\Beep.SYS
0x017DA000 \SystemRoot\System32\drivers\vga.sys
0x01600000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x01625000 \SystemRoot\System32\drivers\watchdog.sys
0x01635000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x0163E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x01647000 \SystemRoot\system32\drivers\rdprefmp.sys
0x01650000 \SystemRoot\System32\Drivers\Msfs.SYS
0x017E8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x015DD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01200000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x017F9000 \SystemRoot\system32\DRIVERS\kl2.sys
0x0120D000 \SystemRoot\system32\drivers\afd.sys
0x03618000 \SystemRoot\System32\DRIVERS\netbt.sys
0x0365D000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03666000 \SystemRoot\system32\DRIVERS\pacer.sys
0x0368C000 \SystemRoot\system32\DRIVERS\klim6.sys
0x03695000 \SystemRoot\system32\DRIVERS\netbios.sys
0x036A4000 \SystemRoot\system32\DRIVERS\serial.sys
0x036C1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x036DC000 \SystemRoot\system32\drivers\termdd.sys
0x036F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03741000 \SystemRoot\system32\drivers\nsiproxy.sys
0x0374D000 \SystemRoot\system32\drivers\mssmbios.sys
0x03758000 \SystemRoot\System32\drivers\discache.sys
0x03767000 \SystemRoot\system32\drivers\csc.sys
0x01296000 \SystemRoot\System32\Drivers\dfsc.sys
0x037EA000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x00DC5000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03600000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0FA9D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10714000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x04CC6000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04DBA000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04C00000 \SystemRoot\system32\drivers\HDAudBus.sys
0x04C24000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x04C31000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x04C87000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x10719000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x04C98000 \SystemRoot\system32\DRIVERS\fdc.sys
0x04CA5000 \SystemRoot\system32\DRIVERS\serenum.sys
0x1074B000 \SystemRoot\system32\DRIVERS\parport.sys
0x04CB1000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x10768000 \SystemRoot\system32\drivers\CompositeBus.sys
0x10778000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x1078E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x107B2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x107BE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0FA00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0FA1B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0FA3C000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0FA56000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x0FA61000 \SystemRoot\system32\drivers\kbdclass.sys
0x0FA70000 \SystemRoot\system32\drivers\mouclass.sys
0x04CBE000 \SystemRoot\system32\drivers\swenum.sys
0x04E65000 \SystemRoot\system32\drivers\ks.sys
0x04EA8000 \SystemRoot\system32\drivers\umbus.sys
0x04EBA000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04F14000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x04F1F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04F34000 \SystemRoot\system32\drivers\nvhda64v.sys
0x04F61000 \SystemRoot\system32\drivers\portcls.sys
0x04F9E000 \SystemRoot\system32\drivers\drmk.sys
0x04FC0000 \SystemRoot\system32\drivers\ksthunk.sys
0x060A5000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x000C0000 \SystemRoot\System32\win32k.sys
0x062C7000 \SystemRoot\System32\drivers\Dxapi.sys
0x062D3000 \SystemRoot\system32\DRIVERS\monitor.sys
0x062E1000 \SystemRoot\system32\DRIVERS\udfs.sys
0x00510000 \SystemRoot\System32\TSDDD.dll
0x00780000 \SystemRoot\System32\cdd.dll
0x06336000 \SystemRoot\System32\Drivers\LUsbFilt.Sys
0x06346000 \SystemRoot\system32\drivers\hidusb.sys
0x06354000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x0636D000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x06376000 \SystemRoot\system32\drivers\USBD.SYS
0x06378000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x06393000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x063A6000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x063B3000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0x063C7000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0x063D1000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06000000 \SystemRoot\system32\drivers\kbdhid.sys
0x00810000 \SystemRoot\System32\ATMFD.DLL
0x0600E000 \SystemRoot\system32\drivers\luafv.sys
0x06031000 \SystemRoot\system32\drivers\WudfPf.sys
0x06052000 \SystemRoot\System32\Drivers\crashdmp.sys
0x06060000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x0606C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x06075000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x06088000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04FC6000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x078DE000 \SystemRoot\system32\drivers\HTTP.sys
0x079A7000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x079D8000 \SystemRoot\system32\DRIVERS\bowser.sys
0x07800000 \SystemRoot\System32\drivers\mpsdrv.sys
0x07818000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07845000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07893000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07C85000 \SystemRoot\System32\DRIVERS\srv2.sys
0x07CEE000 \SystemRoot\System32\DRIVERS\srv.sys
0x07D86000 \SystemRoot\system32\DRIVERS\atksgt.sys
0x07DD5000 \SystemRoot\system32\DRIVERS\lirsgt.sys
0x08A26000 \SystemRoot\system32\drivers\peauth.sys
0x08ACC000 \SystemRoot\System32\Drivers\secdrv.SYS
0x08AD7000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08AE9000 \??\C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys
0x08AF2000 \??\C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys
0x08B00000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x08B31000 \SystemRoot\System32\Drivers\fastfat.SYS
0x08BD8000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x779E0000 \Windows\System32\ntdll.dll
0x47AA0000 \Windows\System32\smss.exe
0xFFD00000 \Windows\System32\apisetschema.dll
0xFF860000 \Windows\System32\autochk.exe
0x77BB0000 \Windows\System32\normaliz.dll
0xFFC70000 \Windows\System32\shlwapi.dll
0xFFB90000 \Windows\System32\advapi32.dll
0xFFAB0000 \Windows\System32\oleaut32.dll
0xFFA10000 \Windows\System32\comdlg32.dll
0xFF9A0000 \Windows\System32\gdi32.dll
0xFF890000 \Windows\System32\msctf.dll
0xFF880000 \Windows\System32\lpk.dll
0x77BA0000 \Windows\System32\psapi.dll
0x778C0000 \Windows\System32\kernel32.dll
0xFF7E0000 \Windows\System32\msvcrt.dll
0xFF780000 \Windows\System32\Wldap32.dll
0xFF730000 \Windows\System32\ws2_32.dll
0xFF690000 \Windows\System32\clbcatq.dll
0xFF680000 \Windows\System32\nsi.dll
0xFE8F0000 \Windows\System32\shell32.dll
0xFE8C0000 \Windows\System32\imm32.dll
0xFE840000 \Windows\System32\difxapi.dll
0xFE6C0000 \Windows\System32\urlmon.dll
0xFE590000 \Windows\System32\rpcrt4.dll
0x777C0000 \Windows\System32\user32.dll
0xFE330000 \Windows\System32\iertutil.dll
0xFE200000 \Windows\System32\wininet.dll
0xFE1E0000 \Windows\System32\imagehlp.dll
0xFE000000 \Windows\System32\setupapi.dll
0xFDFE0000 \Windows\System32\sechost.dll
0xFDF10000 \Windows\System32\usp10.dll
0xFDD00000 \Windows\System32\ole32.dll
0xFDB90000 \Windows\System32\crypt32.dll
0xFDB70000 \Windows\System32\devobj.dll
0xFDAD0000 \Windows\System32\comctl32.dll
0xFDA60000 \Windows\System32\KernelBase.dll
0xFDA20000 \Windows\System32\wintrust.dll
0xFD9E0000 \Windows\System32\cfgmgr32.dll
0xFD9D0000 \Windows\System32\msasn1.dll
0x757D0000 \Windows\SysWOW64\normaliz.dll

Processes (total 65):
0 System Idle Process
4 System
400 C:\Windows\System32\smss.exe
552 csrss.exe
612 C:\Windows\System32\wininit.exe
636 csrss.exe
712 C:\Windows\System32\winlogon.exe
740 C:\Windows\System32\services.exe
748 C:\Windows\System32\lsass.exe
756 C:\Windows\System32\lsm.exe
860 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\nvvsvc.exe
948 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
996 C:\Windows\System32\svchost.exe
448 C:\Windows\System32\atiesrxx.exe
572 C:\Windows\System32\svchost.exe
624 C:\Windows\System32\svchost.exe
244 C:\Windows\System32\svchost.exe
1144 C:\Windows\System32\svchost.exe
1268 C:\Windows\System32\svchost.exe
1392 C:\Windows\System32\atieclxx.exe
1420 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1432 C:\Windows\System32\nvvsvc.exe
1528 C:\Windows\System32\spoolsv.exe
1568 C:\Windows\System32\svchost.exe
1852 C:\Windows\System32\taskhost.exe
1720 C:\Windows\System32\dwm.exe
1744 C:\Windows\explorer.exe
2168 C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
2240 C:\Windows\SysWOW64\PnkBstrA.exe
2268 C:\Windows\System32\svchost.exe
2288 C:\Windows\System32\svchost.exe
2492 C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe
2520 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2660 C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesApp64.exe
2768 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2912 WUDFHost.exe
3008 C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
2220 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
2072 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2756 C:\Windows\System32\svchost.exe
1800 C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
3200 C:\Program Files (x86)\ICQ7.5\ICQ.exe
3412 C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
3520 C:\Program Files\Windows Sidebar\sidebar.exe
3532 C:\Program Files (x86)\uTorrent\uTorrent.exe
3588 C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
3756 C:\Program Files\Rainmeter\Rainmeter.exe
3120 C:\Windows\System32\svchost.exe
1704 C:\Program Files\Windows Media Player\wmpnetwk.exe
3384 C:\Program Files\UltraMon\UltraMon.exe
3584 C:\Program Files\UltraMon\UltraMonTaskbar.exe
4236 C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
5352 dllhost.exe
5964 C:\Program Files\UltraMon\UltraMonUiAcc.exe
4564 C:\Windows\System32\audiodg.exe
5740 C:\Windows\System32\svchost.exe
1608 C:\Program Files\Nightly\firefox.exe
788 C:\Program Files\Nightly\plugin-container.exe
5096 C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
4692 C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
4100 C:\Windows\System32\svchost.exe
3972 C:\Users\Mattes\Desktop\MBRCheck.exe
5648 C:\Windows\System32\conhost.exe
5856 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\I: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGHD502HJ, Rev: 1AJ100E4
PhysicalDrive3 Model Number: WD7500AAV External, Rev: 1.05

Size Device Name MBR Status
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
698 GB \\.\PhysicalDrive3 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Edited by Matt3s, 10 January 2012 - 05:01 PM.

#11 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 05:09 PM

ran Defogger, restarted pc, aswMBR still not working, MBRCheck log above is still what were working with.

#12 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 05:11 PM

Is the Operating System language German?

Please download Attached File  script.txt   99bytes   6 downloads
And Attached File  look.bat   48bytes   4 downloads
Keep both of them in the same directory.
Right-click look.bat and select "Run as administrator".
A log.txt file opens up. Please copy and paste the content to your reply.

#13 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 05:17 PM

Yes, the OS language is german.

Microsoft DiskPart-Version 6.1.7601
Copyright © 1999-2008 Microsoft Corporation.
Auf Computer: MATTES-PC

Die Skriptdatei konnte nicht ge”ffnet oder gelesen werden.
Vergewissern Sie sich, dass die Datei vorhanden ist.


translates to somewhat of: the scriptfile could not be opened or read. Please make sure the file exists.

I have both of them in the same directory.

#14 Farbar


    Just Curious

  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 10 January 2012 - 05:33 PM

If they are in the same directory it should run.

Please delete the look.bat.

Download Attached File  look.bat   51bytes   2 downloads
This time save both on the on the root of the C drive. (Start=> Computer => C:).
Right-click look.bat and select "Run as administrator".
Please post the log it makes.

#15 Matt3s

  • Topic Starter

  • Members
  • 22 posts
  • Local time:11:05 PM

Posted 10 January 2012 - 05:36 PM

Microsoft DiskPart-Version 6.1.7601
Copyright © 1999-2008 Microsoft Corporation.
Auf Computer: MATTES-PC

Datentr„ger 0 ist jetzt der gew„hlte Datentr„ger.

Partition ### Typ GrӇe Offset
------------- ---------------- ------- -------
Partition 1 Prim„r 465 GB 31 KB
Partition 2 Prim„r 10 MB 465 GB

Datentr„ger 2 ist jetzt der gew„hlte Datentr„ger.

Partition ### Typ GrӇe Offset
------------- ---------------- ------- -------
Partition 1 Prim„r 698 GB 31 KB

Datentr„ger 3 ist jetzt der gew„hlte Datentr„ger.

Partition ### Typ GrӇe Offset
------------- ---------------- ------- -------
Partition 1 Prim„r 27 GB 78 MB

Datentr„gerpartitionierung wird beendet...

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users