
consrv.dll removal


  • This topic is locked
19 replies to this topic

#1 batmanlala
  • Members
  • 10 posts

Posted 04 March 2012 - 09:33 PM

My computer got infected with consrv.dll while I have been putting off installing avast!... not sure it would have stopped it though, because it CAN find it and quarantine/delete it, but it does not seem to stop it. It keeps coming back, every 15-20 minutes (after avast! quarantines it).
I have also tried "Malwarebytes Anti-Malware" which does not do the trick and I was recommended kaspersky which supposedly could get rid of it. It could not - same result as with avast! It keeps coming back.
I have been googling and stuff, but afraid to just pick a solution as there are many different ones and I've read that you should never use a similar solution to a similar problem :) So I post my problem here!
I would have thought there would be some kind of quick-fix for this thing by now though... hope you can help me!

So, as far as I understand I copy-paste the DDS.txt here and attach the Attach.txt ... here goes

-------------------


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Gunni at 3:09:54 on 2012-03-05
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.45.1033.18.8170.5894 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Hotkey\Hotkey.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Gunni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gunni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [GrpConv] grpconv -o
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Hotkey.lnk - C:\Program Files (x86)\Hotkey\Hotkey.exe
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\Microsoft Office\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\Microsoft Office\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4198045C-FC86-48FE-B5A1-23E11D254CBB} : NameServer = 8.8.8.8,193.162.153.164,194.239.134.83
TCP: Interfaces\{5EACF2A8-DEFE-4BAD-AC40-2440F3781E47} : DhcpNameServer = 7.254.254.254
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0} : NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\25F6265627473702E65647121212 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\25F6265627473702E65647121212 : DhcpNameServer = 192.168.43.1
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\359353E6B437A426 : NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\359353E6B437A426 : DhcpNameServer = 193.162.153.164 194.239.134.83
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\454434 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\454434 : DhcpNameServer = 172.24.148.1
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\4554C49414D2237333233313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\45F554C45465 : NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\45F554C45465 : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\943656C616E646 : NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\943656C616E646 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\E4544574541425 : NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\E4544574541425 : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: wemneka - C:\Windows\system32\config\systemprofile\AppData\Local\wemneka.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB-X64: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" /r
mRun-x64: [UpdReg] C:\Windows\UpdReg.EXE
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce-x64: [GrpConv] grpconv -o
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 67.215.245.19 ad-emea.doubleclick.net.
Hosts: 67.215.245.19 www.statcounter.com.
Hosts: 108.163.215.51 www.google-analytics.com.
Hosts: 108.163.215.51 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 02528860;02528860;C:\Windows\system32\DRIVERS\02528860.sys --> C:\Windows\system32\DRIVERS\02528860.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-3-5 44768]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-2-28 2343816]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-4 652360]
R2 PowerBiosServer;PowerBiosServer;C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [2011-1-17 33280]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-8 2656280]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);C:\Windows\system32\DRIVERS\JME.sys --> C:\Windows\system32\DRIVERS\JME.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\system32\DRIVERS\tap0901t.sys --> C:\Windows\system32\DRIVERS\tap0901t.sys [?]
R3 USBPNPA;USB PnP Sound Device Interface;C:\Windows\system32\drivers\CM10864.sys --> C:\Windows\system32\drivers\CM10864.sys [?]
R3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]
RUnknown 7471959drv;7471959drv; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-15 158856]
S3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\system32\DRIVERS\BthAvrcp.sys --> C:\Windows\system32\DRIVERS\BthAvrcp.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudbus.sys --> C:\Windows\system32\DRIVERS\ssudbus.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudmdm.sys --> C:\Windows\system32\DRIVERS\ssudmdm.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2011-12-5 736104]
.
=============== Created Last 30 ================
.
2012-03-05 01:27:35 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-03-05 01:26:58 460888 ----a-w- C:\Windows\System32\drivers\02528860.sys
2012-03-04 23:00:26 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-03-04 23:00:21 817496 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-03-04 23:00:17 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-03-04 23:00:01 41184 ----a-w- C:\Windows\avastSS.scr
2012-03-04 22:54:04 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{608671B2-6DDD-4AF0-81DF-EE1EA3F0FA4C}\mpengine.dll
2012-03-04 22:43:35 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-04 16:37:43 -------- d-----w- C:\ProgramData\AVAST Software
2012-03-04 16:37:43 -------- d-----w- C:\Program Files\AVAST Software
2012-03-04 14:48:58 -------- d-----w- C:\ProgramData\Birdstep Technology
2012-03-04 14:05:47 -------- d-----w- C:\Users\Gunni\AppData\Roaming\Malwarebytes
2012-03-04 14:05:43 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-04 14:05:42 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-04 14:05:42 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-03 14:14:48 -------- d-----w- C:\Program Files (x86)\Black Isle
2012-03-03 14:14:36 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-03-03 14:14:35 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-03-03 14:14:35 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-03-03 14:14:35 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-03-03 14:14:35 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
2012-03-01 13:38:32 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2012-03-01 13:28:40 98816 ----a-w- C:\Windows\sed.exe
2012-03-01 13:28:40 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-01 13:28:40 256000 ----a-w- C:\Windows\PEV.exe
2012-03-01 13:28:40 208896 ----a-w- C:\Windows\MBR.exe
2012-03-01 01:03:55 -------- d-----w- C:\Users\Gunni\AppData\Local\BigHugeEngine
2012-03-01 00:40:50 -------- d-----w- C:\Program Files (x86)\EA Games
2012-02-27 22:55:38 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-02-27 22:55:01 -------- d-----w- C:\Program Files (x86)\BCA1F
2012-02-27 22:54:30 -------- d-----w- C:\Users\Gunni\AppData\Roaming\C85BC
2012-02-27 22:49:24 -------- d-----w- C:\Program Files (x86)\Kalypso
2012-02-27 18:16:58 -------- d-----w- C:\Users\Gunni\AppData\Roaming\RotMG.Production
2012-02-21 12:19:07 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-02-21 12:12:15 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2012-02-15 00:50:55 -------- d-----w- C:\Users\Gunni\AppData\Roaming\ProgSense
2012-02-15 00:03:33 -------- d-----w- C:\Program Files (x86)\Conduit
2012-02-15 00:03:22 -------- d-----w- C:\Users\Gunni\AppData\Local\FLVService
2012-02-08 23:12:14 -------- d-----w- C:\Users\Gunni\.m2
2012-02-08 22:46:22 -------- d-----w- C:\Users\Gunni\.android
2012-02-08 22:41:49 -------- d-----w- C:\Users\Gunni\AppData\Local\Eclipse
2012-02-08 22:41:45 -------- d-----w- C:\Users\Gunni\workspace
2012-02-08 22:41:20 -------- d-----w- C:\eclipse
2012-02-08 22:34:49 -------- d-----w- C:\android-sdk-windows
2012-02-08 18:22:15 -------- d-----w- C:\Users\Gunni\riotsGamesLogs
2012-02-08 18:21:54 -------- d-----w- C:\Users\Gunni\AppData\Roaming\LolClient
2012-02-08 16:44:32 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2012-02-08 16:44:32 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2012-02-08 16:44:27 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2012-02-08 16:42:56 -------- d-----w- C:\Riot Games
2012-02-08 15:48:55 -------- d-----w- C:\Program Files (x86)\Pando Networks
2012-02-07 13:51:09 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2012-02-04 19:36:49 -------- d-----w- C:\Program Files (x86)\MyFree Codec
2012-02-04 19:36:10 -------- d-----w- C:\Users\Gunni\AppData\Roaming\Temp
2012-02-04 19:35:54 -------- d-----w- C:\Temp
.
==================== Find3M ====================
.
2012-03-03 14:04:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-23 11:58:38 164352 ----a-w- C:\Windows\SysWow64\SpoonUninstall.exe
2011-12-14 19:23:12 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-08 04:22:38 98616 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2011-12-08 04:22:38 708168 ----a-w- C:\Windows\System32\WinUSBCoInstaller.dll
2011-12-08 04:22:38 203320 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2011-12-08 04:22:38 1490656 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
.
============= FINISH: 3:10:09,89 ===============

Thanks in advance!

- Gunni
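A small triage script for the "Pseudo HJT Report" section of a DDS log like the one above, added here as an example; it is not part of the original post and not code from the DDS tool. It flags Hosts entries that point a domain anywhere other than loopback (the redirect symptom described in this thread), Winlogon Notify DLLs loaded from an AppData path, and an EnableLUA = 0 policy. The heuristics, regexes and the embedded sample lines are the example's own assumptions.

```python
"""Triage a DDS 'Pseudo HJT Report' section for three indicator classes.

Added example (not DDS or BleepingComputer code). Heuristics are assumptions:
  * Hosts: lines mapping a domain to a non-loopback address
  * Notify: lines (Winlogon notification DLLs) loaded from an AppData path
  * mPolicies-system: EnableLUA = 0 (UAC switched off)
"""
import re
from dataclasses import dataclass

# Constructed sample in the same line format as the DDS log in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.1
Notify: wemneka - C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\wemneka.dll
Hosts: 127.0.0.1 localhost
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 108.163.215.51 ad-emea.doubleclick.net.
"""

# Addresses that are legitimate targets for a Hosts entry (assumption).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # indicator class
    line: str    # the DDS line that triggered it
    detail: str  # short human-readable summary


def triage(log_text):
    """Return a list of Finding objects, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2).rstrip(".")
            # A Hosts entry for a third-party domain that does not go to
            # loopback silently redirects that domain's traffic.
            if ip not in LOOPBACK:
                findings.append(Finding("hosts_override", line, f"{host} -> {ip}"))
            continue

        m = NOTIFY_RE.match(line)
        if m and APPDATA_RE.search(m.group(2)):
            # Winlogon notification packages normally live under System32,
            # not in a profile's AppData tree.
            findings.append(Finding("winlogon_notify_appdata", line, m.group(2)))
            continue

        m = POLICY_RE.match(line)
        if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
            findings.append(Finding("uac_disabled", line, "EnableLUA = 0"))
    return findings


def summarize(findings):
    """Count findings per indicator class."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```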


#2 fireman4it
    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts

Posted 04 March 2012 - 10:36 PM

Hello batmanlala,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either avast! Antivirus or Microsoft Security Essentials.



2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot of the Recovery Console prompt]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot of the ComboFix message]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 batmanlala
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2012 - 08:22 PM

Thank you for your help!

1. Removed Microsoft Security Essentials.

2. Scan found no threats. Attached "TDSSKiller.2.7.19.0_06.03.2012_01.31.14_log".

3. Combofix ran and restarted my pc.

I am also being redirected to weird sites when I click on legit links... thought this problem had been caught by avast! and was fixed, but maybe it has some connection to consrv.dll? I don't know, but thought it might be important/worth mentioning. Just now when I clicked "add reply" I was redirected to some weird site...

I have checked my system32 folder and consrv.dll seems to be gone.

ComboFix.txt:

ComboFix 12-03-04.02 - Gunni 06-03-2012 1:43.4.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.45.1033.18.8170.6345 [GMT 1:00]
Kører fra: c:\users\Gunni\Desktop\123.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Gunni\AppData\Local\Temp\08f56ff6-864d-4a92-944a-57b870198cb2\CliSecureRT.dll
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((((((( Filer skabt fra 2012-02-06 til 2012-03-06 )))))))))))))))))))))))))))))))))))
.
.
2012-03-06 00:48 . 2012-03-06 00:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-05 01:27 . 2012-03-05 01:27 -------- d-----w- c:\programdata\Kaspersky Lab
2012-03-04 23:00 . 2012-02-23 16:12 335704 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-04 23:00 . 2012-02-23 16:10 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-04 23:00 . 2012-02-23 16:11 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-04 23:00 . 2012-02-23 16:10 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-04 23:00 . 2012-02-23 16:12 817496 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-04 23:00 . 2012-02-23 16:23 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-04 23:00 . 2012-02-23 16:10 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-04 23:00 . 2012-02-23 16:23 41184 ----a-w- c:\windows\avastSS.scr
2012-03-04 23:00 . 2012-02-23 16:23 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-04 16:37 . 2012-03-04 22:59 -------- d-----w- c:\programdata\AVAST Software
2012-03-04 16:37 . 2012-03-04 22:59 -------- d-----w- c:\program files\AVAST Software
2012-03-04 14:48 . 2012-03-05 06:58 -------- d-----w- c:\programdata\Birdstep Technology
2012-03-04 14:05 . 2012-03-04 14:05 -------- d-----w- c:\users\Gunni\AppData\Roaming\Malwarebytes
2012-03-04 14:05 . 2012-03-04 14:05 -------- d-----w- c:\programdata\Malwarebytes
2012-03-04 14:05 . 2012-03-04 14:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-04 14:05 . 2011-12-10 14:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 14:14 . 2012-03-03 14:14 -------- d-----w- c:\program files (x86)\Black Isle
2012-03-03 14:14 . 2000-10-05 14:55 221184 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-03-03 14:14 . 2000-10-05 14:55 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-03-03 14:14 . 2000-10-05 14:50 221184 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-03-03 14:14 . 2000-10-05 14:49 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-03-03 14:14 . 2000-01-04 05:39 212992 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
2012-03-03 14:05 . 2012-03-03 14:05 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-02 12:34 . 2012-03-02 12:34 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-03-01 22:01 . 2012-03-01 22:01 -------- d-----w- c:\users\Gunni\AppData\Roaming\Leadertech
2012-03-01 13:38 . 2012-03-01 13:38 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2012-03-01 01:03 . 2012-03-01 01:03 -------- d-----w- c:\users\Gunni\AppData\Local\BigHugeEngine
2012-03-01 00:40 . 2012-03-01 00:40 -------- d-----w- c:\program files (x86)\EA Games
2012-02-27 22:55 . 2012-03-06 00:50 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-27 22:55 . 2012-02-27 22:55 -------- d-----w- c:\program files (x86)\BCA1F
2012-02-27 22:54 . 2012-03-05 00:05 -------- d-----w- c:\users\Gunni\AppData\Roaming\C85BC
2012-02-27 22:49 . 2012-02-27 22:49 -------- d-----w- c:\program files (x86)\Kalypso
2012-02-27 18:16 . 2012-02-27 18:16 -------- d-----w- c:\users\Gunni\AppData\Roaming\RotMG.Production
2012-02-21 12:19 . 2012-02-21 12:20 -------- d-----w- c:\users\Gunni\AppData\Roaming\.minecraft
2012-02-21 12:19 . 2012-02-21 12:19 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-02-21 12:12 . 2012-02-21 12:19 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 12:12 . 2012-02-21 12:19 -------- d-----w- c:\program files\Java
2012-02-15 00:50 . 2012-02-15 00:50 -------- d-----w- c:\users\Gunni\AppData\Roaming\ProgSense
2012-02-15 00:50 . 2012-02-15 01:01 -------- d-----w- c:\users\Gunni\AppData\Roaming\Orbit
2012-02-15 00:07 . 2012-02-15 00:07 -------- d-----w- c:\users\Gunni\AppData\Roaming\Youtube Downloader HD
2012-02-15 00:03 . 2012-02-15 00:03 -------- d-----w- c:\program files (x86)\Conduit
2012-02-15 00:03 . 2012-02-15 00:09 -------- d-----w- c:\users\Gunni\AppData\Local\FLVService
2012-02-08 23:12 . 2012-02-08 23:12 -------- d-----w- c:\users\Gunni\.m2
2012-02-08 22:46 . 2012-02-09 14:59 -------- d-----w- c:\users\Gunni\.android
2012-02-08 22:41 . 2012-02-15 03:36 -------- d-----w- c:\users\Gunni\AppData\Local\Eclipse
2012-02-08 22:41 . 2012-02-09 22:45 -------- d-----w- c:\users\Gunni\workspace
2012-02-08 22:41 . 2012-02-15 03:36 -------- d-----w- C:\eclipse
2012-02-08 22:34 . 2012-02-08 22:57 -------- d-----w- C:\android-sdk-windows
2012-02-08 18:22 . 2012-02-09 12:30 -------- d-----w- c:\users\Gunni\riotsGamesLogs
2012-02-08 18:21 . 2012-02-08 18:21 -------- d-----w- c:\users\Gunni\AppData\Roaming\LolClient
2012-02-08 16:44 . 2008-07-12 07:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
2012-02-08 16:44 . 2008-07-12 07:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
2012-02-08 16:44 . 2008-07-12 07:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
2012-02-08 16:42 . 2012-02-08 16:42 -------- d-----w- C:\Riot Games
2012-02-08 15:48 . 2012-02-08 15:48 -------- d-----w- c:\program files (x86)\Pando Networks
2012-02-07 13:51 . 2009-03-18 15:35 33856 ---ha-w- c:\windows\system32\hamachi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-03 14:04 . 2011-07-10 11:36 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-31 12:44 . 2011-07-08 10:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-23 11:58 . 2012-01-23 11:58 164352 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe
2011-12-23 19:58 . 2012-02-03 19:53 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
2011-12-23 19:58 . 2011-12-23 19:58 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-12-23 19:58 . 2011-12-23 19:58 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-12-23 19:58 . 2011-12-23 19:58 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-12-23 19:58 . 2011-12-23 19:58 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll
2011-12-23 19:58 . 2011-12-23 19:58 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll
2011-12-23 19:58 . 2011-12-23 19:58 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll
2011-12-23 19:58 . 2011-12-23 19:58 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll
2011-12-23 19:58 . 2011-12-23 19:58 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll
2011-12-23 19:58 . 2011-12-23 19:58 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll
2011-12-23 19:58 . 2011-12-23 19:58 569344 ----a-w- c:\windows\SysWow64\muzdecode.ax
2011-12-23 19:58 . 2011-12-23 19:58 491520 ----a-w- c:\windows\SysWow64\muzapp.dll
2011-12-23 19:58 . 2011-12-23 19:58 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll
2011-12-23 19:58 . 2011-12-23 19:58 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll
2011-12-23 19:58 . 2011-12-23 19:58 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll
2011-12-23 19:58 . 2011-12-23 19:58 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll
2011-12-23 19:58 . 2011-12-23 19:58 40960 ----a-w- c:\windows\SysWow64\MAMACExtract.dll
2011-12-23 19:58 . 2011-12-23 19:58 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll
2011-12-23 19:58 . 2011-12-23 19:58 258048 ----a-w- c:\windows\SysWow64\muzoggsp.ax
2011-12-23 19:58 . 2011-12-23 19:58 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll
2011-12-23 19:58 . 2011-12-23 19:58 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe
2011-12-23 19:58 . 2011-12-23 19:58 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll
2011-12-23 19:58 . 2011-12-23 19:58 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll
2011-12-23 19:58 . 2011-12-23 19:58 143360 ----a-w- c:\windows\SysWow64\3DAudio.ax
2011-12-23 19:58 . 2011-12-23 19:58 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll
2011-12-23 19:58 . 2011-12-23 19:58 131072 ----a-w- c:\windows\SysWow64\muzmpgsp.ax
2011-12-23 19:58 . 2011-12-23 19:58 122880 ----a-w- c:\windows\SysWow64\muzeffect.ax
2011-12-23 19:58 . 2011-12-23 19:58 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll
2011-12-23 19:58 . 2011-12-23 19:58 110592 ----a-w- c:\windows\SysWow64\muzmp4sp.ax
2011-12-23 19:58 . 2012-02-03 19:53 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
2011-12-14 19:23 . 2011-07-09 13:48 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-08 04:22 . 2012-02-03 19:54 708168 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2011-12-08 04:22 . 2012-02-03 19:54 1490656 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2011-12-08 04:22 . 2012-02-03 19:54 98616 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2011-12-08 04:22 . 2012-02-03 19:54 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-04_15.54.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-03-04 14:07 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-06 00:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-08 10:11 . 2012-03-05 00:51 35088 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-04 22:45 27454 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-07-08 10:06 . 2012-03-04 22:45 12144 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-478074252-754671664-2906948526-1000_UserData.bin
+ 2011-07-08 11:19 . 2012-03-06 00:29 98586 c:\windows\system32\perfc006.dat
- 2012-02-21 20:50 . 2012-02-21 11:40 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-02-21 20:50 . 2012-03-04 21:54 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-07-08 10:02 . 2012-03-04 14:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-08 10:02 . 2012-03-04 22:43 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-08 10:02 . 2012-03-04 22:43 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-08 10:02 . 2012-03-04 14:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-04 22:43 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-04 14:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-04 15:54 . 2012-03-04 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-06 00:50 . 2012-03-06 00:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-04 15:54 . 2012-03-04 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-06 00:50 . 2012-03-06 00:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-03-06 00:50 802816 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-04 14:07 802816 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-06 00:50 475136 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-04 14:07 475136 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-10 11:13 . 2012-03-05 17:53 354768 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-07-14 02:36 . 2012-03-06 00:29 655302 c:\windows\system32\perfh009.dat
+ 2011-07-08 11:19 . 2012-03-06 00:29 510422 c:\windows\system32\perfh006.dat
+ 2009-07-14 02:36 . 2012-03-06 00:29 122174 c:\windows\system32\perfc009.dat
- 2009-07-14 05:38 . 2012-02-21 20:50 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-07-14 05:38 . 2012-03-05 07:40 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 05:01 . 2012-03-04 15:53 395948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-06 00:49 395948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-28 00:10 . 2012-03-04 22:48 223744 c:\windows\assembly\temp\twl.dll
- 2012-02-28 00:10 . 2012-03-04 15:51 223744 c:\windows\assembly\temp\twl.dll
+ 2011-07-08 10:23 . 2012-03-06 00:49 3728928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-07-08 10:23 . 2012-02-28 22:49 3728928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-07-08 13:01 . 2012-03-06 00:49 10820384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-478074252-754671664-2906948526-1000-12288.dat
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-03 1242448]
"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2012-02-03 943504]
"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-02-03 21392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-08 336384]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" [2010-11-01 1374720]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-02-03 3508624]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hotkey.lnk - c:\program files (x86)\Hotkey\Hotkey.exe [2011-1-17 2946560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-15 158856]
R3 ATP;Comodo Unite Miniport Driver;c:\windows\system32\DRIVERS\cmdatp.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2012-02-14 736104]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-28 2343816]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 PowerBiosServer;PowerBiosServer;c:\program files (x86)\Hotkey\PowerBiosServer.exe [2011-01-17 33280]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-28 2656280]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM10864.sys [x]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
.
.
--- Andre Services/Drivers i Hukommelsen ---
.
*Deregistered* - 02528860
.
Indhold af mappen 'Planlagte Opgaver'
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-478074252-754671664-2906948526-1000Core.job
- c:\users\Gunni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-08 10:40]
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-478074252-754671664-2906948526-1000UA.job
- c:\users\Gunni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-08 10:40]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-08 11663464]
"THXCfg64"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"Cm108Sound"="c:\windows\Syswow64\cm108.dll" [2009-12-22 8146944]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PAR1284
.
------- Yderligere scanning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\Microsoft Office\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: Interfaces\{4198045C-FC86-48FE-B5A1-23E11D254CBB}: NameServer = 8.8.8.8,193.162.153.164,194.239.134.83
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}: NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\25F6265627473702E65647121212: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\359353E6B437A426: NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\454434: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\45F554C45465: NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\943656C616E646: NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{A7138585-4176-489B-A612-A17A1344CFE0}\E4544574541425: NameServer = 8.8.4.4,8.8.8.8
.
- - - - TOMME GENVEJE FJERNET - - - -
.
Notify-wemneka - c:\windows\system32\config\systemprofile\AppData\Local\wemneka.dll
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
.
.
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------
.
[HKEY_USERS\S-1-5-21-478074252-754671664-2906948526-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
"Currency"=dword:00000017
"GameDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2011\\games"
"ShortlistDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
"FMPath"="c:\\program files (x86)\\steam\\steamapps\\common\\football manager 2011\\"
"ScreenshotsDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2011"
"SaveDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2011\\"
"HistoryDir"="c:\\FM Genie Scout 11\\History Points"
"LangDB"="c:\\program files (x86)\\steam\\steamapps\\common\\football manager 2011\\data\\updates\\update-1130\\db\\1130\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="PSV Eindhoven"
"LastUpdateCheck"=dword:00009f5e
"VersionOf"=dword:0000007b
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000081
"UniqueID"="06-E2B0-ED8F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:0000000b
"StaffSearchFeatureNum"=dword:00000006
"ClubSearchFeatureNum"=dword:00000005
"FilterByClubFeatureNum"=dword:00000006
"CompareFeatureNum"=dword:00000004
"ShortlistFeatureNum"=dword:00000000
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:0000000c
"HintsFeatureNum"=dword:00000005
"GenieReportFeatureNum"=dword:00000001
"TopFormationFeatureNum"=dword:00000005
"ScreenshotFeatureNum"=dword:00000000
.
[HKEY_USERS\S-1-5-21-478074252-754671664-2906948526-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]
"Currency"=dword:00000017
"GameDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2012\\games"
"ShortlistDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2012\\shortlists"
"FMPath"="c:\\program files (x86)\\steam\\steamapps\\common\\football manager 2012\\"
"ScreenshotsDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2012"
"SaveDir"="c:\\Users\\Gunni\\Documents\\Sports Interactive\\Football Manager 2012\\"
"HistoryDir"="c:\\FM Genie Scout 12\\History Points"
"LangDB"="c:\\program files (x86)\\steam\\steamapps\\common\\football manager 2012\\data\\db\\1200\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:0000a007
"VersionOf201"=dword:0000007b
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"ShowGuidNotification"=dword:00000000
"ShowDonateNotification"=dword:00000000
"Version"=dword:000000cc
"UniqueID"="06-E2B0-ED8F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:0000001a
"StaffSearchFeatureNum"=dword:00000004
"ClubSearchFeatureNum"=dword:00000007
"FilterByClubFeatureNum"=dword:0000000c
"CompareFeatureNum"=dword:00000001
"ShortlistFeatureNum"=dword:00000000
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:0000001b
"HintsFeatureNum"=dword:00000007
"GenieReportFeatureNum"=dword:00000006
"TopFormationFeatureNum"=dword:00000006
"ScreenshotFeatureNum"=dword:00000000
"AdClicksNum"=dword:0000000b
"AdImpressionsNum"=dword:0000025a
"GameLoadedCounter"=dword:00000025
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andre kørende processer ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\PnkBstrB.exe
c:\programdata\TVersity\Media Server\MediaServer.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Gennemført tid: 2012-03-06 01:54:58 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2012-03-06 00:54
.
Pre-Kørsel: 77.562.519.552 bytes free
Post-Kørsel: 77.220.093.952 bytes free
.
- - End Of File - - E33F1B2CF090749572BD7C84B95A2F0F

#4 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 March 2012 - 10:58 PM

Hello,

1.
Are you connected to the internet through a router? If so we need to reset that router.
How to reset your router.



2.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

3.
Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.


4.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


Things to include in your next reply:
Results.txt
Roguekiller log
aswMBR log
Still Redirecting?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 06 March 2012 - 10:08 AM

1. Reset router.

2. aswMBR ran and found 4 infected files.


---
aswMBR.txt:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-06 15:51:29
-----------------------------
15:51:29.212 OS Version: Windows x64 6.1.7601 Service Pack 1
15:51:29.212 Number of processors: 4 586 0x2A07
15:51:29.213 ComputerName: GUNNI-PC UserName: Gunni
15:51:31.716 Initialize success
15:51:31.747 AVAST engine defs: 12030600
15:51:33.169 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:51:33.170 Disk 0 Vendor: ST9500420AS 0002SDM1 Size: 476940MB BusType: 11
15:51:33.220 Disk 0 MBR read successfully
15:51:33.222 Disk 0 MBR scan
15:51:33.223 Disk 0 Windows 7 default MBR code
15:51:33.227 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:51:33.229 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
15:51:33.259 Disk 0 scanning C:\Windows\system32\drivers
15:51:46.615 Service scanning
15:51:59.595 Modules scanning
15:51:59.598 Disk 0 trace - called modules:
15:51:59.612 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:51:59.614 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b03060]
15:51:59.617 3 CLASSPNP.SYS[fffff88001e1743f] -> nt!IofCallDriver -> [0xfffffa800775de40]
15:51:59.619 5 ACPI.sys[fffff880017a77a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007759060]
15:52:00.842 AVAST engine scan C:\Windows
15:52:05.525 AVAST engine scan C:\Windows\system32
15:53:16.768 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:53:18.195 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
15:53:51.426 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
15:53:51.447 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
15:53:52.778 AVAST engine scan C:\Windows\system32\drivers
15:54:05.285 AVAST engine scan C:\Users\Gunni
15:59:04.669 AVAST engine scan C:\ProgramData
15:59:38.640 Scan finished successfully
15:59:47.839 Disk 0 MBR has been saved successfully to "C:\Users\Gunni\Desktop\MBR.dat"
15:59:47.841 The log file has been saved successfully to "C:\Users\Gunni\Desktop\aswMBR.txt"
15:59:58.111 Disk 0 MBR has been saved successfully to "C:\Users\Gunni\Desktop\MBR.dat"
15:59:58.114 The log file has been saved successfully to "C:\Users\Gunni\Desktop\aswMBR.txt"

---

3. Ran listparts64:

Results:

ListParts by Farbar Version: 06-03-2012
Ran by Gunni (administrator) on 06-03-2012 at 16:01:38
Windows 7 (X64)
Running From: C:\Users\Gunni\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 8169.68 MB
Available physical RAM: 5687.35 MB
Total Pagefile: 16337.56 MB
Available Pagefile: 13643.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:80.81 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 465 GB Healthy Boot

======================================================================================================

****** End Of Log ******

---

4. Ran RogueKiller

RKreport[1].txt:


RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Gunni [Admin rights]
Mode: Scan -- Date: 03/06/2012 16:03:23

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]
[RESIDUE] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{4198045C-FC86-48FE-B5A1-23E11D254CBB} : NameServer (8.8.8.8,193.162.153.164,194.239.134.83) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{4198045C-FC86-48FE-B5A1-23E11D254CBB} : NameServer (8.8.8.8,193.162.153.164,194.239.134.83) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
67.215.245.19 www.google-analytics.com.
67.215.245.19 ad-emea.doubleclick.net.
67.215.245.19 www.statcounter.com.
108.163.215.51 www.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] b21031a442bb36b49ed4bb379e6aec45
[BSP] 5652a53a6bf21f51150d705a7a7068a5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

---

EDIT: edited reply, because I pressed save 3 times on save log after aswMBR was done, and therefore it saved a .txt file with 3 times the same log-text... edited and removed 2 of them...

EDIT2: Been surfing and clicking a lot of links and the redirecting has stopped!

Edited by batmanlala, 06 March 2012 - 10:17 AM.
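The RogueKiller report above shows the two places a DNS changer tampers with on a Windows host: the per-interface NameServer values in the registry, and the HOSTS file, where tracking hostnames are pinned to public addresses instead of loopback. As an added example that is not part of this thread and is not RogueKiller's own code, the Python script below applies those same two checks to a constructed HOSTS sample and to RogueKiller-style [DNS] lines. It assumes an allowlist of expected resolvers (EXPECTED_NAMESERVERS, with Google's public resolvers as a stand-in); on a real machine that list is whatever the router or ISP hands out, so a resolver reported as unexpected is something to compare against those settings, not proof of tampering on its own. The HOSTS sample and its LAN printer entry are constructed for the example.

```python
import ipaddress
import re

# Constructed sample HOSTS file, modelled on the pattern in the RogueKiller
# report above: well-known analytics/ad hostnames pinned to public addresses.
# A constructed LAN entry is included to show how it is reported differently.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
67.215.245.19   www.google-analytics.com.
67.215.245.19   ad-emea.doubleclick.net.
108.163.215.51  www.statcounter.com.
192.168.1.10    printer.lan          # constructed LAN entry, not from the report
"""

# Constructed sample of the [DNS] lines RogueKiller prints per interface.
SAMPLE_DNS_LINES = [
    "[DNS] HKLM\\[...]\\ControlSet001\\Parameters\\Interfaces\\{4198045C-FC86-48FE-B5A1-23E11D254CBB} : NameServer (8.8.8.8,193.162.153.164,194.239.134.83) -> FOUND",
    "[DNS] HKLM\\[...]\\ControlSet002\\Parameters\\Interfaces\\{4198045C-FC86-48FE-B5A1-23E11D254CBB} : NameServer (8.8.8.8,193.162.153.164,194.239.134.83) -> FOUND",
]

# Assumed allowlist of resolvers this machine is expected to use. On a real
# machine this is the router's / ISP's resolvers, not a fixed list.
EXPECTED_NAMESERVERS = {"8.8.8.8", "8.8.4.4"}

NAMESERVER_RE = re.compile(r"NameServer \(([^)]*)\)")


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text.

    Comments and blank lines are skipped, a trailing dot on the name
    (as in the report above) is stripped, and names are lower-cased.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.rstrip(".").lower()


def suspicious_hosts_entries(text):
    """Return (address, hostname, reason) for every HOSTS entry that is not a
    plain loopback/unspecified mapping. Public addresses are the hijack
    pattern; private ones are reported so the owner can confirm they are
    intentional."""
    flagged = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 are the normal HOSTS patterns
        if ip.is_global:
            flagged.append((address, name, "public address"))
        elif ip.is_private:
            flagged.append((address, name, "private address (verify)"))
        else:
            flagged.append((address, name, "non-global address (verify)"))
    return flagged


def nameservers_from_report(lines):
    """Collect every resolver listed in '[DNS] ... NameServer (...)' lines, in order."""
    servers = []
    for line in lines:
        match = NAMESERVER_RE.search(line)
        if match:
            servers.extend(s.strip() for s in match.group(1).split(",") if s.strip())
    return servers


def unexpected_nameservers(lines, expected=EXPECTED_NAMESERVERS):
    """Resolvers in the report that are not on the expected list, de-duplicated and sorted."""
    return sorted(set(nameservers_from_report(lines)) - set(expected))


if __name__ == "__main__":
    for address, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS: {name:30} -> {address:16} {reason}")
    for server in unexpected_nameservers(SAMPLE_DNS_LINES):
        print(f"DNS:   resolver {server} is not on the expected list")
```

Run it as a script to print the findings for the constructed samples, or import it and pass the contents of %SystemRoot%\System32\drivers\etc\hosts to suspicious_hosts_entries() and the [DNS] lines of a RogueKiller report to unexpected_nameservers() with the resolvers your router actually hands out.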


#6 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 06 March 2012 - 07:24 PM

Hello,

1.
Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button, not the FixMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', then reboot the machine.
  • Rebooting the machine prematurely, before seeing this line, will result in an incomplete fix.
    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.



2.
  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

3.
  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click HostFix
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Things to include in your next reply:
aswMBR log
Roguekiller logs
How is the machine running now?

Edited by fireman4it, 06 March 2012 - 07:25 PM.



#7 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2012 - 05:44 PM

Turns out I'm still being redirected! Also, my pc rebooted (on its own!) and went into a bootloop, so I had to do a restore... I tried to go on with your first step (aswMBR), but after the scan I am unable to select "Fix", it is simply greyed out...

#8 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 March 2012 - 06:18 PM

Hello,

Please run aswMBR again and post its log. Then proceed with RogueKiller.



#9 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2012 - 06:31 PM

Also I have PING.EXE.....

#10 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2012 - 06:55 PM

Ran aswMBR, but about halfway through (I think), I got a blue screen, had to reboot, went into bootloop and had to restore.

Please advise...

#11 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 March 2012 - 07:14 PM

Hello,
Please run ComboFix again and post its log. Please refrain from using this machine online until we get it clean.



#12 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2012 - 08:59 PM

Ran Combofix and I noticed that it deleted some of the files aswMBR also found

15:53:16.768 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:53:18.195 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]

When completed it restarted and got stuck in a bootloop again, so I restored (is there another way? I lose all progress every time, right?)
I'm guessing the log is gone, I can't find it...

Please advise...

#13 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 March 2012 - 11:48 AM

Hello,


How are you restoring if you're stuck in a bootloop?



#14 batmanlala
  • Topic Starter
  • Members
  • 10 posts

Posted 08 March 2012 - 12:13 PM

I press F8 and choose "Repair-mode"... If I try to boot in safe-mode or any other mode it just reboots. Only repair-mode seems to work and the only "repair-option" that works for me is to do a system-restore.

#15 fireman4it

Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 March 2012 - 01:47 PM

Is there a Startup Repair option? If so have you tried it?
