
Sirefef infection. Not able to enable Windows Security Center ++. Antivirus software can't clean up


This topic is locked
15 replies to this topic

#1 NOR_Chrass

Posted 01 October 2012 - 03:25 PM

Some time ago I got some security pop-ups/redirects in IE. I don't remember the exact content, but the message was about a security risk and that I should press OK to scan the system.

I did not press OK, but googled this on another computer I have. Found a reference to a Sirefef virus.
Found a manual removal process to remove the redirects/pop-ups in IE (I have some experience in removing malware and viruses).
Then tried to scan the computer using Ad-Aware Antivirus. It found the virus, but couldn't remove it.
Tried running SpyHunter. It also found the same virus, but couldn't remove it.

After scanning, trying to repair, deleting, scanning, repairing etc. numerous times, I thought the virus was gone.

Then realized that Windows Security Center, Windows Firewall, Windows Update and Windows Defender were disabled. When trying to enable them again, error messages appear that the system is preventing them from re-enabling (messages are in Norwegian, so not much use posting here?)

Installed and ran Microsoft Security Essentials. It found <Trojan:win32/Sirefef!cfg>.
Ran Ad-Aware Antivirus again now, and it came up with four infections:
<Trojan:Win32.Sirefef.r (v)> Traces: c:\windows\system32\dbbk\8737764F4FD36D6808EE80578409C843
<Trojan:Win32.Generic!BT> Traces: c:\windows\installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\u\00000001.@
<Trojan:Win32.Sirefef.ag (v)> Traces: c:\windows\installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\u\80000000.@
<Trojan:Win32.Sirefef.aga (v)> Traces: c:\windows\installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\u\800000cb.@

Followed the steps as instructed by bleepingcomputer.com to prepare a post for this forum. Now I'm lost and have no idea how to approach this problem...

The DDS log is here (ark.log and attach.txt are attached as instructed):
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Asserson at 21:31:11 on 2012-10-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.47.1044.18.3069.1787 [GMT 2:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Lavasoft Ad-Aware *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
FW: Lavasoft Ad-Aware *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\MyTomTom 3\MyTomTomSA.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.no/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [MyTomTomSA.exe] "c:\program files\mytomtom 3\MyTomTomSA.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Send bilde til &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send side til &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{D5F0921D-1061-48D4-B3CD-BAD79EDC37AA} : DhcpNameServer = 192.168.10.1
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 MpKsl8f445927;MpKsl8f445927;c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\MpKsl8f445927.sys [2012-10-1 29904]
R1 MpKslfcaf9c14;MpKslfcaf9c14;c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\MpKslfcaf9c14.sys [2012-9-30 29904]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-4-27 223864]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\hp\quickplay\000.fcl [2008-5-22 39408]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-7-12 1239952]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 FontCache;Windows skriftbuffertjeneste;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-4-27 21504]
R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2011-12-19 3289032]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-11-29 77816]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-4-27 94584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-28 250568]
S3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-4-27 94584]
S3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-4-27 93816]
S3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2011-12-19 72312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-10-01 19:20:05 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\MpKsl8f445927.sys
2012-09-30 20:36:18 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\MpKslfcaf9c14.sys
2012-09-30 20:36:09 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\offreg.dll
2012-09-30 20:28:48 6980552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ead0ccb8-4fae-4587-a5d7-d86ba20ecfd5}\mpengine.dll
2012-09-30 20:27:45 -------- d-----w- c:\program files\Microsoft Security Client
.
==================== Find3M ====================
.
2012-08-30 20:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 20:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-22 19:28:16 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 19:28:16 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 21:32:04,91 ===============


#2 CatByte
  • Malware Response Team

Posted 01 October 2012 - 05:14 PM

Please do the following:

For 32-bit systems, download Farbar Recovery Scan Tool 32-Bit and save it to your desktop.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 NOR_Chrass

  • Topic Starter

Posted 02 October 2012 - 12:34 PM

frst.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-09-2012 01
Ran by SYSTEM at 02-10-2012 19:19:27
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [174616 2007-07-24] (Intel Corporation)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [181544 2007-09-30] (CyberLink Corp.)
HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2007-09-19] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554320 2007-09-04] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-09-13] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [311296 2007-01-08] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [201112 2012-05-09] (Lavasoft)
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [86016 2007-09-19] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [8497696 2007-09-19] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2007-09-19] (NVIDIA Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [] [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKU\Asserson\...\Run: [MyTomTomSA.exe] "C:\Program Files\MyTomTom 3\MyTomTomSA.exe" [434168 2012-05-18] (TomTom)
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

==================== Services (Whitelisted) ===================

2 Ad-Aware Service; "C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe" [1239952 2012-07-12] (Lavasoft Limited)
3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
2 QPCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [271760 2007-09-30] ()
2 QPSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [112016 2007-09-30] ()
2 SBAMSvc; "C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)
2 Secunia PSI Agent; "C:\Program Files\Secunia\PSI\PSIA.exe" --start-service [994360 2011-10-13] (Secunia)
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [146560 2007-08-28] (AuthenTec, Inc.)
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13904 2011-05-06] ()
3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [77816 2011-11-28] (GFI Software)
1 SbFw; C:\Windows\System32\drivers\SbFw.sys [223864 2011-12-19] (GFI Software)
3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [94584 2011-09-29] (GFI Software)
3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [94584 2011-09-29] (GFI Software)
3 SbHips; C:\Windows\System32\drivers\sbhips.sys [93816 2011-12-19] (GFI Software)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [101112 2011-10-26] (GFI Software)
3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [72312 2011-12-19] (GFI Software)
2 {22D78859-9CE9-4B77-BF18-AC83E81A9263}; \??\C:\Program Files\HP\QuickPlay\000.fcl [39408 2007-09-30] (Cyberlink Corp.)
4 blbdrive; [x]
1 eabfiltr; [x]
3 IpInIp; [x]
3 NwlnkFlt; [x]
3 NwlnkFwd; [x]
3 SymIM; [x]
3 SymIMMP; [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-10-01 12:00 - 2012-10-01 12:00 - 00022465 ____A C:\Users\Asserson\Desktop\ark.log
2012-10-01 11:36 - 2012-10-01 11:36 - 00302592 ____A C:\Users\Asserson\Downloads\8mrf0qqp.exe
2012-10-01 11:35 - 2012-10-01 11:35 - 00006359 ____A C:\Users\Asserson\Desktop\Attach.txt
2012-10-01 11:34 - 2012-10-01 11:34 - 00011468 ____A C:\Users\Asserson\Desktop\DDS.txt
2012-10-01 11:30 - 2012-10-01 11:31 - 00607260 ____R (Swearware) C:\Users\Asserson\Downloads\dds.com
2012-10-01 11:30 - 2012-10-01 11:30 - 00000478 ____A C:\Users\Asserson\Desktop\defogger_disable.log
2012-10-01 11:30 - 2012-10-01 11:30 - 00000000 ____A C:\Users\Asserson\defogger_reenable
2012-09-30 12:28 - 2012-09-30 12:28 - 00001912 ____A C:\Windows\epplauncher.mif
2012-09-30 12:27 - 2012-09-30 12:28 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-30 11:25 - 2012-09-30 11:26 - 220066248 ____A (Norman ASA) C:\Users\Asserson\Downloads\Norman_Malware_Cleaner.exe
2012-09-30 07:43 - 2012-09-30 10:54 - 00019524 ____A C:\Users\Asserson\Desktop\Nmc_2012-09-30_17-43-32.log
2012-09-09 10:48 - 2012-09-12 11:05 - 00201304 ____A C:\Users\Asserson\Desktop\Huset vårt_NY.skb
2012-09-09 10:07 - 2012-09-12 11:12 - 00203912 ____A C:\Users\Asserson\Desktop\Huset vårt_NY.skp
2012-09-09 09:20 - 2012-09-09 09:20 - 00001904 ____A C:\Users\Public\Desktop\SketchUp 8.lnk
2012-09-09 09:20 - 2012-09-09 09:20 - 00001904 ____A C:\Users\All Users\Desktop\SketchUp 8.lnk


==================== 3 Months Modified Files ==================

2012-10-02 09:14 - 2008-05-22 06:52 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-10-02 09:14 - 2006-11-02 05:01 - 00026940 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-02 09:14 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-02 09:14 - 2006-11-02 04:47 - 00003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-02 09:14 - 2006-11-02 04:47 - 00003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-02 09:13 - 2012-05-13 09:30 - 00002431 ____A C:\Windows\setupact.log
2012-10-02 09:11 - 2012-04-28 03:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-01 12:00 - 2012-10-01 12:00 - 00022465 ____A C:\Users\Asserson\Desktop\ark.log
2012-10-01 11:36 - 2012-10-01 11:36 - 00302592 ____A C:\Users\Asserson\Downloads\8mrf0qqp.exe
2012-10-01 11:35 - 2012-10-01 11:35 - 00006359 ____A C:\Users\Asserson\Desktop\Attach.txt
2012-10-01 11:34 - 2012-10-01 11:34 - 00011468 ____A C:\Users\Asserson\Desktop\DDS.txt
2012-10-01 11:31 - 2012-10-01 11:30 - 00607260 ____R (Swearware) C:\Users\Asserson\Downloads\dds.com
2012-10-01 11:30 - 2012-10-01 11:30 - 00000478 ____A C:\Users\Asserson\Desktop\defogger_disable.log
2012-10-01 11:30 - 2012-10-01 11:30 - 00000000 ____A C:\Users\Asserson\defogger_reenable
2012-10-01 11:25 - 2007-11-27 11:21 - 00485022 ____A C:\Windows\System32\perfh014.dat
2012-10-01 11:25 - 2007-11-27 11:21 - 00082340 ____A C:\Windows\System32\perfc014.dat
2012-10-01 11:25 - 2006-11-02 02:33 - 01283322 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-01 11:21 - 2012-04-27 06:06 - 00027620 ____A C:\Users\Asserson\AppData\Roaming\nvModes.001
2012-10-01 11:21 - 2012-04-26 12:49 - 00000163 ____A C:\Users\Public\Documents\hpqp.ini
2012-10-01 11:21 - 2012-04-26 12:49 - 00000163 ____A C:\Users\All Users\Documents\hpqp.ini
2012-10-01 10:50 - 2008-05-22 06:52 - 01527772 ____A C:\Windows\WindowsUpdate.log
2012-09-30 12:28 - 2012-09-30 12:28 - 00001912 ____A C:\Windows\epplauncher.mif
2012-09-30 11:28 - 2012-04-28 10:50 - 00001356 ____A C:\Users\Asserson\AppData\Local\d3d9caps.dat
2012-09-30 11:26 - 2012-09-30 11:25 - 220066248 ____A (Norman ASA) C:\Users\Asserson\Downloads\Norman_Malware_Cleaner.exe
2012-09-30 10:54 - 2012-09-30 07:43 - 00019524 ____A C:\Users\Asserson\Desktop\Nmc_2012-09-30_17-43-32.log
2012-09-30 07:08 - 2012-04-27 05:27 - 00027620 ____A C:\Users\Asserson\AppData\Roaming\nvModes.dat
2012-09-18 12:47 - 2012-06-16 22:26 - 00016757 ____A C:\Users\Asserson\Desktop\Austrått Øst Velforening.xlsx
2012-09-12 11:12 - 2012-09-09 10:07 - 00203912 ____A C:\Users\Asserson\Desktop\Huset vårt_NY.skp
2012-09-12 11:05 - 2012-09-09 10:48 - 00201304 ____A C:\Users\Asserson\Desktop\Huset vårt_NY.skb
2012-09-09 09:20 - 2012-09-09 09:20 - 00001904 ____A C:\Users\Public\Desktop\SketchUp 8.lnk
2012-09-09 09:20 - 2012-09-09 09:20 - 00001904 ____A C:\Users\All Users\Desktop\SketchUp 8.lnk
2012-08-30 12:03 - 2012-08-30 12:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 12:03 - 2012-08-30 12:03 - 00099272 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-22 11:28 - 2012-04-28 03:15 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-22 11:28 - 2012-04-28 03:15 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-21 12:22 - 2012-08-21 12:22 - 00004096 ___AH C:\Users\Asserson\AppData\Local\keyfile3.drm
2012-08-21 12:20 - 2012-08-21 12:20 - 00016556 ____A C:\Users\Asserson\Desktop\Hva gjør vi nå.zip
2012-08-08 11:46 - 2012-08-08 11:46 - 00138176 ____A C:\Windows\Minidump\Mini080812-01.dmp
2012-08-08 11:46 - 2012-08-02 03:47 - 308562675 ____A C:\Windows\MEMORY.DMP
2012-08-08 03:02 - 2012-04-28 03:20 - 00126464 ____A C:\Users\Asserson\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-02 08:09 - 2012-08-02 08:09 - 00000848 ____A C:\Users\Asserson\Desktop\Brother's Keeper 6.lnk
2012-08-02 08:09 - 2012-08-02 08:09 - 00000000 ____A C:\Windows\MKDEMSG.LOG
2012-08-02 07:42 - 2012-08-02 07:42 - 00000521 ____A C:\Users\Public\Desktop\Legacy Charting 7.lnk
2012-08-02 07:42 - 2012-08-02 07:42 - 00000521 ____A C:\Users\All Users\Desktop\Legacy Charting 7.lnk
2012-08-02 07:42 - 2012-08-02 07:42 - 00000347 ____A C:\Users\Public\Desktop\Legacy 7.5.lnk
2012-08-02 07:42 - 2012-08-02 07:42 - 00000347 ____A C:\Users\All Users\Desktop\Legacy 7.5.lnk
2012-08-02 03:48 - 2012-08-02 03:48 - 00138176 ____A C:\Windows\Minidump\Mini080212-01.dmp
2012-08-01 12:51 - 2012-08-01 12:51 - 00000438 ____A C:\Windows\System32\WSCConfig.xml
2012-08-01 12:51 - 2012-08-01 12:47 - 00000568 ____A C:\Windows\System32\PHOOKSmf.txt
2012-08-01 12:20 - 2012-08-01 12:20 - 00001812 ____A C:\Users\Asserson\Desktop\readme.txt
2012-08-01 11:34 - 2007-11-27 12:57 - 00161428 ____A C:\Windows\PFRO.log
2012-08-01 11:33 - 2012-08-01 11:33 - 00000824 ____A C:\Users\Asserson\Desktop\lavasoft.txt
2012-08-01 11:31 - 2012-08-01 11:31 - 00001939 ____A C:\Users\Public\Desktop\Lavasoft Registry Tuner.lnk
2012-08-01 11:31 - 2012-08-01 11:31 - 00001939 ____A C:\Users\All Users\Desktop\Lavasoft Registry Tuner.lnk
2012-08-01 10:50 - 2012-08-01 10:50 - 00000079 ____A C:\Users\Asserson\AppData\Local\RTFViewer.ini
2012-07-31 11:01 - 2012-07-31 11:01 - 00002085 ____A C:\Users\Asserson\Desktop\SpyHunter.lnk
2012-07-31 09:21 - 2012-07-31 09:21 - 00000903 ____A C:\Users\Public\Desktop\The Master Genealogist v8.lnk
2012-07-31 09:21 - 2012-07-31 09:21 - 00000903 ____A C:\Users\All Users\Desktop\The Master Genealogist v8.lnk
2012-07-29 10:37 - 2012-07-29 08:49 - 00055555 ____A C:\Users\Asserson\Desktop\Ny Kjeller.skp
2012-07-29 08:49 - 2012-07-29 10:37 - 00055175 ____A C:\Users\Asserson\Desktop\Ny Kjeller.skb
2012-07-22 17:22 - 2006-11-02 04:47 - 00340024 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-22 17:04 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-22 17:02 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

ZeroAccess:
C:\Windows\Installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}
C:\Windows\Installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\L
C:\Windows\Installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\U

ZeroAccess:
C:\Users\Asserson\AppData\Local\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}
C:\Users\Asserson\AppData\Local\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\L
C:\Users\Asserson\AppData\Local\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4093.63 MB
Available physical RAM: 3540.01 MB
Total Pagefile: 3777.97 MB
Available Pagefile: 3598.32 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.51 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:222.84 GB) (Free:165.53 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:232.88 GB) (Free:64.81 GB) NTFS
3 Drive e: (HP_RECOVERY) (Fixed) (Total:10.04 GB) (Free:2.92 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:3.91 GB) (Free:3.91 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1528 KB
Disk 1 Online 233 GB 1528 KB
Disk 2 Online 4017 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 223 GB 32 KB
Partition 2 Primary 10 GB 223 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C OS NTFS Partition 223 GB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E HP_RECOVERY NTFS Partition 10 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 32 KB

=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D DATA NTFS Partition 233 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 4016 MB 1176 KB

=========================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 G FAT32 Removable 4016 MB Healthy

=========================================================

Last Boot: 2012-10-01 11:26

==================== End Of Log ============================

search.txt:
Farbar Recovery Scan Tool (x86) Version: 30-09-2012 01
Ran by SYSTEM at 2012-10-02 19:20:42
Running from G:\

================== Search: "services.exe" ===================

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-04-28 02:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2012-04-27 11:01] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\WINDOWS\System32\services.exe
[2012-04-28 02:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
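One use of the search.txt output above is to compare the live System32\services.exe against the component-store (winsxs) copies by MD5. As an added example that is not part of the thread or of FRST itself, the following Python parses that output format and flags any live copy whose hash matches none of the stored copies; the input is the search result posted above plus one constructed entry (marked) whose hash deliberately mismatches, and all function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample FRST "Search" output. The four real entries are copied from the
# search.txt posted in this thread; the last entry is CONSTRUCTED (a made-up
# path and hash) so that the mismatch branch below is exercised as well.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-04-28 02:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2012-04-27 11:01] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\WINDOWS\System32\services.exe
[2012-04-28 02:14] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\CONSTRUCTED\services.exe
[2012-09-30 20:00] - [2012-09-30 20:00] - 0279552 ____A (Microsoft Corporation) 00000000000000000000000000000000

=== End Of Search ===
"""

# Detail line: "[created] - [modified] - size attrs (Company) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component-store directory names embed the file version of that copy.
WINSXS_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def in_component_store(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def version(self) -> str:
        m = WINSXS_VERSION_RE.search(self.path)
        return m.group(1) if m else ""


def parse_search(text: str) -> List[Entry]:
    """Parse FRST 'Search:' output: each hit is a path line followed by a detail line."""
    entries: List[Entry] = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # blank separators and ===== headers
            pending_path = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            d = m.groupdict()
            entries.append(Entry(pending_path, d["created"], d["modified"],
                                 int(d["size"]), d["attrs"], d["company"], d["md5"].upper()))
            pending_path = None
        elif not m:
            pending_path = line
    return entries


def check_live_copies(entries: List[Entry]) -> Dict[str, Tuple[bool, str]]:
    """Compare every live (non-winsxs) copy against the component-store copies.

    The store keeps one services.exe per installed update level; a live copy
    whose MD5 matches none of them was changed after installation (or the
    store itself is damaged) and deserves a closer look. Returns
    {path: (matches_store, note)}.
    """
    store = {e.md5: e for e in entries if e.in_component_store}
    verdicts: Dict[str, Tuple[bool, str]] = {}
    for e in entries:
        if e.in_component_store:
            continue
        ref = store.get(e.md5)
        if ref is None:
            verdicts[e.path] = (False, "MD5 matches no component-store copy")
        else:
            verdicts[e.path] = (True, f"matches component-store copy {ref.version}")
    return verdicts


if __name__ == "__main__":
    for path, (ok, note) in check_live_copies(parse_search(SEARCH_TXT)).items():
        print(("OK      " if ok else "SUSPECT ") + path + " -> " + note)
```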

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:36 PM

Posted 02 October 2012 - 05:55 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
C:\Windows\Installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}
C:\Users\Asserson\AppData\Local\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:36 AM

Posted 03 October 2012 - 01:01 AM

fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-09-2012 01
Ran by SYSTEM at 2012-10-03 06:57:26 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53} moved successfully.
C:\Users\Asserson\AppData\Local\{b771c3fd-2f87-d804-8ea7-f7c5c6911d53} moved successfully.

==== End of Fixlog ====

ComboFix:
ComboFix 12-10-02.02 - Asserson 03.10.2012 7:33.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.47.1044.18.3069.1976 [GMT 2:00]
Kjører fra: c:\users\Asserson\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
FW: Lavasoft Ad-Aware *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
SP: Lavasoft Ad-Aware *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
* Opprettet nytt gjenopprettingspunkt
.
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\KBL.LOG
.
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2012-09-03 til 2012-10-03 )))))))))))))))))))))))))))))))))
.
.
2012-10-03 05:39 . 2012-10-03 05:39 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BAB8E50-6A4D-4F63-A6C5-7E9BAA21A683}\offreg.dll
2012-10-03 05:38 . 2012-10-03 05:41 -------- d-----w- c:\users\Asserson\AppData\Local\temp
2012-10-03 03:19 . 2012-10-03 03:19 -------- d-----w- C:\FRST
2012-10-02 17:36 . 2012-09-18 22:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BAB8E50-6A4D-4F63-A6C5-7E9BAA21A683}\mpengine.dll
2012-09-30 20:28 . 2012-09-18 22:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-30 20:27 . 2012-09-30 20:28 -------- d-----w- c:\program files\Microsoft Security Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-30 20:03 . 2012-08-30 20:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 20:03 . 2012-08-30 20:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-22 19:28 . 2012-04-28 11:15 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 19:28 . 2012-04-28 11:15 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-31 19:01 . 2012-07-31 19:01 110080 ----a-r- c:\users\Asserson\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconF7A21AF7.exe
2012-07-31 19:01 . 2012-07-31 19:01 110080 ----a-r- c:\users\Asserson\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconD7F16134.exe
2012-07-31 19:01 . 2012-07-31 19:01 110080 ----a-r- c:\users\Asserson\AppData\Roaming\Microsoft\Installer\{CC1F6DA0-21D2-425A-B1B6-5B164A598450}\IconCF33A0CE.exe
.
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-04-11 20:08 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-04-11 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2012-05-18 434168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-05-09 201112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Andre tjenester/drivere lastet i minnet ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
2012-10-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:28]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.no/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send bilde til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send side til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.10.1
.
.
**************************************************************************
skanner skjulte prosesser ...
.
skanner skjulte autostart-oppføringer ...
.
skanner skjulte filer ...
.
skanning vellykket
skjulte filer:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------
.
- - - - - - - > 'Explorer.exe'(2932)
c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
c:\windows\system32\btncopy.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\Secunia\PSI\PSIA.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Ad-Aware Antivirus\SBAMSvc.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2012-10-03 07:45:55 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2012-10-03 05:45
.
Pre-Run: 188 808 499 200 byte ledig
Post-Run: 189 808 041 984 byte ledig
.
- - End Of File - - 9EA3CF81002AF0C8E17BE155AAE9DC7A

#6 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:36 AM

Posted 03 October 2012 - 01:09 AM

by the way:
Windows Update and Windows Security Center seem to have been enabled again =)

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:36 PM

Posted 03 October 2012 - 05:30 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT
Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:36 AM

Posted 04 October 2012 - 11:01 AM

adw-cleaner:
# AdwCleaner v2.003 - Logfile created 10/04/2012 at 07:26:29
# Updated 23/09/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Asserson - ASSERSON-PC
# Boot Mode : Normal
# Running from : C:\Users\Asserson\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\blekko toolbars

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Headlight
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\Software\Headlight

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

*************************

AdwCleaner[S1].txt - [1653 octets] - [04/10/2012 07:26:29]

########## EOF - C:\AdwCleaner[S1].txt - [1713 octets] ##########


mbam log:
Malwarebytes Anti-Malware (Prøveversjon) 1.65.0.1400
www.malwarebytes.org

Databaseversjon: v2012.10.04.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Asserson :: ASSERSON-PC [administrator]

Beskyttelse: Aktivert

04.10.2012 07:34:23
mbam-log-2012-10-04 (07-34-23).txt

Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 194659
Tid tilbakelagt: 4 minutt(er), 55 sekund(er)

Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)

Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)

Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)

Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)

Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)

Mapper oppdaget: 0
(Ingen skadelige objekter funnet)

Filer oppdaget 0
(Ingen skadelige objekter funnet)

(klar)


esetscan:
C:\Users\Asserson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1XP93GY8\Adaware_Installer.exe Win32/OpenCandy application
C:\WINDOWS\System32\DBBK\8737764F4FD36D6808EE80578409C843 Win32/Sirefef.FB.Gen trojan

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:36 PM

Posted 04 October 2012 - 09:09 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Asserson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1XP93GY8\Adaware_Installer.exe 
C:\WINDOWS\System32\DBBK\8737764F4FD36D6808EE80578409C843 
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:36 AM

Posted 05 October 2012 - 08:42 AM

combofix log:
ComboFix 12-10-04.02 - Asserson 05.10.2012 15:21:10.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.47.1044.18.3069.1476 [GMT 2:00]
Kjører fra: c:\users\Asserson\Desktop\ComboFix.exe
Command switches brukt :: c:\users\Asserson\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Opprettet nytt gjenopprettingspunkt
.
FILE ::
"c:\users\Asserson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1XP93GY8\Adaware_Installer.exe"
"c:\windows\System32\DBBK\8737764F4FD36D6808EE80578409C843"
.
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Asserson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1XP93GY8\Adaware_Installer.exe
c:\windows\System32\DBBK\8737764F4FD36D6808EE80578409C843
.
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2012-09-05 til 2012-10-05 )))))))))))))))))))))))))))))))))
.
.
2012-10-05 13:27 . 2012-10-05 13:27 -------- d-----w- c:\users\Asserson\AppData\Local\temp
2012-10-05 13:27 . 2012-10-05 13:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-04 21:26 . 2012-10-04 21:26 -------- d-----w- c:\users\Asserson\Bluetooth Software
2012-10-04 05:42 . 2012-10-04 05:42 -------- d-----w- c:\program files\ESET
2012-10-04 05:33 . 2012-10-04 05:33 -------- d-----w- c:\users\Asserson\AppData\Roaming\Malwarebytes
2012-10-04 05:33 . 2012-10-04 05:33 -------- d-----w- c:\programdata\Malwarebytes
2012-10-03 16:01 . 2012-10-03 16:01 -------- d-----w- c:\program files\Canon
2012-10-03 16:01 . 2012-10-03 16:01 -------- d-----w- c:\program files\Common Files\Canon
2012-10-03 15:36 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-10-03 15:02 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
2012-10-03 06:09 . 2012-10-03 06:09 -------- d-----w- c:\users\Asserson\AppData\Roaming\LavasoftStatistics
2012-10-03 06:08 . 2012-10-03 15:18 -------- d-----w- c:\users\Asserson\AppData\Local\adawarebp
2012-10-03 06:07 . 2012-10-03 06:07 -------- d-----w- c:\windows\system32\drivers\VDD
2012-10-03 06:05 . 2012-10-03 06:10 -------- d-----w- c:\program files\adawaretb
2012-10-03 03:19 . 2012-10-03 03:19 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-22 19:28 . 2012-04-28 11:15 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 19:28 . 2012-04-28 11:15 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-09-20 20:06 87448 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-09-20 87448]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2012-05-18 434168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
2012-10-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:28]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.no/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send bilde til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send side til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-05 15:27
Windows 6.0.6002 Service Pack 2 NTFS
.
skanner skjulte prosesser ...
.
skanner skjulte autostart-oppføringer ...
.
skanner skjulte filer ...
.
skanning vellykket
skjulte filer: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Tidspunkt ferdig: 2012-10-05 15:29:22
ComboFix-quarantined-files.txt 2012-10-05 13:29
ComboFix2.txt 2012-10-03 05:45
.
Pre-Run: 189 396 074 496 byte ledig
Post-Run: 189 594 144 768 byte ledig
.
- - End Of File - - 455D7C7E28C42D60FD39AA4519DEBCED


minitoolbox result:
MiniToolBox by Farbar Version: 23-07-2012
Ran by Asserson (administrator) on 05-10-2012 at 15:33:15
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP-konfigurasjon

DNS Resolver-bufferen ble tømt.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Ad-Aware Antivirus (Version: 10.3.45.3935)
Ad-Aware Security Add-on (Version: 2.2.0.11)
Adobe Flash Player 11 ActiveX (Version: 11.4.402.265)
Adobe Reader X (10.1.4) - Norsk (Version: 10.1.4)
Adobe Shockwave Player (Version: 10.2.0.023)
Adobe Shockwave Player 11.6 (Version: 11.6.5.635)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
AuthenTec Fingerprint Sensor Minimum Install (Version: 7.9)
Bonjour (Version: 3.0.0.10)
Brother's Keeper 6.5
Canon RAW Codec (Version: 1.8.0.68)
ESET Online Scanner v3
ESU for Microsoft Vista (Version: 2.0.11.1)
Free Video to iPhone Converter version 5.0.14.627 (Version: 5.0.14.627)
GetRight
Hauppauge MCE XP/Vista Software Encoder (2.0.25149) (Version: 2.0.25149)
Hewlett-Packard Active Check (Version: 1.1.11.0)
Hewlett-Packard Asset Agent for Health Check (Version: 2.0.62.5)
HP Active Support Library (Version: 2.3.0.2)
HP Doc Viewer (Version: 1.02.0001)
HP Integrated Module with Bluetooth wireless technology 6.0.1.5500 (Version: 6.0.1.5500)
HP QuickTouch 1.00 C4 (Version: 1.0.7)
HP Update (Version: 5.003.001.001)
HP User Guides 0088 (Version: 1.02.0000)
HP Wireless Assistant (Version: 3.00 H2)
Intel® Matrix Storage Manager
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
Lavasoft Registry Tuner (Version: 1.0.35)
Legacy 7.5 (Version: 7.5 )
Microsoft .NET Framework 3.5 Language Pack SP1 - nor (Version: 3.5.30729)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile NOR Language Pack (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (German) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Norwegian (Nynorsk)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (Norwegian (Bokmål)) 2007 (Version: 12.0.4518.1022)
Microsoft Office Publisher MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (Norwegian (Bokmål)) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSCU for Microsoft Vista (Version: 1.0.1.9)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MyTomTom 3.2.0.700 (Version: 3.2.0.700)
NVIDIA Drivers
QuickPlay SlingPlayer 0.4.4 (Version: 0.4.4)
Realtek High Definition Audio Driver (Version: 6.0.1.5470)
Secunia PSI (2.0.0.4003) (Version: 2.0.0.4003)
SketchUp 8 (Version: 3.0.15158)
Språkpakke for Microsoft .NET Framework 3.5 SP1 - NOR
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 10.0.13.2)
The Master Genealogist v8 (Version: 8.04.0000)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition
Visual Studio C++ 10.0 Runtime (Version: 10.0.0)
VLC media player 2.0.1 (Version: 2.0.1)

**** End of log ****


fss log:
Farbar Service Scanner Version: 19-09-2012
Ran by Asserson (administrator) on 05-10-2012 at 15:34:16
Running from "C:\Users\Asserson\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
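The FSS log above boils down to three registry findings (the firewall policy value set to 0, the Windows Defender DisableAntiSpyware policy set to 1, and the WinDefend service start type changed from Auto to Demand) plus the service-state checks. The script below is an added example, not from the thread and not part of Farbar Service Scanner; it re-checks the same items from an elevated PowerShell prompt and, only when called with -Repair, puts the defaults back. Registry paths and value names are the ones shown in the log; the Start values (2 = Automatic, 3 = Manual, which FSS reports as "Demand") are Windows' documented service start types. It assumes PowerShell 2.0 or later is installed.

```powershell
# Added example (not from the thread, not part of Farbar Service Scanner): re-check the
# findings the FSS log reported and optionally restore defaults. Run elevated.
function Test-SecurityFeatureState {
    param([switch]$Repair)   # without -Repair the function only reports

    $findings = @()

    # Finding 1 in the log: "EnableFirewall"=DWORD:0 under the StandardProfile policy key.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($fw -ne $null -and $fw.EnableFirewall -eq 0) {
        $findings += "Firewall: EnableFirewall=0 at $fwKey"
        if ($Repair) { Set-ItemProperty -Path $fwKey -Name EnableFirewall -Value 1 -Type DWord }
    }

    # Finding 2: "DisableAntiSpyware"=DWORD:1 under HKLM\SOFTWARE\Microsoft\Windows Defender.
    # The value is absent on a default install, so the repair removes it rather than zeroing it.
    $wdKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $wd = Get-ItemProperty -Path $wdKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($wd -ne $null -and $wd.DisableAntiSpyware -eq 1) {
        $findings += "Defender: DisableAntiSpyware=1 at $wdKey"
        if ($Repair) { Remove-ItemProperty -Path $wdKey -Name DisableAntiSpyware }
    }

    # Finding 3: WinDefend start type set to Demand (3); the log says the default is Auto (2).
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
    $svc = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    if ($svc -ne $null -and $svc.Start -ne 2) {
        $findings += "Defender: WinDefend Start=$($svc.Start) (expected 2 = Automatic)"
        if ($Repair) { Set-Service -Name WinDefend -StartupType Automatic }
    }

    # Services behind Security Center (wscsvc), Firewall (MpsSvc), Defender (WinDefend)
    # and Windows Update (wuauserv): the log checked whether they run; do the same.
    foreach ($name in 'wscsvc', 'MpsSvc', 'WinDefend', 'wuauserv') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -eq $null) { $findings += "Service ${name}: not present"; continue }
        if ($s.Status -ne 'Running') {
            $findings += "Service ${name}: $($s.Status)"
            if ($Repair) { Start-Service -Name $name -ErrorAction SilentlyContinue }
        }
    }

    if ($findings.Count -eq 0) { 'No disabled security features found.' } else { $findings }
}

# Report only; re-run as Test-SecurityFeatureState -Repair from an elevated prompt to fix.
Test-SecurityFeatureState
```

The point of reporting before repairing is the same reason FSS only reports: if the policy values come back after you reset them, the thing that set them is still active and the cleanup is not finished.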

#11 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2012 - 09:22 AM

everything looks good,
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if there are - remove them.

Java™ 6 Update 31 (Version: 6.0.310)



How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts

Posted 05 October 2012 - 11:01 AM

Updated java also now =)

Thank you very much!!

Computer seems to be running fine, but adaware antivirus pro found the sirefef virus again. But this time in the file c:\qoobox\quarantine\c\windows\system32\dbbk\8737764F4FD36D6808EE80578409C843.vir. I believe this is the quarantine files of ComboFix. Can I delete the folder to get rid of the "infection"?

And the operation done over the last couple of days has created some folders on my c drive:
-> $$DeleteMe.$$DeleteMe.$$DeleteMe..01cd23edb2bb1c75.0000.01cd23edd16fb4e8.0000.01cd247d77752be0.0000
-> 56ea2b7d4c36153d6e42be7c8650be
-> boot
-> ComboFix
-> FRST
-> Qoobox (as mentioned above)

Can these folders be deleted or should I just let them be?

#13 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2012 - 11:58 AM

The ComboFix folders will be deleted once we perform the uninstall routine, which we will do now. Any logs or programs left over can be deleted via right click > delete.

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS,GMER and all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
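The "Make Internet Explorer more secure" steps in the post above change three Internet-zone ActiveX settings through the Inetcpl.cpl dialog. The script below is an added example, not from the thread, that audits the same three settings and applies them when run with -Apply, which is handier when you have to check several user profiles. Its assumptions are not stated in the thread: IE keeps per-zone settings under Zones\<n> in HKCU with 3 being the Internet zone; the action codes 1001 (download signed ActiveX controls), 1004 (download unsigned ActiveX controls) and 1201 (initialize and script ActiveX controls not marked as safe) are IE's documented URL-action values; and the data values 0, 1 and 3 mean Enable, Prompt and Disable. Run it as the user whose IE settings you want to check, since the key is per-user.

```powershell
# Added example (not from the thread): audit, and with -Apply enforce, the Internet-zone
# ActiveX settings that the post's Inetcpl.cpl steps set by hand.
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target values taken from the post's instructions; codes are IE URL-action values (assumption).
$Recommended = @{
    '1001' = 1   # Download signed ActiveX controls                          -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                        -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeActiveXSettings {
    param([switch]$Apply)   # without -Apply nothing is written

    foreach ($code in ($Recommended.Keys | Sort-Object)) {
        $want = $Recommended[$code]
        $item = Get-ItemProperty -Path $InternetZoneKey -Name $code -ErrorAction SilentlyContinue
        $have = if ($item -ne $null) { $item.$code } else { $null }

        # A missing value means IE falls back to the zone template, so treat it as "needs change".
        $haveLabel = if ($have -ne $null -and $Labels.ContainsKey([int]$have)) { $Labels[[int]$have] } else { "unset/$have" }
        $status = if ($have -eq $want) { 'OK          ' } else { 'NEEDS CHANGE' }
        "{0}  action {1}: current={2} recommended={3}" -f $status, $code, $haveLabel, $Labels[$want]

        if ($Apply -and $have -ne $want) {
            # Writing the DWORD has the same effect as picking the option under Custom level.
            Set-ItemProperty -Path $InternetZoneKey -Name $code -Value $want -Type DWord
        }
    }
}

# Audit only; run Test-IeActiveXSettings -Apply to enforce the recommended settings.
Test-IeActiveXSettings
```

Re-running the audit after a reboot is a cheap way to notice if something keeps loosening these settings again, which would point to an unfinished cleanup rather than a configuration slip.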


#14 NOR_Chrass

NOR_Chrass
  • Topic Starter

  • Members
  • 9 posts

Posted 05 October 2012 - 01:33 PM

PERFECT!

It's running like a dream and nothing is found when I scan with antivirus.

Thank you very much - good thing there's good guys like you around=)

#15 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 October 2012 - 02:04 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




