Safer-Networking Forums

Manual Removal Guide for Win32.Yakes.adkv

Friday — Wed, 16 May 2012 10:37:56 GMT

The following instructions have been created to help you to get rid of "Win32.Yakes.adkv" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan

Description:

Win32.Yakes.adkv copies malicious files into the program directory, starts itself in autorun and connects to the Internet in background without giving the user a possibility to cancel that process.

Removal Instructions:

Autorun:

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$APPDATA>\<$ENV(Win32Yakes_Dir)>".

Make sure you set your file manager to display hidden and system files. If Win32.Yakes.adkv uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "Yqyt" at "HKEY_CURRENT_USER\Software\Microsoft\".
Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".

If Win32.Yakes.adkv uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

There are more files or system entries belonging to this product that <$SPYBOTSD> can remove, but that cannot be easily described in text. Please use <$SPYBOTSD> to make sure <$PRODUCTNAME> gets completely removed.

Manual Removal Guide for Win32.OnLineGames.gen

Friday — Wed, 16 May 2012 10:37:55 GMT

The following instructions have been created to help you to get rid of "Win32.OnLineGames.gen" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan
passwordstealer

Description:

Win32.OnLineGames.gen tries to steal passwords for online games. The library files get injected into running processes in order to avoid detection and to be executed by system files.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry value "<$ENV(OLG1)>.dll" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Delete the registry value "<$ENV(OLG1)>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
Remove "<$ENV(OLG1)>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\".

If Win32.OnLineGames.gen uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Mabezat

Friday — Wed, 16 May 2012 10:37:54 GMT

The following instructions have been created to help you to get rid of "Win32.Mabezat" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan
worm

Description:

Win32.Mabezat is a Worm with file infecting ability. It cloaks itself as a 3rd party installer or uses a document icon to mislead the user. Once installed it copies itself to all removable drives or network shares and creates an autorun entry for these files.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

A file with an unknown location named "InstallMSN11En.exe".
A file with an unknown location named "KasperSky6.0 Key.doc.exe".
A file with an unknown location named "Make Windows Original.exe".
A file with an unknown location named "Office2007 Serial.txt.exe".
A file with an unknown location named "WinrRarSerialInstall.exe".
The file at "<$APPDATA>\Tazebama\tazebama.log".
The file at "<$FIXEDDRIVES>\InstallMSN11En.exe".
The file at "<$FIXEDDRIVES>\KasperSky6.0 Key.doc.exe".
The file at "<$FIXEDDRIVES>\Make Windows Original.exe".
The file at "<$FIXEDDRIVES>\Office2007 Serial.txt.exe".
The file at "<$FIXEDDRIVES>\WinrRarSerialInstall.exe".
The file at "<$PROFILES>\hook.dl_".
The file at "<$PROFILES>\tazebama.dl_".

Make sure you set your file manager to display hidden and system files. If Win32.Mabezat uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$APPDATA>\tazebama".

Make sure you set your file manager to display hidden and system files. If Win32.Mabezat uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.IRCBot

Friday — Wed, 16 May 2012 10:37:52 GMT

The following instructions have been created to help you to get rid of "Win32.IRCBot" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan

Description:

Win32.IRCBot installs a file into the local temp directory. Variants create a subfolder within recycler and drop the copy into it. This malware is run via autorun and establishes a connection with a remote IRC Server. Win32.IRCbot installer pretends to be a cracking or other keygen tool.

Removal Instructions:

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "c:\Windows\temp\mama".

Make sure you set your file manager to display hidden and system files. If Win32.IRCBot uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Graftor.6078

Friday — Wed, 16 May 2012 10:37:51 GMT

The following instructions have been created to help you to get rid of "Win32.Graftor.6078" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan

Description:

Win32.Graftor.6078 installs malicious files into the Program files and root directories and makes DoS-attack on 58.221.41.56-address.

Removal Instructions:

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\<$ENV(Win32Graftor6078_Dir)>".

Make sure you set your file manager to display hidden and system files. If Win32.Graftor.6078 uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\RouterManagers\Ip\".
Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\RouterManagers\Ip\".
Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess\RouterManagers\Ip\".
Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\".

If Win32.Graftor.6078 uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Downloader.bdld

Friday — Wed, 16 May 2012 10:37:50 GMT

The following instructions have been created to help you to get rid of "Win32.Downloader.bdld" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

malware

Description:

Win32.Downloader.bdld copies malicious files into the Windows directory and itself via an userinit entry.

Remove "<$ENV(Win32DownloaderBdld_Dir)>" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

If Win32.Downloader.bdld uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Win32.Autorun.ie

Friday — Wed, 16 May 2012 10:37:49 GMT

The following instructions have been created to help you to get rid of "Win32.Autorun.ie" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

malware

Description:

Win32.Autorun.ie tries to start itself in autorun as "iexplorer" to get started without raising suspicion.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

Entries named "iexplorer" and pointing to "<$SYSDIR>\iexplorer32.exe".
Entries named "msnmsggr" and pointing to "<$SYSDIR>\msnmsggr2.exe".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for Conficker.rtk

Friday — Wed, 16 May 2012 10:37:48 GMT

The following instructions have been created to help you to get rid of "Conficker.rtk" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

trojan
rootkit

Description:

Conficker.rtk is a Trojan horse that gets installed in background and can spread to the local network. It compromises the system security and uses rootkit functions to hide itself and stay persistent.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\Internet Explorer\mzeky.dll".
The file at "<$SYSDIR>\mzeky.dll".

Make sure you set your file manager to display hidden and system files. If Conficker.rtk uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\".
Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\".
Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wuauserv\".
Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\".

If Conficker.rtk uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Manual Removal Guide for ClaroMultimedia

Friday — Wed, 16 May 2012 10:37:46 GMT

The following instructions have been created to help you to get rid of "ClaroMultimedia" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:

malware

Description:

ClaroMultimedia tries to start a malicious executable file from the system directory via Autorun as "Windows Defender" or "Winlogon" without giving the user a possibility to cancel that process.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.

Entries named "Winlogon" and pointing to "<$WINDIR>\scssrr.exe".

Please read these instructions before requesting assistance,
Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

Updates: 2012-05-16

PepiMK — Wed, 16 May 2012 09:50:05 GMT

2012-05-16
Malware
+ ClaroMultimedia+ Win32.Autorun.ie++ Win32.Downloader.bdld+ Win32.FraudLoad.edt+ Win32.Renos
Trojans
++ Conficker.rtk++ Win32.Graftor.6078+ Win32.IRCBot+ Win32.Mabezat+ Win32.OnLineGames.down+ Win32.OnLineGames.gen+ Win32.SpyEye++ Win32.Yakes.adkv+ Win32.ZBot
Total: 2541129 fingerprints in 792248 rules for 6655 products.

More...

Hoping this works :)

spamman — Wed, 16 May 2012 02:04:01 GMT

Hi guys,

I know its busy and I am not trying to be pushy, but it says to post here if your post has gone by the way side so here I am!! :)

http://forums.spybot.info/showthread.php?t=65886

That is my orginal thread.

Thank you

Spamman

Need help - bad image error

johnp30 — Wed, 16 May 2012 00:38:13 GMT

Hi,
My laptop is currently having an issue whenever I try to access the internet (from either Google Chrome or Internet Explorer). I receive an error such as "chrome.exe - bad image" "C:\windows\system32\WRusr.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support."

I believe this is some type of malware but I ran Malwarebytes Anti-Malware and CCleaner with nothing found. I am posting from another PC since I cannot get onto the internet from my laptop. Because of this I'm not able to download and post the DDS log. I would appreciate any help with this situation, as I hope it can be resolved fairly quickly

Thanks,
John

Help please..

effe2012 — Tue, 15 May 2012 21:35:52 GMT

Hi,
I think I am at my wits end...so I would really appreciate help.
I think my laptop (as well as every other computer in the house is infected by the recycler virus...but it does not appear to get picked up by much. And after numerous reformats and Ubuntu installations i still return to the virus. It creates another recycle.bin folder within the recycle bin which then contains a folder names s-1-15- and the rest filled with SID- however having all the hhidden files enabled this folder contains temp files- which are $name.zip files... and numerous others. The temp folders contain hidden files as well as numerous other palces appear to be affected initially- the virus does not like you trying to fight it and appears to get anstier and slow down and affect more the more you fight it. I think I have tried most applications- but maybe I just need some proper expertise to help this one out... really appreciate your help in advance...

Below are scan results from DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Administrator at 7:21:58 on 2012-05-16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1069 [GMT 10:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Desktop\aswclnr.exe
C:\Users\Administrator\Desktop\aswclnr.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
TCP: DhcpNameServer = 211.31.138.11 211.29.132.12
TCP: Interfaces\{3D72DF1A-BFFD-4967-876E-FA70843E5A51} : DhcpNameServer = 211.31.138.11 211.29.132.12
TCP: Interfaces\{92D38CD7-718A-489E-808C-1F2B07643433} : DhcpNameServer = 211.31.138.11 211.29.132.12
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
.
=============== Created Last 30 ================
.
2012-05-16 09:56:57 -------- d-----w- c:\windows\Panther
2012-05-16 03:58:34 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-15 16:59:03 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7e42ef2b-76a9-412a-a091-5f1d78e0c5e0}\mpengine.dll
2012-05-15 16:59:02 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 16:11:41 -------- d-----w- c:\windows\system32\wbem\Performance
2012-05-15 16:04:58 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
.
============= FINISH: 7:22:22.71 ===============

This scan was run by Avast cleaner- which appears to not be able to scan the affected files- yet does nto detect anything:

5/16/2012, 7:15:38 AM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (4.7s).
----------
Files scanning started...
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb... file could not be scanned!
C:\System Volume Information\Syscache.hve... file could not be scanned!
C:\System Volume Information\Syscache.hve.LOG1... file could not be scanned!
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}... file could not be scanned!
C:\System Volume Information\{b3189e81-9eac-11e1-be4d-001eec4d38c8}{3808876b-c176-4e48-b7ae-04046e6cc752}... file could not be scanned!
C:\Users\Administrator\ntuser.dat.LOG1... file could not be scanned!
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F9E58EB7-9ED2-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F9E58EB8-9ED2-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FFF58FEE-9ED2-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DF16D1F91CBFE1775D.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DF293E448F155F5AC5.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DF2FDBDCB019E06B78.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DF377C24F81A7B4FA8.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DF9475B4386A730BD2.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DFA886D8E71384127F.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DFAA2A475524D38DEF.TMP... file could not be scanned!
C:\Users\Administrator\AppData\Local\Temp\~DFE752C5EC14C0576A.TMP... file could not be scanned!
C:\Users\Iw\ntuser.dat.LOG1... file could not be scanned!
C:\Users\Iw\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FACA7D59-9ED0-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Iw\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9106B47A-9ED2-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Iw\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FACA7D5A-9ED0-11E1-8777-001EEC4D38C8}.dat... file could not be scanned!
C:\Users\Iw\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DF0665EEB7AD2F3AA2.TMP... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DF41D5B22DDAD5B358.TMP... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DF86AB446AFC8E7BBD.TMP... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DFBE34C682CC01B195.TMP... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DFEB687E87222F158E.TMP... file could not be scanned!
C:\Users\Iw\AppData\Local\Temp\~DFFC3DD41038B55227.TMP... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat... file could not be scanned!
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1... file could not be scanned!
C:\Windows\System32\catroot2\edb.log... file could not be scanned!
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb... file could not be scanned!
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb... file could not be scanned!
C:\Windows\System32\config\DEFAULT.LOG1... file could not be scanned!
C:\Windows\System32\config\SAM.LOG1... file could not be scanned!
C:\Windows\System32\config\SECURITY.LOG1... file could not be scanned!
C:\Windows\System32\config\SOFTWARE.LOG1... file could not be scanned!
C:\Windows\System32\config\SYSTEM.LOG1... file could not be scanned!
No virus body found.
Files scanning finished (52060 files, 0 infected, 267.8s).
Drives scanned: C:
----------

Sirefef 's

dEgzi — Tue, 15 May 2012 20:25:35 GMT

Hi.
Today my computer started freezing when i was tryin to play with my friends, and i noticed that my virus detection programs were shut down.
I'm currently using Spybot SD and Microsoft Security Essentials.
MSE just keeps on tellin that the computer has Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P and i cannot remove them.
I Noticed another post about the similiar case, and saw that u guys gave him excellent help, thought u could help me out aswell.

Heres the DDS log and the other file
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Mikke at 23:01:39 on 2012-05-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.358.1033.18.8169.5317 [GMT 3:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Samsung\USB Drivers\26_VIA_driver2\amd64\VIAService.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\PROGRA~2\AD-AWA~1\AdAware.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Windows\System32\spool\drivers\x64\3\E_IATIGEE.EXE
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Mikke\AppData\Roaming\googleoez.exe
C:\Users\Mikke\AppData\Local\Apps\2.0\5JXPDZ2O.O2J\Y67VH46T.DBJ\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\CurseClient.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 210.107.100.251:8080
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
mWinlogon: Userinit=userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [EPSON S22 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGEE.EXE /FU "C:\Windows\TEMP\E_S42DB.tmp" /EF "HKCU"
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Spotify Web Helper] "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Google] C:\Users\Mikke\AppData\Roaming\googleoez.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
StartupFolder: C:\Users\Mikke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\Users\Mikke\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Mikke\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{D328A896-B3CA-4B83-B490-3D57EC7574BB} : DhcpNameServer = 192.168.100.1
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTo2.dll
mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Mikke\AppData\Roaming\Mozilla\Firefox\Profiles\iixr6ws3.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.110.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
R1 SbFw;SbFw;C:\Windows\system32\drivers\SbFw.sys --> C:\Windows\system32\drivers\SbFw.sys [?]
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 Dokan;Dokan;\??\C:\Windows\system32\drivers\dokan.sys --> C:\Windows\system32\drivers\dokan.sys [?]
R2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 Lycosa;Lycosa Keyboard;C:\Windows\system32\drivers\Lycosa.sys --> C:\Windows\system32\drivers\Lycosa.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\Windows\system32\DRIVERS\SBFWIM.sys --> C:\Windows\system32\DRIVERS\SBFWIM.sys [?]
R3 sbhips;sbhips;C:\Windows\system32\drivers\sbhips.sys --> C:\Windows\system32\drivers\sbhips.sys [?]
R3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]
S1 acsfzwys;acsfzwys;\??\C:\Windows\system32\drivers\acsfzwys.sys --> C:\Windows\system32\drivers\acsfzwys.sys [?]
S1 bmrptbji;bmrptbji;\??\C:\Windows\system32\drivers\bmrptbji.sys --> C:\Windows\system32\drivers\bmrptbji.sys [?]
S1 brwsynan;brwsynan;\??\C:\Windows\system32\drivers\brwsynan.sys --> C:\Windows\system32\drivers\brwsynan.sys [?]
S1 bzzxpcce;bzzxpcce;\??\C:\Windows\system32\drivers\bzzxpcce.sys --> C:\Windows\system32\drivers\bzzxpcce.sys [?]
S1 dlmgqunb;dlmgqunb;\??\C:\Windows\system32\drivers\dlmgqunb.sys --> C:\Windows\system32\drivers\dlmgqunb.sys [?]
S1 fzkqogiu;fzkqogiu;\??\C:\Windows\system32\drivers\fzkqogiu.sys --> C:\Windows\system32\drivers\fzkqogiu.sys [?]
S1 gnjwejcv;gnjwejcv;\??\C:\Windows\system32\drivers\gnjwejcv.sys --> C:\Windows\system32\drivers\gnjwejcv.sys [?]
S1 gpozhnjo;gpozhnjo;\??\C:\Windows\system32\drivers\gpozhnjo.sys --> C:\Windows\system32\drivers\gpozhnjo.sys [?]
S1 ivvnfbjz;ivvnfbjz;\??\C:\Windows\system32\drivers\ivvnfbjz.sys --> C:\Windows\system32\drivers\ivvnfbjz.sys [?]
S1 jcmbymue;jcmbymue;\??\C:\Windows\system32\drivers\jcmbymue.sys --> C:\Windows\system32\drivers\jcmbymue.sys [?]
S1 jhrdxeqa;jhrdxeqa;\??\C:\Windows\system32\drivers\jhrdxeqa.sys --> C:\Windows\system32\drivers\jhrdxeqa.sys [?]
S1 kfuugwzq;kfuugwzq;\??\C:\Windows\system32\drivers\kfuugwzq.sys --> C:\Windows\system32\drivers\kfuugwzq.sys [?]
S1 kgjoxunp;kgjoxunp;\??\C:\Windows\system32\drivers\kgjoxunp.sys --> C:\Windows\system32\drivers\kgjoxunp.sys [?]
S1 knhfhpok;knhfhpok;\??\C:\Windows\system32\drivers\knhfhpok.sys --> C:\Windows\system32\drivers\knhfhpok.sys [?]
S1 lddhrghn;lddhrghn;\??\C:\Windows\system32\drivers\lddhrghn.sys --> C:\Windows\system32\drivers\lddhrghn.sys [?]
S1 lisllgpv;lisllgpv;\??\C:\Windows\system32\drivers\lisllgpv.sys --> C:\Windows\system32\drivers\lisllgpv.sys [?]
S1 mifpixnm;mifpixnm;\??\C:\Windows\system32\drivers\mifpixnm.sys --> C:\Windows\system32\drivers\mifpixnm.sys [?]
S1 owaqcfnb;owaqcfnb;\??\C:\Windows\system32\drivers\owaqcfnb.sys --> C:\Windows\system32\drivers\owaqcfnb.sys [?]
S1 ovifneok;ovifneok;\??\C:\Windows\system32\drivers\ovifneok.sys --> C:\Windows\system32\drivers\ovifneok.sys [?]
S1 qrerckbl;qrerckbl;\??\C:\Windows\system32\drivers\qrerckbl.sys --> C:\Windows\system32\drivers\qrerckbl.sys [?]
S1 updtfadc;updtfadc;\??\C:\Windows\system32\drivers\updtfadc.sys --> C:\Windows\system32\drivers\updtfadc.sys [?]
S1 utphuhhd;utphuhhd;\??\C:\Windows\system32\drivers\utphuhhd.sys --> C:\Windows\system32\drivers\utphuhhd.sys [?]
S1 wbwoewcm;wbwoewcm;\??\C:\Windows\system32\drivers\wbwoewcm.sys --> C:\Windows\system32\drivers\wbwoewcm.sys [?]
S1 wkxqvxqr;wkxqvxqr;\??\C:\Windows\system32\drivers\wkxqvxqr.sys --> C:\Windows\system32\drivers\wkxqvxqr.sys [?]
S1 wvdaqubb;wvdaqubb;\??\C:\Windows\system32\drivers\wvdaqubb.sys --> C:\Windows\system32\drivers\wvdaqubb.sys [?]
S1 wzaqtwxl;wzaqtwxl;\??\C:\Windows\system32\drivers\wzaqtwxl.sys --> C:\Windows\system32\drivers\wzaqtwxl.sys [?]
S1 xgcrftet;xgcrftet;\??\C:\Windows\system32\drivers\xgcrftet.sys --> C:\Windows\system32\drivers\xgcrftet.sys [?]
S1 yaupckzz;yaupckzz;\??\C:\Windows\system32\drivers\yaupckzz.sys --> C:\Windows\system32\drivers\yaupckzz.sys [?]
S3 CYUSB;Cypress Generic USB Driver;C:\Windows\system32\Drivers\CYUSB.sys --> C:\Windows\system32\Drivers\CYUSB.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\Windows\system32\DRIVERS\sbfwim.sys --> C:\Windows\system32\DRIVERS\sbfwim.sys [?]
S3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
SUnknown jhbcafgk;jhbcafgk; [x]
SUnknown kqedmhwk;kqedmhwk; [x]
SUnknown olpjpgvt;olpjpgvt; [x]
SUnknown uqidycgt;uqidycgt; [x]
.
=============== Created Last 30 ================
.
2012-05-15 18:55:32 50000 ----a-w- C:\Windows\System32\drivers\knhfhpok.sys
2012-05-15 18:29:30 50000 ----a-w- C:\Windows\System32\drivers\mifpixnm.sys
2012-05-15 18:29:08 50000 ----a-w- C:\Windows\System32\drivers\qrerckbl.sys
2012-05-15 18:28:38 50000 ----a-w- C:\Windows\System32\drivers\kfuugwzq.sys
2012-05-15 18:28:15 50000 ----a-w- C:\Windows\System32\drivers\bzzxpcce.sys
2012-05-15 18:27:43 50000 ----a-w- C:\Windows\System32\drivers\brwsynan.sys
2012-05-15 18:27:17 50000 ----a-w- C:\Windows\System32\drivers\lisllgpv.sys
2012-05-15 18:25:40 50000 ----a-w- C:\Windows\System32\drivers\ovifneok.sys
2012-05-15 18:25:19 50000 ----a-w- C:\Windows\System32\drivers\yaupckzz.sys
2012-05-15 18:24:46 50000 ----a-w- C:\Windows\System32\drivers\gnjwejcv.sys
2012-05-15 18:24:25 50000 ----a-w- C:\Windows\System32\drivers\utphuhhd.sys
2012-05-15 18:23:55 50000 ----a-w- C:\Windows\System32\drivers\updtfadc.sys
2012-05-15 18:23:33 50000 ----a-w- C:\Windows\System32\drivers\wkxqvxqr.sys
2012-05-15 18:19:34 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-05-15 18:19:34 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-15 18:18:54 50000 ----a-w- C:\Windows\System32\drivers\jcmbymue.sys
2012-05-15 18:18:27 50000 ----a-w- C:\Windows\System32\drivers\xgcrftet.sys
2012-05-15 18:06:00 50000 ----a-w- C:\Windows\System32\drivers\wzaqtwxl.sys
2012-05-15 18:05:34 50000 ----a-w- C:\Windows\System32\drivers\kgjoxunp.sys
2012-05-15 18:02:35 50000 ----a-w- C:\Windows\System32\drivers\gpozhnjo.sys
2012-05-15 18:01:52 50000 ----a-w- C:\Windows\System32\drivers\lddhrghn.sys
2012-05-15 17:57:55 50000 ----a-w- C:\Windows\System32\drivers\fzkqogiu.sys
2012-05-15 17:57:50 50000 ----a-w- C:\Windows\System32\drivers\acsfzwys.sys
2012-05-15 17:57:17 50000 ----a-w- C:\Windows\System32\drivers\bmrptbji.sys
2012-05-15 17:56:32 50000 ----a-w- C:\Windows\System32\drivers\wbwoewcm.sys
2012-05-15 17:56:05 50000 ----a-w- C:\Windows\System32\drivers\dlmgqunb.sys
2012-05-15 17:52:53 50000 ----a-w- C:\Windows\System32\drivers\jhrdxeqa.sys
2012-05-15 17:52:26 50000 ----a-w- C:\Windows\System32\drivers\ivvnfbjz.sys
2012-05-15 17:44:36 50000 ----a-w- C:\Windows\System32\drivers\wvdaqubb.sys
2012-05-15 17:44:14 50000 ----a-w- C:\Windows\System32\drivers\owaqcfnb.sys
2012-05-15 17:43:57 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5CE86D19-96E5-47DC-8D5F-D512B9BA6B08}\offreg.dll
2012-05-15 16:45:09 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6436F758-9839-4EA0-999D-982F3085CC18}\gapaengine.dll
2012-05-15 16:45:06 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5CE86D19-96E5-47DC-8D5F-D512B9BA6B08}\mpengine.dll
2012-05-15 16:42:59 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-05-15 16:42:56 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-05-15 16:33:50 -------- d-----w- C:\Users\Mikke\AppData\Local\adaware
2012-05-15 16:33:48 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection
2012-05-15 16:33:30 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys
2012-05-15 16:33:13 119416 ----a-w- C:\Windows\System32\drivers\SbFwIm.sys
2012-05-15 16:33:11 57976 ----a-w- C:\Windows\System32\drivers\sbredrv.sys
2012-05-15 16:33:11 45936 ----a-w- C:\Windows\System32\sbbd.exe
2012-05-15 16:33:11 256632 ----a-w- C:\Windows\System32\drivers\SbFw.sys
2012-05-15 16:33:10 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus
2012-05-15 16:32:09 -------- d-----w- C:\Users\Mikke\AppData\Roaming\Ad-Aware Antivirus
2012-05-09 03:32:30 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-09 03:32:29 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-09 03:32:24 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-09 03:32:23 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-09 03:32:22 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-09 03:32:22 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-09 03:32:02 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-09 03:31:53 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-09 03:31:50 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 03:31:50 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-09 03:31:50 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-09 03:31:50 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-09 03:31:50 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-06 05:04:23 -------- d-----w- C:\Users\Mikke\AppData\Local\SniperV2
2012-05-06 04:36:08 102400 ------w- C:\Users\Mikke\AppData\Roaming\googleoez.exe
2012-05-02 17:01:48 -------- d-----w- C:\ProgramData\id Software
2012-04-26 08:19:34 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2012-04-26 08:19:30 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-26 08:19:30 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-04-24 22:43:33 715038 ----a-w- C:\Windows\unins000.exe
2012-04-19 20:04:20 90112 ----a-w- C:\Windows\unvise32.exe
2012-04-19 20:04:17 -------- d-----w- C:\Program Files (x86)\LooksBuilder
2012-04-19 12:47:47 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-04-19 12:47:47 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-04-19 12:47:47 221184 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
2012-04-19 12:47:47 221184 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-04-19 12:47:47 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
.
==================== Find3M ====================
.
2012-05-15 18:25:40 50000 ----a-w- C:\Windows\System32\drivers\ovifneok.sys
2012-05-13 21:43:22 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-05-13 21:43:22 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-05-13 21:42:55 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-05-09 04:26:50 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-09 04:26:49 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 10:28:11 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-03-20 17:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-03-20 17:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-03-07 13:49:40 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-01 06:46:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-02-29 21:00:22 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-02-29 21:00:09 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-02-29 20:59:47 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-02-29 20:59:47 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-02-29 20:59:47 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-02-29 20:59:29 2515790 ----a-w- C:\Windows\System32\nvcoproc.bin
2012-02-29 10:26:56 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-02-28 06:39:37 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 05:38:52 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 04:31:38 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 03:52:27 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-19 05:26:00 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
.
============= FINISH: 23:03:11,07 ===============

Attached Files

Attach.txt (7.7 KB)

Hi, just a heads up! =)

Leprkon — Mon, 14 May 2012 22:53:22 GMT

No rush or anything, I am pretty sure the volunteers are busy/swamped.
So to avoid being archived, I just wanted to make a post here! ^_^

http://forums.spybot.info/showthread.php?t=65885