ZVdP

  1. Almost forgot to leave a reply, as promised. Windows has been reinstalled and everything runs smoothly again. There was one corrupted backup file I had made, but I was able to retrieve the contents of this file by using the trial version of a file recovery tool. I want to thank you for your assistance and the time you have dedicated.
  2. Thanks for the offer and the help you have given over the past few days. I have used Hiren's BootCD to access my PC and I am currently zipping and transferring files from the infected PC to an FTP server I have set up on my NAS. I'll keep you posted on how the formatting and Windows install progress.
  3. It's a dv7 4060 eb, with a horribly designed cooling system. There is indeed a repair partition. I just accessed it by tapping F11. It offers a system restore, a computer check and a personal data backup. I'll have a closer look tomorrow morning.
  4. I don't know how to do it by heart, but I'm sure there are many tutorials available. I suppose I would have to burn a Windows Live CD on another PC, since my HP laptop didn't come with a separate Windows CD. If they are cutting costs, I would have preferred they included the CD but left out the fingerprint scanner.
  5. The problem seems to spread. Windows doesn't boot anymore. All safe modes get past the loading of all services, but then get stuck at a black screen with a responding mouse cursor. Nothing happens on Ctrl-Alt-Del, Enter or the Windows key. Normal mode gets past the Windows logo, but also gets stuck at the black screen before showing the blue welcome screen. At this point I wouldn't really mind reinstalling Windows. I suppose I could back up some documents first (my backup drive broke down last week and I haven't fixed it yet) with a bootable CD and then do a complete format of C:. Or do you still know of an alternative?
  6. Deleted those and ran a quick full scan with BullGuard after updating. The full scan only found a cookie, as usual: Cookie.DoubleClick C:\Users\Zjef\AppData\Roaming\Microsoft\Windows\Cookies\VUWNOYDC.txt. Still slow, and Windows still says it is not legitimate.
  7. Neither one reported anything:

     MBAM:

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.09.07.08

     Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
     Internet Explorer 9.0.8112.16421
     Zjef :: LAPTOP_ZJEF [administrator]

     7/09/2012 14:30:56
     mbam-log-2012-09-07 (14-30-56).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
     Scan options disabled:
     Objects scanned: 209453
     Time elapsed: 3 minute(s), 19 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     ____________________________
     ____________________________

     RogueKiller:

     RogueKiller V8.0.2 [08/31/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Safe mode with network support
     User : Zjef [Admin rights]
     Mode : Scan -- Date : 09/07/2012 14:39:00

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 10 ¤¤¤
     [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{989FEAD6-0D55-46FB-AEAA-0B43097D76EC} : NameServer (134.184.250.7,134.184.15.13) -> FOUND
     [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{989FEAD6-0D55-46FB-AEAA-0B43097D76EC} : NameServer (134.184.250.7,134.184.15.13) -> FOUND
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: TOSHIBA MK5056GSY +++++
     --- User ---
     [MBR] 10d6b8771f16d5909fa35a34e1239444
     [BSP] 6062bcbde48092622187a57b25860852 : Windows Vista/7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 451675 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 925440000 | Size: 24961 Mo
     3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[5].txt >>
     RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt
  8. Almost forgot to give an update: in normal mode, Windows now says it is not legitimate and asks for a code. When I select to enter the code later, the system proceeds, but the desktop is never shown, only an entirely black screen (save for the notice that Windows is not legitimate). Another note: I stopped all BullGuard processes and services in the Task Manager before starting ComboFix, but ComboFix still said BullGuard was running.
  9. The first time I ran ComboFix, it rebooted after finishing step 50. The system rebooted in normal mode. ComboFix automatically started, but after around half an hour it still said it was preparing the log file. In the meantime the desktop kept refreshing every few minutes. I then decided to restart in safe mode and do a second scan. During this scan the system didn't reboot, and it produced this log:

     ComboFix 12-09-06.04 - Zjef 07/09/2012 11:17:08.3.4 - x64 NETWORK
     Microsoft Windows 7 Home Premium 6.1.7601.1.1252.32.1043.18.3894.3069 [GMT 2:00]
     Started from: c:\users\Zjef\Desktop\ComboFix.exe
     AV: BullGuard Antivirus *Enabled/Updated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}
     FW: BullGuard Firewall *Enabled* {68747E43-7A47-EA26-053F-CB84640E3E67}
     SP: BullGuard Antispyware *Enabled/Updated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}
      * A new restore point was created
     .
     .
     (((((((((((((((((((( Files Created from 2012-08-07 to 2012-09-07 ))))))))))))))))))))))))))))))
     .
     .
     2012-09-07 09:22 . 2012-09-07 09:22 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-09-07 09:22 . 2012-09-07 09:22 -------- d-----w- c:\users\Administrator\AppData\Local\temp
     2012-09-06 19:26 . 2012-09-06 19:26 -------- d-----w- C:\_OTL
     2012-09-06 17:58 . 2012-09-06 17:58 280 ----a-w- C:\reg2.reg
     2012-09-05 07:44 . 2012-09-05 07:44 -------- d-----w- c:\programdata\Kaspersky Lab
     2012-09-04 08:05 . 2012-09-04 08:05 -------- d-----w- c:\users\Zjef\AppData\Local\Programs
     2012-09-04 08:02 . 2012-09-06 05:54 -------- d-----w- c:\program files\DIFX
     2012-08-24 12:48 . 2012-08-24 12:48 111064 ----a-w- c:\windows\system32\BgGamingMonitor.dll
     2012-08-24 12:48 . 2012-08-24 12:48 100216 ----a-w- c:\windows\SysWow64\BgGamingMonitor.dll
     2012-08-23 09:04 . 2012-09-05 20:53 -------- d-----w- C:\Roguekiller
     2012-08-17 14:24 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
     2012-08-17 14:24 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
     2012-08-17 14:24 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
     2012-08-17 14:24 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
     2012-08-17 14:24 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
     2012-08-17 14:24 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
     2012-08-16 13:45 . 2012-08-16 13:45 -------- d-----w- C:\MGADiagToolOutput
     2012-08-16 13:45 . 2012-08-16 13:45 -------- d-----w- c:\programdata\Office Genuine Advantage
     2012-08-16 13:05 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
     2012-08-16 13:05 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
     2012-08-16 13:05 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
     2012-08-16 13:05 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
     2012-08-16 13:04 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
     2012-08-16 12:37 . 2012-09-06 05:40 -------- d-----w- c:\programdata\Recovery
     2012-08-16 12:30 . 2012-08-16 12:30 -------- d-----w- c:\users\Zjef\AppData\Local\AVG Secure Search
     2012-08-16 12:30 . 2012-08-16 12:52 -------- d-----w- c:\program files (x86)\Magical Jelly Bean
     2012-08-16 12:30 . 2012-08-16 12:30 -------- d-----w- c:\programdata\AVG Secure Search
     2012-08-16 12:30 . 2012-08-16 12:52 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
     2012-08-16 12:30 . 2012-08-16 12:52 -------- d-----w- c:\program files (x86)\AVG Secure Search
     2012-08-16 12:30 . 2012-08-16 12:30 -------- d-----w- c:\programdata\Common Files
     2012-08-16 11:46 . 2012-08-16 11:46 -------- d-----w- c:\programdata\ATI
     2012-08-15 08:44 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
     2012-08-08 21:29 . 2012-08-08 21:29 63840 ----a-w- c:\windows\system32\BGLsp.dll
     2012-08-08 21:29 . 2012-08-08 21:29 54624 ----a-w- c:\windows\SysWow64\BGLsp.dll
     .
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-08-16 21:56 . 2010-07-06 14:18 62134624 ----a-w- c:\windows\system32\MRT.exe
     2012-08-15 19:11 . 2012-03-30 08:17 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
     2012-08-15 19:11 . 2011-05-15 09:29 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
     2012-07-03 11:46 . 2011-04-10 07:26 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-06-20 08:54 . 2009-12-04 10:00 38528 ----a-r- c:\windows\system32\drivers\Afw.sys
     2012-06-20 08:54 . 2009-12-04 10:00 445568 ----a-r- c:\windows\system32\drivers\AfwCore.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legitimate default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
     "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-01-22 98304]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     "HideFastUserSwitching"= 0 (0x0)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "EnableShellExecuteHooks"= 1 (0x1)
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\System32\BgGamingMonitor.dll
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
     "mixer"=wdmaud.drv
     .
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages REG_MULTI_SZ DPPassFilter scecli
     Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
     @="Service"
     .
     R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-06 834544]
     R1 BdSpy;BdSpy;c:\windows\system32\DRIVERS\BdSpy.sys [2011-04-09 66272]
     R1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [2010-01-29 20056]
     R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\DRIVERS\NSKernel.sys [2012-02-28 256072]
     R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\DRIVERS\NSNetmon.sys [2012-02-28 25160]
     R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
     R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-01-22 202752]
     R2 BsBackup;BullGuard backup service;c:\windows\System32\SvcHost.exe [2009-07-14 27136]
     R2 BsBhvScan;BullGuard Behavioural Detection;c:\program files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe [2012-08-24 368480]
     R2 BsFileScan;BullGuard on-access service;c:\windows\System32\SvcHost.exe [2009-07-14 27136]
     R2 BsFire;BullGuard firewall service;c:\windows\System32\SvcHost.exe [2009-07-14 27136]
     R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\System32\SvcHost.exe [2009-07-14 27136]
     R2 BsMain;BullGuard main service;c:\windows\System32\SvcHost.exe [2009-07-14 27136]
     R2 BsScanner;BullGuard scanning service;c:\program files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [2012-08-24 201056]
     R2 BsUpdate;BullGuard update service;c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2012-08-24 379744]
     R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
     R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-02-08 338168]
     R2 gupdate;Google Updateservice (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-02 136176]
     R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
     R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 30520]
     R2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
     R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-11-21 11576]
     R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
     R3 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\AESTSr64.exe [2009-03-03 89600]
     R3 afwcore;afwcore;c:\windows\system32\DRIVERS\afwcore.sys [2012-06-20 445568]
     R3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [2011-03-18 74376]
     R3 AltiumJtagUSB;AltiumJtagUSB;c:\windows\system32\Drivers\AltiumUSBJtag_x64.sys [2007-04-11 48128]
     R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-01-22 6233088]
     R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-01-22 161280]
     R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-07-04 1431888]
     R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
     R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2012-03-09 13352]
     R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-02 136176]
     R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
     R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-01-22 8034368]
     R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
     R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-11 232992]
     R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-28 295424]
     R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-01-18 155320]
     R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
     R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
     R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
     R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
     R3 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
     R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-06 1255736]
     R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\realtemp\WinRing0x64.sys [2012-05-19 14544]
     R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
     R4 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
     R4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-28 2343816]
     R4 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-04 92216]
     R4 mitsijm2011;Autodesk Moldflow Inventor Tool Suite Integration 2011 Job Manager;c:\program files\Autodesk\Inventor 2011\Moldflow\bin\mitsijm.exe [2010-01-22 673792]
     R4 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-01-05 2184496]
     S1 AFW;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [2012-06-20 38528]
     S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
     S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
     S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
     .
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
     2010-01-22 09:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-09-07 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 19:11]
     .
     2012-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-02 00:17]
     .
     2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-02 00:17]
     .
     2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238075391-4083319975-1177796488-1001Core.job
     - c:\users\Zjef\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-30 19:39]
     .
     2012-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238075391-4083319975-1177796488-1001UA.job
     - c:\users\Zjef\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-30 19:39]
     .
     2012-08-08 c:\windows\Tasks\HPCeeScheduleForZjef.job
     - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 02:53]
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
     @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
     @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
     @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
     @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
     @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
     @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
     @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
     @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
     @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
     [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
     2010-03-21 07:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
     "HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
     "HPToneControl"="c:\program files\Hewlett-Packard\HPToneControl\HPTonectl.exe" [2009-08-19 107832]
     "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
     "BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2012-08-24 1863008]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "AppInit_DLLs"=c:\windows\System32\BgGamingMonitor.dll
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.wetenschapsforum.nl/index.php?app=forums
     uLocal Page = c:\windows\system32\blank.htm
     mStart Page = about:blank
     mLocal Page = c:\windows\SysWOW64\blank.htm
     IE: E&xporteren naar Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
     IE: SmarThru4 Capture Selection - c:\program files (x86)\SmarThru 4\WebCapture.dll2.htm
     IE: SmarThru4 Save as HTML - c:\program files (x86)\SmarThru 4\WebCapture.dll1.htm
     IE: SmarThru4 Save Selected Text - c:\program files (x86)\SmarThru 4\WebCapture.dll.htm
     IE: SmarThru4 Web Capture - c:\program files (x86)\SmarThru 4\WebCapture.dll
     LSP: c:\windows\system32\BGLsp.dll
     TCP: Interfaces\{989FEAD6-0D55-46FB-AEAA-0B43097D76EC}: NameServer = 134.184.250.7,134.184.15.13
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Shockwave Flash Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
     @="0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
     @="ShockwaveFlash.ShockwaveFlash.11"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="ShockwaveFlash.ShockwaveFlash"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Macromedia Flash Factory Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
     @="FlashFactory.FlashFactory.1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="FlashFactory.FlashFactory"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     Completion time: 2012-09-07 11:26:17
     ComboFix-quarantined-files.txt 2012-09-07 09:26
     ComboFix2.txt 2012-09-07 09:12
     .
     Pre-Run: 137.842.675.712 bytes available
     Post-Run: 137.774.338.048 bytes available
     .
     - - End Of File - - C8292A4EBB70AC858AB509A1550F4D67
  10. I have access to a wireless network. I currently only activate it for downloading the anti-malware and uploading the logs.
  11. Sorry, forgot to include that in the post. It is still slow and unresponsive. A new thing occurred as well, and that was before the OTL fix: Windows Explorer is having difficulties, even in safe mode. It crashes when trying to view the C:\ drive, or other folders directly under C:\. It seems to perform a search (the loading bar at the top slowly fills) and then crashes. It then appears to restart explorer.exe, since the desktop flashes for a second and the safe mode help file is reloaded. I can view other folders by expanding the + sign next to the drive and selecting other folders.
  12. I had to reboot. When rebooting, an error occurred that a file ("seemingly random string of characters".exe) could not be found (I think a rundll error, but I closed it too fast). Then a small OTL window said "Error creating log file". Soon after that, however, a Notepad file opened automatically:

     All processes killed
     ========== COMMANDS ==========
     [EMPTYTEMP]

     User: Administrator

     User: All Users

     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 33170 bytes
     ->Flash cache emptied: 56475 bytes

     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Flash cache emptied: 0 bytes

     User: Public

     User: Zjef
     ->Temp folder emptied: 46641539 bytes
     ->Temporary Internet Files folder emptied: 25924244 bytes
     ->Java cache emptied: 225108678 bytes
     ->Google Chrome cache emptied: 0 bytes
     ->Flash cache emptied: 57145 bytes

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 131807 bytes
     %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67820 bytes
     %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
     RecycleBin emptied: 66118477 bytes

     Total Files Cleaned = 347,00 mb

     [EMPTYJAVA]

     User: Administrator
     User: All Users
     User: Default
     User: Default User
     User: Public
     User: Zjef
     ->Java cache emptied: 0 bytes

     Total Java Files Cleaned = 0,00 mb

     [EMPTYFLASH]

     User: Administrator
     User: All Users
     User: Default
     ->Flash cache emptied: 0 bytes
     User: Default User
     ->Flash cache emptied: 0 bytes
     User: Public
     User: Zjef
     ->Flash cache emptied: 0 bytes

     Total Flash Files Cleaned = 0,00 mb

     OTL by OldTimer - Version 3.2.61.0 log created on 09062012_212646
  13. I have no idea what BullGuard writes to that file. Looking at the rar size, it's a lot of characters containing little information... I have copy-pasted all entries of the log below:

     c:\users\zjef\appdata\local\temp\v.class
     Details
     Malicious software: Trojan.Downloader.Java.OpenConnection.BC
     ______________________________
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\24\37060898-651b3245-temp
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\32\2d570ee0-3ad59152
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\35\3b5e5c23-104c3f5f
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\41\55618269-2613de5a
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\46\32bb12ae-57a1a8d9
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\46\32bb12ae-75a28774
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\49\eb139b1-2b2984bb
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\49\eb139b1-42a3ed9f-temp
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\55\7480ae37-5f56e751
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\61\123883bd-37056f20
     c:\users\zjef\appdata\locallow\sun\java\deployment\cache\6.0\62\6d53c93e-734a29be
     _______________________
     c:\windows\temp\tmp000051cb\tmp00009f9a
     Gen:Variant.Kazy.66100 c:\windows\temp\tmp000051cb\tmp00009f9a
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{7C5A40AE-C944-45D0-AE56-9168519D4048}
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKCU\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser\{7C5A40AE-C944-45D0-AE56-9168519D4048}
     Gen:Variant.Kazy.66100 HKLM\Software\Microsoft\Internet Explorer\Main
     Gen:Variant.Kazy.66100 HKLM\Software\Microsoft\Internet Explorer\Main
     Gen:Variant.Kazy.66100 HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{283C8576-0726-4DBC-9609-3F855162009A}
     Gen:Variant.Kazy.66100 HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7C5A40AE-C944-45D0-AE56-9168519D4048}
     _____________________
     c:\windows\temp\tmp000051cb\tmp00009fe3
     Gen:Variant.Kazy.66100 c:\windows\temp\tmp000051cb\tmp00009fe3
     Gen:Variant.Kazy.66100 HKLM\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
     Gen:Variant.Kazy.66100 HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
     ____________________
     c:\windows\temp\tmp000051cb\tmp0000a02e
     Trojan.Sirefef.IW c:\windows\temp\tmp000051cb\tmp0000a02e
     Trojan.Sirefef.IW c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
     __________________________
     _________________________

     This is what TDSS found (unsigned files): TDSS.txt

     Note: I don't know if it's of any importance, but I had to run the TDSS scan in safe mode. In normal mode, after the reboot, TDSS automatically starts, but the timer just ticks away (I waited until the timer said 10 minutes) without any files being listed as scanned.
  14. I couldn't find a way to convert the log to a text file. Can you open the BullGuard log file, or shall I copy-paste all entries here? (attachment: 2012090515190400000000f.rar)
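The RogueKiller report in post 7 lists ten registry findings, and the ones that matter on a host like this are the UAC policy values: EnableLUA and ConsentPromptBehaviorAdmin are both 0, which the ComboFix log in post 9 confirms under Policies\System. The script below is an added example by the editor, not code from the original posts, from RogueKiller or from BullGuard. It parses findings in the one-per-line form quoted in post 7, ranks them by what they mean for the machine's security posture, and builds a .reg fragment that puts the flagged UAC values back to their Windows 7 defaults. The regular expression, the severity mapping and the UAC_DEFAULTS table are the editor's assumptions; the sample input is a constructed copy of five of the posted entries.

```python
"""Triage helper for RogueKiller 'Registry Entries' findings.

Added example, not part of the original forum posts or of RogueKiller.
It parses the one-finding-per-line report format, ranks each entry, and
emits a .reg fragment that restores the UAC defaults that were found at 0.
"""
import re
from dataclasses import dataclass

# Constructed sample: five of the entries from the RogueKiller report quoted
# in post 7 (the original report was posted run together on one line).
SAMPLE_REPORT = r"""
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{989FEAD6-0D55-46FB-AEAA-0B43097D76EC} : NameServer (134.184.250.7,134.184.15.13) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
"""

# "[TAG] key : valuename (data) -> FOUND"; the tag may contain a space ("HJ DESK").
FINDING_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+"
    r"\((?P<value>[^)]*)\)\s+->\s+FOUND$"
)

# Windows 7 defaults for the UAC values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (editor's table).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


@dataclass
class Finding:
    tag: str
    key: str
    name: str
    value: str
    severity: str  # "high", "review" or "info"
    note: str


def classify(tag, name, value):
    """Map one finding to (severity, one-line explanation)."""
    if name == "EnableLUA" and value == "0":
        return ("high", "UAC is off: an admin user's processes all run with the full token")
    if name == "ConsentPromptBehaviorAdmin" and value == "0":
        return ("high", "admins elevate silently; the Windows 7 default is 5 (prompt for consent)")
    if name == "DisableRegistryTools":
        # RogueKiller flags the value's presence; 0 means regedit is NOT blocked.
        return ("info" if value == "0" else "high", "0 leaves regedit usable, 1 blocks it")
    if tag == "DNS":
        return ("review", "check the resolvers against what the ISP or network should hand out")
    return ("info", "no security impact known for this entry")


def parse_report(text):
    """Parse every well-formed finding line; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        sev, note = classify(m["tag"], m["name"], m["value"])
        findings.append(Finding(m["tag"], m["key"], m["name"], m["value"], sev, note))
    return findings


def uac_restore_reg(findings):
    """Build a .reg fragment restoring only the UAC values that were flagged high."""
    wanted = {f.name for f in findings if f.severity == "high" and f.name in UAC_DEFAULTS}
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]",
    ]
    lines += ['"%s"=dword:%08x' % (name, UAC_DEFAULTS[name]) for name in sorted(wanted)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.severity:6} {f.name:40} = {f.value:30} {f.note}")
    print()
    print(uac_restore_reg(found))
```

Importing the generated fragment with regedit turns UAC back on after the next reboot; on the machine in this thread that is only worth doing after the Sirefef detection in post 13 has been dealt with, since a still-running infection can simply flip the values again.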