
Hosts File Hijack


  • This topic is locked
18 replies to this topic

#1 Merinar56

Merinar56

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 27 January 2012 - 05:28 AM

Hello

Yesterday I caught something that seemingly hijacked my hosts file. Normally I have the option to protect the hosts file switched on in Avira Free Antivirus, but I switched real-time protection off for gaming and for some reason the tray icon didn't show the off state. Then after finishing gaming I forgot to switch Avira on again for surfing and therefore caught some malware(?).
Now when using Firefox 9.0.1 I rarely get redirected (though I know exactly that I shouldn't be redirected with the link I used) to a site with a black background and red text in a white field that says JavaScript is disabled, but it's not a message from NoScript.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Meronier at 11:01:47 on 2012-01-27
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.8191.6497 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\msdtc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k PeerDist
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Malware Protection Center] /s /d
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{5F051BC7-782B-4446-BB20-9367EE88B72C} : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{CF5231CC-D000-4CC3-8641-7EA66A275433} : DhcpNameServer = 192.168.178.1
IFEO: image file execution options - svchost.exe
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
IFEO-X64: image file execution options - svchost.exe
Hosts: 188.119.151.113 www.google-analytics.com.
Hosts: 188.119.151.113 ad-emea.doubleclick.net.
Hosts: 188.119.151.113 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Meronier\AppData\Roaming\Mozilla\Firefox\Profiles\ra6c0z1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npWebLaunch.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-14 86224]
R2 AntiVirService;Avira Echtzeit Scanner;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-14 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys --> C:\Windows\system32\drivers\ha20x22k.sys [?]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-8-31 14648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-4 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-4 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-01-27 09:29:10 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\offreg.dll
2012-01-27 09:25:53 6219088 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-01-27 09:25:51 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\mpengine.dll
2012-01-25 10:34:04 -------- d-----w- C:\Users\Meronier\AppData\Roaming\Braid
2012-01-22 19:26:50 -------- d-sh--w- C:\Users\Meronier\AppData\Roaming\Malware Protection Center
2012-01-22 19:26:49 -------- d-sh--w- C:\ProgramData\MPZERXFC
2012-01-22 19:26:38 -------- d-sh--w- C:\ProgramData\986b88
2012-01-21 13:59:15 -------- d-----w- C:\Windows\Uninstall
2012-01-21 12:59:59 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-21 12:59:59 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-01-04 15:17:45 328704 ----a-w- C:\Windows\IsUn0407.exe
2012-01-04 14:47:16 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-01-04 14:47:16 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-01-04 14:47:16 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-01-04 14:47:16 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2011-12-29 14:27:03 -------- d-----w- C:\Program Files\Core Temp
.
==================== Find3M ====================
.
2012-01-23 21:58:13 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\drivers\WdfCoInstaller01007.dll
2011-12-12 21:19:59 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-10 14:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-07 09:39:10 279096 ------w- C:\Windows\System32\MpSigStub.exe
2011-12-06 14:55:48 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2011-11-30 17:44:02 10497024 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-30 17:19:56 24887808 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-30 17:03:50 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-30 17:03:36 749568 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-30 17:01:54 893440 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-30 16:58:56 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-30 16:58:40 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-30 16:58:02 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-30 16:58:00 18829312 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-30 16:56:46 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-30 16:56:26 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-30 16:56:20 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-30 16:56:08 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-30 16:56:02 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-30 16:55:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-30 16:55:52 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-30 16:51:20 4327936 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-30 16:40:50 5079552 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-30 16:33:46 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-30 16:33:14 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-30 16:33:02 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-30 16:31:18 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-30 16:31:16 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-30 16:31:06 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-30 16:31:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-30 16:30:52 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-30 16:28:56 4356096 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-30 16:27:02 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-30 16:24:58 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-30 16:22:08 5512704 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-30 16:20:04 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-30 16:14:14 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-30 16:14:06 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-30 16:13:52 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-30 16:13:44 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-30 16:13:36 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-30 16:13:28 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-30 16:12:38 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-30 16:12:30 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-30 16:12:24 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-30 16:12:16 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-30 16:11:38 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-21 17:51:32 86016 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 11:02:03,31 ===============



Attach.txt posted because the DDS log says: Note: multiple HOSTS entries found. Please refer to Attach.txt

Attached File: Attach.zip (3.47KB, 5 downloads)
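A triage script for the Pseudo HJT section of the DDS log in this post, added here as an example (it is not part of the post, of DDS, or of any tool the helpers use): it parses the `Hosts:`, `mPolicies-system:`, `IFEO` and `uRun:` line formats shown in the report, flags hosts entries that redirect a domain to a remote address rather than a loopback sink, UAC policy values set to 0, an IFEO entry on a system binary, and a Run entry whose command line has no executable path. The sample log is constructed from the report's format and the function names are my own.

```python
"""Triage a DDS 'Pseudo HJT Report' for hosts-file hijacks and weakened UAC.

Added example, not the DDS tool's own code. Line formats are taken from the
report in the thread; SAMPLE_LOG is a constructed excerpt in that format.
"""
import ipaddress
import re

# Constructed sample in the DDS Pseudo HJT format (a few lines from the thread
# plus one benign loopback sink entry so the classifier has both cases).
SAMPLE_LOG = r"""
uRun: [Malware Protection Center] /s /d
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IFEO: image file execution options - svchost.exe
Hosts: 188.119.151.113 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 127.0.0.1 ads.example.invalid.
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
POLICY_RE = re.compile(r"^[um]Policies-system:\s+(\w+)\s*=\s*(\d+)")
IFEO_RE = re.compile(r"^IFEO(?:-X64)?:.*-\s+(\S+)\s*$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s+\[([^\]]+)\]\s*(.*)$")

# UAC policy values that disable elevation prompting: 0 means off / no prompt.
WEAK_UAC = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}


def parse_hosts(log: str):
    """Return (ip, hostname) pairs from 'Hosts:' lines; DDS appends a trailing dot."""
    pairs = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).rstrip(".").lower()))
    return pairs


def is_redirect(ip: str) -> bool:
    """True when the address is not a local sink (loopback/unspecified).

    A hosts entry pointing a domain at 127.0.0.1 or 0.0.0.0 merely blocks it
    (ad-blocking style); any other address sends that domain's traffic to a
    remote host, which is the hijack pattern seen in this thread.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address field: treat as suspicious
    return not (addr.is_loopback or addr.is_unspecified)


def triage(log: str):
    """Return a list of (category, detail) findings from one DDS report."""
    findings = []
    for ip, host in parse_hosts(log):
        if is_redirect(ip):
            findings.append(("hosts-redirect", f"{host} -> {ip}"))
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if m:
            key, val = m.group(1), int(m.group(2))
            if key in WEAK_UAC and val == WEAK_UAC[key]:
                findings.append(("uac-weakened", f"{key} = {val}"))
            continue
        m = IFEO_RE.match(line)
        if m:
            # An Image File Execution Options entry on a system binary means
            # something else is launched whenever that binary starts.
            item = ("ifeo-hijack", m.group(1).lower())
            if item not in findings:  # IFEO and IFEO-X64 repeat the same entry
                findings.append(item)
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(1), m.group(2).strip()
            # DDS renders a Run value with only switches and no executable path
            # when the autostart's file is hidden or missing: worth a look.
            if not cmd or all(tok.startswith("/") for tok in cmd.split()):
                findings.append(("run-no-path", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```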



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:49 PM

Posted 30 January 2012 - 05:07 AM

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 Merinar56

Merinar56
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 31 January 2012 - 03:56 AM

ComboFix 12-01-30.02 - Meronier 31.01.2012 9:23.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.8191.6880 [GMT 1:00]
ausgeführt von:: f:\setupdateien3\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\986b88
c:\programdata\986b88\8885.mof
c:\programdata\986b88\BackUp\AutorunsDisabled\HP Digital Imaging Monitor.lnk
c:\programdata\986b88\MPC.ico
c:\programdata\986b88\MPCSys\VDAI.ntf
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\delfile.tmp
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\energy.drv
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\gid.tmp
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\grid.tmp
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
c:\users\Meronier\AppData\Roaming\Microsoft\Windows\Recent\sld.dll
c:\windows\IsUn0407.exe
c:\windows\system32\java.exe
c:\windows\SysWow64\tmp306E.tmp
c:\windows\SysWow64\tmp308E.tmp
c:\windows\SysWow64\tmp4F5B.tmp
c:\windows\SysWow64\tmp4F6B.tmp
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-12-28 bis 2012-01-31 ))))))))))))))))))))))))))))))
.
.
2012-01-31 08:26 . 2012-01-31 08:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-29 05:40 . 2012-01-29 05:40 -------- d-----w- c:\users\Meronier\AppData\Roaming\Ubisoft
2012-01-28 20:32 . 2012-01-28 20:32 1 ----a-w- c:\windows\SysWow64\SI.bin
2012-01-27 09:25 . 2012-01-17 03:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\mpengine.dll
2012-01-25 10:34 . 2012-01-25 10:34 -------- d-----w- c:\users\Meronier\AppData\Roaming\Braid
2012-01-23 21:58 . 2012-01-23 21:58 -------- d-----w- c:\windows\system32\Macromed
2012-01-22 19:26 . 2012-01-22 19:27 -------- d-sh--w- c:\users\Meronier\AppData\Roaming\Malware Protection Center
2012-01-22 19:26 . 2012-01-22 19:26 -------- d-sh--w- c:\programdata\MPZERXFC
2012-01-21 14:01 . 2012-01-21 13:59 556880 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\IRZip.lmd
2012-01-21 14:00 . 2012-01-21 14:00 325960 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\lua5.1.dll
2012-01-21 14:00 . 2012-01-21 14:00 1360896 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\uninstall.exe
2012-01-21 13:59 . 2012-01-21 14:00 -------- d-----w- c:\windows\Uninstall
2012-01-21 12:59 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-21 12:59 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-07 08:37 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-07 08:37 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-01-04 14:47 . 2001-04-11 17:25 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-01-04 14:47 . 2001-04-11 17:25 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-01-04 14:47 . 2001-04-11 17:21 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-01-04 14:47 . 2001-04-11 17:20 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 13:34 . 2011-06-12 21:57 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-24 12:17 . 2012-01-30 08:46 448 ----a-w- c:\windows\Fonts\HFF Xmas Hoedown.pfm
2011-12-20 21:14 . 2011-12-20 21:14 1486688 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2011-12-20 21:14 . 2011-12-20 21:14 1486688 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll
2011-12-10 14:24 . 2010-09-08 11:56 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 10:00 . 2011-10-14 13:15 130760 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-07 09:39 . 2010-02-10 06:18 279096 ------w- c:\windows\system32\MpSigStub.exe
2011-12-06 14:55 . 2010-09-08 11:48 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2011-11-30 17:44 . 2011-11-30 17:44 10497024 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-11-30 17:19 . 2011-11-30 17:19 24887808 ----a-w- c:\windows\system32\atio6axx.dll
2011-11-30 17:03 . 2011-11-30 17:03 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-11-30 17:03 . 2011-11-30 17:03 749568 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-11-30 17:01 . 2011-11-30 17:01 893440 ----a-w- c:\windows\system32\aticfx64.dll
2011-11-30 16:58 . 2011-11-30 16:58 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-11-30 16:58 . 2011-11-30 16:58 517120 ----a-w- c:\windows\system32\atieclxx.exe
2011-11-30 16:58 . 2011-11-30 16:58 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-11-30 16:58 . 2011-11-30 16:58 18829312 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-11-30 16:56 . 2011-11-30 16:56 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-11-30 16:56 . 2011-11-30 16:56 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-11-30 16:56 . 2011-11-30 16:56 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-11-30 16:56 . 2011-11-30 16:56 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-11-30 16:56 . 2011-11-30 16:56 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-11-30 16:55 . 2011-11-30 16:55 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-11-30 16:55 . 2011-11-30 16:55 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-11-30 16:51 . 2011-11-30 16:51 4327936 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-11-30 16:40 . 2011-11-30 16:40 5079552 ----a-w- c:\windows\system32\atidxx64.dll
2011-11-30 16:33 . 2011-11-30 16:33 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-11-30 16:33 . 2011-11-30 16:33 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-11-30 16:33 . 2011-11-30 16:33 4044288 ----a-w- c:\windows\system32\atiumd6a.dll
2011-11-30 16:31 . 2011-11-30 16:31 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-11-30 16:31 . 2011-11-30 16:31 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-11-30 16:31 . 2011-11-30 16:31 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-11-30 16:31 . 2011-11-30 16:31 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-11-30 16:30 . 2011-11-30 16:30 9978880 ----a-w- c:\windows\system32\aticaldd64.dll
2011-11-30 16:28 . 2011-11-30 16:28 4356096 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-11-30 16:27 . 2011-11-30 16:27 8449024 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-11-30 16:24 . 2011-11-30 16:24 4189184 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-11-30 16:22 . 2011-11-30 16:22 5512704 ----a-w- c:\windows\system32\atiumd64.dll
2011-11-30 16:20 . 2011-11-30 16:20 58880 ----a-w- c:\windows\system32\coinst.dll
2011-11-30 16:14 . 2011-11-30 16:14 486912 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-30 16:14 . 2011-09-08 16:53 339968 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-11-30 16:13 . 2011-11-30 16:13 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-11-30 16:13 . 2011-11-30 16:13 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 326656 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-11-30 16:12 . 2011-11-30 16:12 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-11-30 16:12 . 2011-11-30 16:12 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-11-30 16:12 . 2011-11-30 16:12 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-11-30 16:12 . 2011-11-30 16:12 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-11-30 16:11 . 2011-11-30 16:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-11-30 16:11 . 2011-11-30 16:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-11-30 16:11 . 2011-11-30 16:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-11-30 16:11 . 2011-11-30 16:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-11-30 16:11 . 2011-11-30 16:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-11-21 17:51 . 2011-11-21 17:51 86016 ----a-w- c:\windows\system32\ff_vfw.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Protection Center"="/d" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-07-07 24576]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-30 343168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoStartMenuMyGames"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-01-04 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-04 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2010-08-31 14648]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Meronier\AppData\Roaming\Mozilla\Firefox\Profiles\ra6c0z1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-GTL- Alfa GTA -New Sounds v1.0 - f:\gtl-dateien\Alfa GTA Sounds v1_0 by DucFreak\AlfaGTA New Sounds v1.0 -Uninstaller.exe
AddRemove-{7353BAE6-5E49-46C4-A9B5-8A269A313789} - c:\programdata\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\setup.exe
AddRemove-{C1080852-065E-4991-9260-F3756E3CC182} - c:\programdata\{E568B6A0-8E02-46C8-8954-00ECD7CD3554}\CursorFX_setup.exe
AddRemove-{ECFE31F5-E526-44C8-BE6A-0D6E9E128B60}_is1 - f:\fallout new vegas\GuideLines\unins000.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1864920306-1801672675-3418825883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*a*àYqe**€$*02%20snowflake%202%20%2B%20remake%20%28basic%20res.mp3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1864920306-1801672675-3418825883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*p*g*¡ °yi**‹file:///F:/MyMusic/Batman%5B1989-2008%5DSoundtracks%20%26%20Scores%20From%20The%20Live-Action%20Films%5BVA%5D-FlynnFlan/The%20Dark%20Knight%5B2008%5DSoundtrack%5BHans%20Zimmer%20%26%20James%20Newton%20Howard%5D-FlynnFlan/01%20-%20Why%20So%20Serious.mp3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\MSI Afterburner\MSIAfterburner.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-01-31 09:31:17 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-01-31 08:31
.
Vor Suchlauf: 597.461.811.200 bytes free
Nach Suchlauf: 597.165.481.984 bytes free
.
- - End Of File - - 5A19A2281633DA8EF1C49B0FDE3BDDE4
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Meronier at 9:36:26 on 2012-01-31
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.8191.6686 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\msdtc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k PeerDist
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Malware Protection Center] /s /d
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{5F051BC7-782B-4446-BB20-9367EE88B72C} : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{CF5231CC-D000-4CC3-8641-7EA66A275433} : DhcpNameServer = 192.168.178.1
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Meronier\AppData\Roaming\Mozilla\Firefox\Profiles\ra6c0z1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npWebLaunch.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-14 86224]
R2 AntiVirService;Avira Echtzeit Scanner;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-14 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys --> C:\Windows\system32\drivers\ha20x22k.sys [?]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-8-31 14648]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-4 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-4 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2012-01-31 08:28:36 -------- d-----w- C:\$RECYCLE.BIN
2012-01-31 08:22:39 98816 ----a-w- C:\Windows\sed.exe
2012-01-31 08:22:39 518144 ----a-w- C:\Windows\SWREG.exe
2012-01-31 08:22:39 256000 ----a-w- C:\Windows\PEV.exe
2012-01-31 08:22:39 208896 ----a-w- C:\Windows\MBR.exe
2012-01-31 08:22:36 -------- d-----w- C:\ComboFix
2012-01-29 05:40:58 -------- d-----w- C:\Users\Meronier\AppData\Roaming\Ubisoft
2012-01-28 20:32:11 1 ----a-w- C:\Windows\SysWow64\SI.bin
2012-01-27 09:25:53 6219088 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-01-27 09:25:51 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\mpengine.dll
2012-01-25 10:34:04 -------- d-----w- C:\Users\Meronier\AppData\Roaming\Braid
2012-01-22 19:26:50 -------- d-sh--w- C:\Users\Meronier\AppData\Roaming\Malware Protection Center
2012-01-22 19:26:49 -------- d-sh--w- C:\ProgramData\MPZERXFC
2012-01-21 13:59:15 -------- d-----w- C:\Windows\Uninstall
2012-01-21 12:59:59 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-21 12:59:59 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-01-04 14:47:16 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-01-04 14:47:16 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-01-04 14:47:16 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-01-04 14:47:16 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
.
==================== Find3M ====================
.
2012-01-30 13:34:36 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\drivers\WdfCoInstaller01007.dll
2011-12-12 21:19:59 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-10 14:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-07 09:39:10 279096 ------w- C:\Windows\System32\MpSigStub.exe
2011-12-06 14:55:48 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2011-11-30 17:44:02 10497024 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-30 17:19:56 24887808 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-30 17:03:50 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-30 17:03:36 749568 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-30 17:01:54 893440 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-30 16:58:56 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-30 16:58:40 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-30 16:58:02 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-30 16:58:00 18829312 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-30 16:56:46 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-30 16:56:26 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-30 16:56:20 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-30 16:56:08 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-30 16:56:02 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-30 16:55:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-30 16:55:52 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-30 16:51:20 4327936 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-30 16:40:50 5079552 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-30 16:33:46 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-30 16:33:14 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-30 16:33:02 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-30 16:31:18 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-30 16:31:16 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-30 16:31:06 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-30 16:31:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-30 16:30:52 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-30 16:28:56 4356096 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-30 16:27:02 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-30 16:24:58 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-30 16:22:08 5512704 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-30 16:20:04 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-30 16:14:14 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-30 16:14:06 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-30 16:13:52 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-30 16:13:44 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-30 16:13:36 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-30 16:13:28 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-30 16:12:38 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-30 16:12:30 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-30 16:12:24 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-30 16:12:16 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-30 16:11:38 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-21 17:51:32 86016 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 9:36:35,55 ===============

#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:12:49 PM

Posted 31 January 2012 - 04:13 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\users\Meronier\AppData\Roaming\Malware Protection Center
c:\programdata\MPZERXFC
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Protection Center"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.



Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 2.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u2-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006

Provided malware-removal-related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.
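The CFScript above targets the "Malware Protection Center" Run value that ComboFix printed as `"Malware Protection Center"="/d" [X]`: the `[X]` means the tool found no file behind the entry, and the command itself is nothing but a switch. Both properties are cheap to check mechanically when reading such logs. The following Python helper is an added example for this thread, not something Blade81 or the ComboFix/DDS authors supplied; it parses autostart lines in the two shapes shown in the logs above (ComboFix `"name"="command" [info]` and DDS `uRun:`/`mRun:`/`mRun-x64:` lines) and flags entries that are marked missing or that name no executable. The sample lines are constructed from the entries quoted in this thread, and the two heuristics are the author's own assumptions about what is worth a second look, not a definition of malware.

```python
import re

# Constructed sample lines, shaped like the ComboFix "Autostartpunkte" entries and
# the DDS "Pseudo HJT Report" uRun/mRun entries quoted earlier in this thread.
SAMPLE_LINES = [
    '"Malware Protection Center"="/d" [X]',
    '"CTxfiHlp"="CTXFIHLP.EXE" [2010-07-07 24576]',
    '"avgnt"="c:\\program files (x86)\\Avira\\AntiVir Desktop\\avgnt.exe" [2011-10-11 258512]',
    "uRun: [Malware Protection Center] /s /d",
    'mRun: [avgnt] "C:\\Program Files (x86)\\Avira\\AntiVir Desktop\\avgnt.exe" /min',
    'mRun-x64: [StartCCC] "C:\\Program Files (x86)\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe" MSRun',
    "TCP: DhcpNameServer = 192.168.178.1",  # not a Run entry, must be ignored
]

# ComboFix style:  "name"="command" [yyyy-mm-dd size]   or   "name"="command" [X]
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# DDS style:       uRun: [name] command   /   mRun-x64: [name] command
DDS_RE = re.compile(r"^(?P<hive>[um])Run(?:-x64)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Anything that looks like a program or script file somewhere in the command line.
EXT_RE = re.compile(r"\.(?:exe|dll|com|scr|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autostart(line):
    """Parse one Run-key line; return (name, command, marked_missing) or None."""
    m = COMBOFIX_RE.match(line)
    if m:
        # ComboFix prints [X] in place of date/size when the target file is absent.
        return m["name"], m["cmd"].strip(), m["info"].strip() == "X"
    m = DDS_RE.match(line)
    if m:
        # DDS does not annotate missing files, so the flag is always False here.
        return m["name"], m["cmd"].strip(), False
    return None


def triage(lines):
    """Return the Run entries worth a second look, each with the reasons why.

    Heuristics (assumptions of this example, derived from the logs in the thread):
      * the scanner marked the target file as missing ([X]);
      * the command carries only switches (e.g. "/d") and names no executable.
    """
    findings = []
    for raw in lines:
        parsed = parse_autostart(raw.strip())
        if parsed is None:
            continue
        name, cmd, marked_missing = parsed
        reasons = []
        if marked_missing:
            reasons.append("scanner marked the target file as missing ([X])")
        if not EXT_RE.search(cmd):
            reasons.append("command names no executable, only switches")
        if reasons:
            findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f'{hit["name"]!r}: {hit["command"]!r} -> {"; ".join(hit["reasons"])}')
```

Run against the sample lines, the helper reports only the two "Malware Protection Center" entries (the ComboFix one for both reasons, the DDS one for the missing executable) and leaves the Creative, Avira and ATI entries alone. It is a reading aid for logs, not a cleaner: anything it flags still has to be confirmed the way Blade81 does above before a removal script is written.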


#5 Merinar56
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:49 AM

Posted 31 January 2012 - 06:06 AM

ComboFix 12-01-30.02 - Meronier 31.01.2012 11:10:27.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.8191.6445 [GMT 1:00]
ausgeführt von:: f:\setupdateien3\ComboFix.exe
Benutzte Befehlsschalter :: f:\setupdateien3\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\MPZERXFC
c:\programdata\MPZERXFC\MPMDMSC.cfg
c:\users\Meronier\AppData\Roaming\Malware Protection Center
c:\users\Meronier\AppData\Roaming\Malware Protection Center\cookies.sqlite
c:\users\Meronier\AppData\Roaming\Malware Protection Center\Instructions.ini
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-12-28 bis 2012-01-31 ))))))))))))))))))))))))))))))
.
.
2012-01-31 10:13 . 2012-01-31 10:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-31 09:56 . 2012-01-31 09:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-29 05:40 . 2012-01-29 05:40 -------- d-----w- c:\users\Meronier\AppData\Roaming\Ubisoft
2012-01-28 20:32 . 2012-01-28 20:32 1 ----a-w- c:\windows\SysWow64\SI.bin
2012-01-27 09:25 . 2012-01-17 03:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\mpengine.dll
2012-01-25 10:34 . 2012-01-25 10:34 -------- d-----w- c:\users\Meronier\AppData\Roaming\Braid
2012-01-23 21:58 . 2012-01-23 21:58 -------- d-----w- c:\windows\system32\Macromed
2012-01-21 14:01 . 2012-01-21 13:59 556880 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\IRZip.lmd
2012-01-21 14:00 . 2012-01-21 14:00 325960 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\lua5.1.dll
2012-01-21 14:00 . 2012-01-21 14:00 1360896 ----a-w- c:\windows\uninstall\FAKEFACTORY CM11\uninstall.exe
2012-01-21 13:59 . 2012-01-21 14:00 -------- d-----w- c:\windows\Uninstall
2012-01-21 12:59 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-21 12:59 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-07 08:37 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-07 08:37 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-01-04 14:47 . 2001-04-11 17:25 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-01-04 14:47 . 2001-04-11 17:25 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-01-04 14:47 . 2001-04-11 17:21 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-01-04 14:47 . 2001-04-11 17:20 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-24 12:17 . 2012-01-30 08:46 448 ----a-w- c:\windows\Fonts\HFF Xmas Hoedown.pfm
2011-12-20 21:14 . 2011-12-20 21:14 1486688 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2011-12-20 21:14 . 2011-12-20 21:14 1486688 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll
2011-12-10 14:24 . 2010-09-08 11:56 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 10:00 . 2011-10-14 13:15 130760 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-07 09:39 . 2010-02-10 06:18 279096 ------w- c:\windows\system32\MpSigStub.exe
2011-12-06 14:55 . 2010-09-08 11:48 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2011-11-30 17:44 . 2011-11-30 17:44 10497024 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-11-30 17:19 . 2011-11-30 17:19 24887808 ----a-w- c:\windows\system32\atio6axx.dll
2011-11-30 17:03 . 2011-11-30 17:03 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-11-30 17:03 . 2011-11-30 17:03 749568 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-11-30 17:01 . 2011-11-30 17:01 893440 ----a-w- c:\windows\system32\aticfx64.dll
2011-11-30 16:58 . 2011-11-30 16:58 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-11-30 16:58 . 2011-11-30 16:58 517120 ----a-w- c:\windows\system32\atieclxx.exe
2011-11-30 16:58 . 2011-11-30 16:58 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-11-30 16:58 . 2011-11-30 16:58 18829312 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-11-30 16:56 . 2011-11-30 16:56 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-11-30 16:56 . 2011-11-30 16:56 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-11-30 16:56 . 2011-11-30 16:56 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-11-30 16:56 . 2011-11-30 16:56 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-11-30 16:56 . 2011-11-30 16:56 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-11-30 16:55 . 2011-11-30 16:55 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-11-30 16:55 . 2011-11-30 16:55 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-11-30 16:51 . 2011-11-30 16:51 4327936 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-11-30 16:40 . 2011-11-30 16:40 5079552 ----a-w- c:\windows\system32\atidxx64.dll
2011-11-30 16:33 . 2011-11-30 16:33 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-11-30 16:33 . 2011-11-30 16:33 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-11-30 16:33 . 2011-11-30 16:33 4044288 ----a-w- c:\windows\system32\atiumd6a.dll
2011-11-30 16:31 . 2011-11-30 16:31 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-11-30 16:31 . 2011-11-30 16:31 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-11-30 16:31 . 2011-11-30 16:31 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-11-30 16:31 . 2011-11-30 16:31 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-11-30 16:30 . 2011-11-30 16:30 9978880 ----a-w- c:\windows\system32\aticaldd64.dll
2011-11-30 16:28 . 2011-11-30 16:28 4356096 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-11-30 16:27 . 2011-11-30 16:27 8449024 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-11-30 16:24 . 2011-11-30 16:24 4189184 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-11-30 16:22 . 2011-11-30 16:22 5512704 ----a-w- c:\windows\system32\atiumd64.dll
2011-11-30 16:20 . 2011-11-30 16:20 58880 ----a-w- c:\windows\system32\coinst.dll
2011-11-30 16:14 . 2011-11-30 16:14 486912 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-30 16:14 . 2011-09-08 16:53 339968 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-11-30 16:13 . 2011-11-30 16:13 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-11-30 16:13 . 2011-11-30 16:13 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-11-30 16:13 . 2011-11-30 16:13 326656 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-11-30 16:12 . 2011-11-30 16:12 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-11-30 16:12 . 2011-11-30 16:12 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-11-30 16:12 . 2011-11-30 16:12 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-11-30 16:12 . 2011-11-30 16:12 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-11-30 16:11 . 2011-11-30 16:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-11-30 16:11 . 2011-11-30 16:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-11-30 16:11 . 2011-11-30 16:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-11-30 16:11 . 2011-11-30 16:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-11-30 16:11 . 2011-11-30 16:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-11-21 17:51 . 2011-11-21 17:51 86016 ----a-w- c:\windows\system32\ff_vfw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_08.28.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-10 06:25 . 2012-01-31 09:57 61170 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-31 09:57 57056 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-08 11:32 . 2012-01-31 09:57 21346 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1864920306-1801672675-3418825883-1001_UserData.bin
- 2010-09-08 10:53 . 2012-01-30 07:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-08 10:53 . 2012-01-31 08:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-08 10:53 . 2012-01-31 08:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-08 10:53 . 2012-01-30 07:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-30 07:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-31 08:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-08 11:17 . 2012-01-31 10:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-08 11:17 . 2012-01-31 08:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-08 11:17 . 2012-01-31 10:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-08 11:17 . 2012-01-31 08:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-31 10:14 . 2012-01-31 10:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-31 08:28 . 2012-01-31 08:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-31 10:14 . 2012-01-31 10:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-23 21:58 . 2012-01-30 13:34 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2012-01-31 09:56 . 2012-01-31 09:56 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2009-07-14 02:36 . 2012-01-31 10:01 652150 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-30 10:52 652150 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-31 10:01 121082 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-01-30 10:52 121082 c:\windows\system32\perfc009.dat
+ 2012-01-31 09:56 . 2012-01-31 09:56 461984 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_Plugin.exe
- 2012-01-23 21:58 . 2012-01-30 13:34 461984 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_Plugin.exe
+ 2009-07-14 05:12 . 2012-01-31 08:59 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:12 . 2012-01-29 05:18 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:01 . 2012-01-31 08:27 754014 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-31 10:13 754014 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-09-08 12:11 . 2012-01-30 13:34 8527008 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2012-01-31 09:56 . 2012-01-31 09:56 8527008 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
- 2012-01-23 21:58 . 2012-01-30 13:34 11336864 c:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll
+ 2012-01-31 09:56 . 2012-01-31 09:56 11336864 c:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll
+ 2010-09-09 00:13 . 2012-01-31 10:13 62990292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1864920306-1801672675-3418825883-1001-12288.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-07-07 24576]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-30 343168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoStartMenuMyGames"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-01-04 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-04 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2010-08-31 14648]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Meronier\AppData\Roaming\Mozilla\Firefox\Profiles\ra6c0z1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1864920306-1801672675-3418825883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*a*àYqe**€$*02%20snowflake%202%20%2B%20remake%20%28basic%20res.mp3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1864920306-1801672675-3418825883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*p*g*¡ °yi**‹file:///F:/MyMusic/Batman%5B1989-2008%5DSoundtracks%20%26%20Scores%20From%20The%20Live-Action%20Films%5BVA%5D-FlynnFlan/The%20Dark%20Knight%5B2008%5DSoundtrack%5BHans%20Zimmer%20%26%20James%20Newton%20Howard%5D-FlynnFlan/01%20-%20Why%20So%20Serious.mp3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\MSI Afterburner\MSIAfterburner.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-01-31 11:17:52 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-01-31 10:17
.
Vor Suchlauf: 597.190.615.040 bytes free
Nach Suchlauf: 596.708.171.776 bytes free
.
- - End Of File - - 03D150E8963D54DF3AD31DAF68D72E96

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Meronier at 11:49:28 on 2012-01-31
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.8191.6451 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\msdtc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k PeerDist
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.at/
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{5F051BC7-782B-4446-BB20-9367EE88B72C} : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{CF5231CC-D000-4CC3-8641-7EA66A275433} : DhcpNameServer = 192.168.178.1
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Meronier\AppData\Roaming\Mozilla\Firefox\Profiles\ra6c0z1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/firefox
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: D:\Programme\Mozilla Firefox\plugins\npWebLaunch.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-14 86224]
R2 AntiVirService;Avira Echtzeit Scanner;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-14 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys --> C:\Windows\system32\drivers\ha20x22k.sys [?]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-8-31 14648]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-4 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-4 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2012-01-31 10:36:29 -------- d-----w- C:\Program Files (x86)\ESET
2012-01-31 10:30:28 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-01-31 10:15:24 -------- d-----w- C:\$RECYCLE.BIN
2012-01-31 09:56:43 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-31 08:22:39 98816 ----a-w- C:\Windows\sed.exe
2012-01-31 08:22:39 518144 ----a-w- C:\Windows\SWREG.exe
2012-01-31 08:22:39 256000 ----a-w- C:\Windows\PEV.exe
2012-01-31 08:22:39 208896 ----a-w- C:\Windows\MBR.exe
2012-01-29 05:40:58 -------- d-----w- C:\Users\Meronier\AppData\Roaming\Ubisoft
2012-01-28 20:32:11 1 ----a-w- C:\Windows\SysWow64\SI.bin
2012-01-27 09:25:53 6219088 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-01-27 09:25:51 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A860EECD-B4BC-4CE7-8874-A742462C9A21}\mpengine.dll
2012-01-25 10:34:04 -------- d-----w- C:\Users\Meronier\AppData\Roaming\Braid
2012-01-21 13:59:15 -------- d-----w- C:\Windows\Uninstall
2012-01-21 12:59:59 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-21 12:59:59 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-01-07 08:37:41 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-01-04 14:47:16 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-01-04 14:47:16 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-01-04 14:47:16 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-01-04 14:47:16 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
.
==================== Find3M ====================
.
2012-01-31 10:30:20 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
2011-12-20 21:14:35 1486688 ----a-w- C:\Windows\System32\drivers\WdfCoInstaller01007.dll
2011-12-12 21:19:59 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-10 14:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-07 09:39:10 279096 ------w- C:\Windows\System32\MpSigStub.exe
2011-12-06 14:55:48 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2011-11-30 17:44:02 10497024 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-30 17:19:56 24887808 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-30 17:03:50 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-30 17:03:36 749568 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-30 17:01:54 893440 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-30 16:58:56 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-30 16:58:40 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-30 16:58:02 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-30 16:58:00 18829312 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-30 16:56:46 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-30 16:56:26 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-30 16:56:20 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-30 16:56:08 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-30 16:56:02 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-30 16:55:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-30 16:55:52 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-30 16:51:20 4327936 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-30 16:40:50 5079552 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-30 16:33:46 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-30 16:33:14 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-30 16:33:02 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-30 16:31:18 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-30 16:31:16 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-30 16:31:06 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-30 16:31:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-30 16:30:52 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-30 16:28:56 4356096 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-30 16:27:02 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-30 16:24:58 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-30 16:22:08 5512704 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-30 16:20:04 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-30 16:14:14 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-30 16:14:06 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-30 16:13:52 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-30 16:13:48 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-30 16:13:44 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-30 16:13:36 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-30 16:13:28 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-30 16:12:38 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-30 16:12:30 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-30 16:12:24 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-30 16:12:16 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-30 16:11:38 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-30 16:11:14 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-30 16:11:08 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-21 17:51:32 86016 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 11:49:38,08 ===============

The ESET log file will have to wait. This scans my whole data and this will take ~6 hours or more. And I'm also very concerned about the fact that I should let an unfamiliar program running in Internet Explorer scan my whole (partly sensitive) data while using the Internet with an infected PC. I trust you, but I'm not negligent.

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:12:49 PM

Posted 31 January 2012 - 09:13 AM

Hi,

The ESET log file will have to wait. This scans my whole data and this will take ~6 hours or more. And I'm also very concerned about the fact that I should let an unfamiliar program running in Internet Explorer scan my whole (partly sensitive) data while using the Internet with an infected PC. I trust you, but I'm not negligent.

You are the first user I've met who suspects ESET's online scanner. ESET is a well-respected security company and I see no threats you should be afraid of when using the scanner :)

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Merinar56

Merinar56
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:49 AM

Posted 31 January 2012 - 11:35 AM

Think about it and try this angle: First I have to use all kinds of programs that all work offline (all very convenient, effective and finishing their work in a matter of minutes) and then I have to use one program that forces you to be online for hours and hours and you have to use IE. Would be great if there was an offline alternative.
It's not that I don't trust it, I simply don't like the act of a long-lasting full online scan plus using IE, it's more of a bother than it has to be, even more so if it would be possible to do the same offline.
Anyway, I'll start it before going to sleep.

#8 Merinar56 (Topic Starter)

Posted 01 February 2012 - 06:31 AM

Here is the ESET result after 9 hours:

C:\Qoobox\Quarantine\C\ProgramData\986b88\8885.mof.vir Win32/RogueAV.A trojan

#9 Blade81 (Bleepin' Rocker, Malware Response Team, Finland)

Posted 01 February 2012 - 12:36 PM

Good. Seems that ESET found only an item that ComboFix had quarantined already. Any of those original symptoms remaining?



#10 Merinar56 (Topic Starter)

Posted 01 February 2012 - 02:35 PM

Looks clean so far, no redirections anymore. :thumbup2:
Great help here in this forum, thank you.

Edited by Merinar56, 01 February 2012 - 02:37 PM.


#11 Blade81 (Bleepin' Rocker, Malware Response Team, Finland)

Posted 02 February 2012 - 02:11 AM

Good. Let's see the final steps then :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the same steps as when disabling System Restore, but at step 7 select the "Restore system settings and previous versions of files" option.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab.
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to Prompt.
6. Change the Download unsigned ActiveX controls to Disable.
7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
8. Change the Installation of desktop items to Prompt.
9. Change the Launching programs and files in an IFRAME to Prompt.
10. Change the Navigate sub-frames across different domains to Prompt.
11. When all these settings have been made, click on the OK button.
12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
13. Next press the Apply button and then the OK to exit the Internet Properties page.



Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

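The six Internet-zone settings Blade81 asks the user to change through the Custom Level dialog can also be audited read-only from PowerShell, so you can confirm the hardening took effect without clicking back through the dialog. This is an added example, not part of the thread or of any tool mentioned in it; it assumes the standard IE zone layout under `HKCU:\...\Internet Settings\Zones\3` (the Internet zone) and the usual policy codes 1001, 1004, 1201, 1800, 1804 and 1607 for those settings, with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the thread): audit the Internet zone against the
# hardened values recommended in the post. Read-only; it changes nothing.
# Assumption: Internet zone = Zones\3 and the policy codes / values below.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy code, the setting name used in the dialog, and the recommended value.
$Recommended = @(
    @{ Code = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Code = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Code = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Code = '1800'; Name = 'Installation of desktop items';                             Want = 1 }
    @{ Code = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Code = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Code)
    # $null means the value is absent and IE falls back to the zone's built-in default.
    $props = Get-ItemProperty -Path $ZoneKey -Name $Code -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Code
}

function Format-ZoneValue {
    param($Value)
    if ($null -eq $Value) { return 'not set (zone default)' }
    if ($Labels.ContainsKey($Value)) { return $Labels[$Value] }
    return "unknown ($Value)"   # e.g. 65536 = administrator approved
}

function Test-InternetZoneHardening {
    foreach ($r in $Recommended) {
        $current = Get-ZoneSetting -Code $r.Code
        [pscustomobject]@{
            Code    = $r.Code
            Setting = $r.Name
            Current = Format-ZoneValue $current
            Wanted  = $Labels[$r.Want]
            OK      = ($current -eq $r.Want)
        }
    }
}

$result = @(Test-InternetZoneHardening)
$result | Format-Table -AutoSize
if ($result.OK -contains $false) {
    Write-Warning 'Some Internet-zone settings differ from the recommended values; adjust them in the Custom Level dialog as described in the post.'
}
```

Group Policy can override these per-user values, so a mismatch reported here for a domain-joined machine may be set centrally rather than in the dialog.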


#12 Merinar56 (Topic Starter)

Posted 02 February 2012 - 07:09 AM

Did the thing for System Restore, but ComboFix is impossible to uninstall. Did everything exactly as advised, but every time I start it, it creates a system restore point and then goes on with the scan. No chance to type anything.

Edited by Merinar56, 02 February 2012 - 07:13 AM.


#13 Merinar56 (Topic Starter)

Posted 02 February 2012 - 07:11 AM

.

Edited by Merinar56, 02 February 2012 - 07:12 AM.


#14 Blade81 (Bleepin' Rocker, Malware Response Team, Finland)

Posted 02 February 2012 - 10:48 AM

Hi,

Did you run the ComboFix uninstall command as given, and not just by double-clicking the ComboFix icon?

The command in the Run box should be: Combofix /uninstall (notice the space between x and /)



#15 Merinar56 (Topic Starter)

Posted 02 February 2012 - 01:08 PM

That was the instruction:

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

Click start means I should open ComboFix, then a dialog pops up asking to 'Run' or 'Cancel', where I click 'Run'.

What do you mean by 'Click START then RUN'?



