Scanned with TDSSKiller to remove redirection in google when searching

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Scanned with TDSSKiller to remove redirection in google when searching Clueless how to solve this problem.

#1 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 04 January 2012 - 02:04 PM

Hello,
the redirecting of google started since my little brother sat on the computer. Now I got to repair it. When searching for solution someone recommend TDSSKiller. After I scanned with that software, I did what the software told me to do and I restarted. After that I opened Mozilla Firefox and it said there was no internet available, although it worked just a few minutes ago.

I also have attached something, but I am not sure if it will be helpful or not.

Attached File(s)

FSS.txt (899bytes)
Number of downloads: 4
netbt.sys.txt (899bytes)
Number of downloads: 1

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 09 January 2012 - 02:17 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

information and logs:

In your next post I need the following

.logs from DDS
let me know of any problems you may have had

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 11 January 2012 - 04:35 PM

Sorry for the late reply, but I have exams this week so I am really busy studying. Also it is very kind of you to help me.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Basal at 19:34:29 on 2012-01-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.767.504 [GMT 0:00]
.
.
============== Running Processes ===============
.
G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\RunDll32.exe
G:\Programme\BabylonToolbar\BabylonToolbar\1.4.23.10\BabylonToolbarsrv.exe
G:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programme\Messenger\msmsgs.exe
G:\Programme\BitTorrent\BitTorrent.exe
G:\Programme\Ralink\Common\RaUI.exe
svchost.exe
G:\WINDOWS\TEMP\wlddkm\setup.exe
G:\Programme\Java\jre6\bin\jqs.exe
G:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Programme\Ralink\Common\RaRegistry.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.bigseekpro.com/anyvideo2dvd/{89D12C7D-2E2B-49A7-AA8F-D124ECC94D52}
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=1c6bd1f3000000000000001109f2e1da&tlver=1.4.23.10&affID=17703
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - g:\programme\any video to dvd toolbar\tbhelper.dll
uURLSearchHooks: softonic-de3 Toolbar: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - g:\programme\softonic-de3\prxtbsof0.dll
BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - g:\programme\pricegong\2.5.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - g:\programme\babylontoolbar\babylontoolbar\1.4.23.10\bh\BabylonToolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - g:\programme\gemeinsame dateien\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - g:\dokumente und einstellungen\basal\anwendungsdaten\flashgetbho\FlashGetBHO3.dll
BHO: softonic-de3 Toolbar: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - g:\programme\softonic-de3\prxtbsof0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - g:\programme\any video to dvd toolbar\tbcore3.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - g:\programme\yontoo layers\YontooIEClient.dll
TB: Any Video To DVD Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - g:\programme\any video to dvd toolbar\tbcore3.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - g:\programme\babylontoolbar\babylontoolbar\1.4.23.10\BabylonToolbarTlbr.dll
TB: softonic-de3 Toolbar: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - g:\programme\softonic-de3\prxtbsof0.dll
uRun: [CTFMON.EXE] g:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "g:\programme\messenger\msmsgs.exe" /background
uRun: [ISUSPM] g:\dokumente und einstellungen\all users\anwendungsdaten\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [BitTorrent] "g:\programme\bittorrent\BitTorrent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE g:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE g:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Nuance PDF Reader-reminder] "g:\programme\nuance\pdf reader\ereg\ereg.exe" -r "g:\dokumente und einstellungen\all users\anwendungsdaten\nuance\pdf reader\ereg\Ereg.ini"
mRun: [SunJavaUpdateSched] "g:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [BabylonToolbar] "g:\programme\babylontoolbar\babylontoolbar\1.4.23.10\BabylonToolbarsrv.exe" /md I
mRun: [Adobe ARM] "g:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
mRun: [HTC Sync Loader] "g:\programme\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [Malwarebytes' Anti-Malware] "g:\programme\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
StartupFolder: g:\dokume~1\alluse~1\startm~1\progra~1\autost~1\pcperf~1.lnk - g:\dokumente und einstellungen\basal\lokale einstellungen\temporary internet files\content.ie5\2h2xop47\PCPerformer_GN[1].exe
StartupFolder: g:\dokume~1\alluse~1\startm~1\progra~1\autost~1\ralink~1.lnk - g:\programme\ralink\common\RaUI.exe
IE: Download All By FlashGet3 - g:\dokumente und einstellungen\basal\anwendungsdaten\flashgetbho\GetAllUrl.htm
IE: Download By FlashGet3 - g:\dokumente und einstellungen\basal\anwendungsdaten\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - g:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\programme\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - g:\dokumente und einstellungen\basal\anwendungsdaten\mozilla\firefox\profiles\mhv3m0e9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431245&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - component: g:\dokumente und einstellungen\basal\anwendungsdaten\mozilla\firefox\profiles\mhv3m0e9.default\extensions\{db9127a2-3381-41ec-82b3-1b6ed4c6f29a}\components\FlashgetXpi.dll
FF - component: g:\programme\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: g:\dokumente und einstellungen\basal\lokale einstellungen\anwendungsdaten\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: g:\programme\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: g:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\programme\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: g:\programme\nuance\pdf reader\bin\nppdf.dll
FF - plugin: g:\programme\nuance\pdf reader\bin\nppdf.dll
FF - plugin: g:\programme\research in motion limited\blackberry app world browser plugin\npappworld.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 AMService;AMService;g:\windows\temp\wlddkm\setup.exe run --> g:\windows\temp\wlddkm\setup.exe run [?]
R2 MBAMService;MBAMService;g:\programme\malwarebytes' anti-malware\mbamservice.exe [2011-12-29 652872]
R2 RalinkRegistryWriter;Ralink Registry Writer;g:\programme\ralink\common\RaRegistry.exe [2011-2-21 185632]

Attached File(s)

attach.zip (5.38K)
Number of downloads: 1

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 11 January 2012 - 06:23 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#5 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 12 January 2012 - 04:52 PM

My internet doesn't work on that computer, so I couldn't download and install the windows recovery console. The most important thing would for me be that internet would start working.

ComboFix 12-01-12.04 - Basal 01/12/2012 21:25:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.767.571 [GMT 0:00]
Running from: g:\dokumente und einstellungen\Basal\Desktop\ComboFix.exe
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\_Setup.dll
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\20111026204551.log
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\_Default.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\AxInterop.ImageEnXLibrary_1.9000.0.0_L_75236aeec3d51fd0_MSIL.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\CFToolkit_4.1.0.0_a87e673e9ecb6e8e_MSIL.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190241.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190244.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190312.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\FreeOCR_2.1.0.8_L_075a6c69191ec1db_x86.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\Interop.ImageLibrary_1.9000.0.0_L_8cdfa8b955dbb1c7_MSIL.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\Interop.PDFAX0717_7.17.0.0_L_3d5fa783dbb69c0f_MSIL.tiz
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.dat
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.exe
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.ico
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
g:\dokumente und einstellungen\All Users\Anwendungsdaten\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\1.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\1707.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\1708.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\1728.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\2229.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\2255.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\2260.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\371.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\4488.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\450.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\a.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\b.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\c.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\d.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\e.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\f.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\g.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\h.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\i.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\j.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\k.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\l.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\m.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\mru.xml
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\n.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\o.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\p.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\q.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\r.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\s.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\t.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\u.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\v.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\w.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\wlu.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\x.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\y.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\z.txt
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\04fcb6ba0889e64393699743bb24ab3b
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\222d7deb640c3b743c30e267fc509d14
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\26aaf652b3ae60696a4875f485da2f86
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\27c746d432b7a753a0af8d7c033b46fe
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\29821809b7cb6f67e31db41dec5e381f
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\2cc60d08b36af576b11419505050cc6e
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\310c5db19d322e707ce6531fe3fdcd7e
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\36eaa177f2d8f2bfa896ffe0bad8da4c
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\36edbd9cd1d972f7b815c3c429d9e778
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\37ee2f21434bc843766abbbe8fe484f4
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\3b194b7303d1532b1f5d39dea9b3ec11
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\413aeb08619b1e033ea1aae6659c5bff
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\44567846e0387d6a62062ab4dbf9ae96
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\52b66d6979ef2abcea9a736d1b4dbc82
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\5d25dd004ed9512e16e1d76d6deb2a6c
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\72d4fe494fd8962bafdd4578491904c4
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\73effe4a1a89889d523838e458c5996c
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\757a20d7a75ae93435ac64a6095eab39
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\7b13ad7171fedf70a551cfe42879200d
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\89c35566d3dfdce78572ff8c2a627ad2
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9840cd5f73490a37d4f3e47107ced675
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9956734e872eec3ea3e17f52e84dc6cc
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9a3f296b3bc2687f449336b4e47c8e46
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9d810aab3f7bcbacb07c241f8d726714
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\acfc834035dccfb94e7f9067f5d48a83
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\b47f44478c6baaeefa54ba302406a2bf
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\bdcf0ed363b85538f740c9b718bf611c
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c0b9e89d52d9e1ff85c2db9f694af77d
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c3782c9892460edf79a03fb75a965be2
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c48c9e27c16419ab995d48b077a802ff
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c594d37e13c887da6ddc9975fa9aae82
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\d1c3bd31f6f21832188b9cb3edf65f93
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\d57d3f554ba48c6d60c03fb39c9099f9
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\de34dec709d9fb8dd23100219c7fe0a0
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\0bf30927d79d10ac782c527b156e2c38
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\50a64809cef1854ef92ce3b3f8c7bc3f
g:\dokumente und einstellungen\Basal\Anwendungsdaten\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\5ee1b73689874262707dfd8375888fd3
g:\dokumente und einstellungen\Basal\WINDOWS
G:\install.exe
g:\programme\Any Video To DVD Toolbar\tbHElper.dll
g:\windows\$NtUninstallKB32569$
g:\windows\$NtUninstallKB32569$\2191327175
g:\windows\$NtUninstallKB32569$\2306078282\@
g:\windows\$NtUninstallKB32569$\2306078282\bckfg.tmp
g:\windows\$NtUninstallKB32569$\2306078282\cfg.ini
g:\windows\$NtUninstallKB32569$\2306078282\Desktop.ini
g:\windows\$NtUninstallKB32569$\2306078282\keywords
g:\windows\$NtUninstallKB32569$\2306078282\kwrd.dll
g:\windows\$NtUninstallKB32569$\2306078282\L\eysmmokz
g:\windows\$NtUninstallKB32569$\2306078282\U\00000001.@
g:\windows\$NtUninstallKB32569$\2306078282\U\00000002.@
g:\windows\$NtUninstallKB32569$\2306078282\U\00000004.@
g:\windows\$NtUninstallKB32569$\2306078282\U\80000000.@
g:\windows\$NtUninstallKB32569$\2306078282\U\80000004.@
g:\windows\$NtUninstallKB32569$\2306078282\U\80000032.@
g:\windows\IsUn0407.exe
g:\windows\Tab16d20.dll
.
g:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - g:\windows\ServicePackFiles\i386\ipsec.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSERVICE
-------\Service_AMService
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 21:35 . 2008-04-13 19:19 75264 -c--a-w- g:\windows\system32\dllcache\ipsec.sys
2012-01-12 21:35 . 2008-04-13 19:19 75264 ----a-w- g:\windows\system32\drivers\ipsec.sys
2012-01-08 12:08 . 2009-04-21 15:31 19072 ----a-w- g:\windows\system32\drivers\Scutum50.sys
2012-01-08 12:08 . 2009-09-15 14:09 779136 ----a-w- g:\windows\system32\drivers\rt2870.sys
2012-01-08 12:08 . 2009-09-15 14:08 221184 ----a-w- g:\windows\system32\RaCoInst.dll
2012-01-06 20:18 . 2012-01-06 22:14 -------- d-----w- g:\dokumente und einstellungen\Administrator
2012-01-04 16:38 . 2012-01-04 16:38 292 ----a-w- G:\fixme.reg
2012-01-04 15:41 . 2011-12-21 07:24 121816 ----a-w- g:\programme\Mozilla Firefox\components\browsercomps.dll
2012-01-04 15:41 . 2011-12-21 07:24 43992 ----a-w- g:\programme\Mozilla Firefox\mozutils.dll
2012-01-04 15:41 . 2011-12-21 04:30 626688 ----a-w- g:\programme\Mozilla Firefox\msvcr80.dll
2012-01-04 15:41 . 2011-12-21 04:30 548864 ----a-w- g:\programme\Mozilla Firefox\msvcp80.dll
2012-01-04 15:41 . 2011-12-21 04:30 479232 ----a-w- g:\programme\Mozilla Firefox\msvcm80.dll
2012-01-02 15:46 . 2012-01-02 16:03 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Skype
2012-01-02 15:45 . 2012-01-02 16:04 -------- d-----w- g:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2011-12-30 10:59 . 2011-12-30 10:59 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\MSNInstaller
2011-12-29 15:12 . 2011-12-29 15:12 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Red Kawa
2011-12-29 15:09 . 2011-12-29 15:09 -------- d-----w- g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Anwendungsdaten\Geckofx
2011-12-29 15:02 . 2011-12-29 15:02 -------- d-----w- g:\programme\AviSynth 2.5
2011-12-29 15:02 . 2011-12-29 15:02 -------- d-----w- g:\programme\Red Kawa
2011-12-29 11:01 . 2011-12-29 11:01 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Malwarebytes
2011-12-29 11:00 . 2011-12-29 11:00 -------- d-----w- g:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2011-12-29 11:00 . 2011-12-10 15:24 20464 ----a-w- g:\windows\system32\drivers\mbam.sys
2011-12-29 11:00 . 2011-12-29 11:00 -------- d-----w- g:\programme\Malwarebytes' Anti-Malware
2011-12-28 21:03 . 2011-12-28 21:03 -------- d-----r- g:\dokumente und einstellungen\NetworkService\Favoriten
2011-12-28 20:06 . 2011-12-28 20:06 -------- d-sh--w- g:\windows\system32\config\systemprofile\IETldCache
2011-12-28 19:03 . 2011-12-28 19:03 -------- d-sh--w- g:\dokumente und einstellungen\NetworkService\IETldCache
2011-12-28 15:45 . 2011-12-28 15:45 -------- d-----w- g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Anwendungsdaten\SanctionedMedia
2011-12-27 18:25 . 2011-12-28 15:01 -------- d-----w- g:\windows\system32\NtmsData
2011-12-25 15:55 . 2011-12-25 15:55 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-12-23 20:06 . 2011-12-23 20:06 -------- d-----w- g:\windows\system32\wbem\Repository
2011-12-18 14:07 . 2011-12-18 14:07 -------- d-----w- g:\dokumente und einstellungen\All Users\happy_town_by_jela331
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-09 18:10 . 2011-12-09 18:01 153325832 ----a-w- G:\setup_3.0.5579.exe
2011-11-23 14:40 . 2004-08-04 12:00 1859712 ----a-w- g:\windows\system32\win32k.sys
2011-11-04 19:13 . 2004-08-04 12:00 916992 ----a-w- g:\windows\system32\wininet.dll
2011-11-04 19:13 . 2004-08-04 12:00 43520 ----a-w- g:\windows\system32\licmgr10.dll
2011-11-04 19:13 . 2004-08-04 12:00 1469440 ------w- g:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- g:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- g:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2011-10-26 10:49 . 2004-08-04 12:00 2151424 ----a-w- g:\windows\system32\ntoskrnl.exe
2011-10-26 10:49 . 2004-08-04 00:50 2029568 ----a-w- g:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- g:\windows\system32\encdec.dll
2011-12-21 07:24 . 2012-01-04 15:41 121816 ----a-w- g:\programme\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
2011-05-09 09:49 176936 ----a-w- g:\programme\softonic-de3\prxtbsof0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-04-13 23:48 194912 ------w- g:\programme\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="g:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"BitTorrent"="g:\programme\BitTorrent\BitTorrent.exe" [2011-03-29 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite"="HDAudPropShortcut.exe" [2004-03-17 61952]
"Nuance PDF Reader-reminder"="g:\programme\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]
"SunJavaUpdateSched"="g:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BabylonToolbar"="g:\programme\BabylonToolbar\BabylonToolbar\1.4.23.10\BabylonToolbarsrv.exe" [2010-11-07 286720]
"Adobe ARM"="g:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HTC Sync Loader"="g:\programme\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
"Malwarebytes' Anti-Malware"="g:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
g:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
PC Performer.lnk - g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2H2XOP47\PCPerformer_GN[1].exe [N/A]
Ralink Wireless Utility.lnk - g:\programme\Ralink\Common\RaUI.exe [2011-2-21 1609728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Programme\\BitTorrent\\BitTorrent.exe"=
"g:\\Programme\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"g:\\Dokumente und Einstellungen\\All Users\\cs2d_0119_win\\CounterStrike2D.exe"=
"g:\dokumente und einstellungen\Basal\M-1-52-5782-8752-5245\winsvc.exe"= Microsoft® Windows Update
"g:\\Dokumente und Einstellungen\\Basal\\Anwendungsdaten\\GameRanger\\GameRanger\\GameRanger.exe"=
"g:\\Programme\\Stronghold Crusader Extreme\\Stronghold_Crusader_Extreme.exe"=
"g:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\Programme\\Stronghold Crusader Extreme\\Stronghold Crusader.exe"=
"g:\programme\relevantknowledge\rlvknlg.exe"= rlvknlg.exe
.
R2 MBAMService;MBAMService;g:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [12/29/2011 11:00 AM 652872]
R2 Scutum50;Scutum50 NDIS Protocol Driver;g:\windows\system32\drivers\Scutum50.sys [1/8/2012 12:08 PM 19072]
R3 cmudax;C-Media High Definition Audio Interface;g:\windows\system32\drivers\cmudax.sys [12/31/2002 11:51 PM 1287296]
R3 MBAMProtector;MBAMProtector;g:\windows\system32\drivers\mbam.sys [12/29/2011 11:00 AM 20464]
S2 PassThru Service;Internet Pass-Through Service;g:\programme\HTC\Internet Pass-Through\PassThruSvr.exe --> g:\programme\HTC\Internet Pass-Through\PassThruSvr.exe [?]
S3 HTCAND32;HTC Device Driver;g:\windows\system32\drivers\ANDROIDUSB.sys [12/9/2011 6:12 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;g:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.bigseekpro.com/anyvideo2dvd/{89D12C7D-2E2B-49A7-AA8F-D124ECC94D52}
IE: Download All By FlashGet3 - g:\dokumente und einstellungen\Basal\Anwendungsdaten\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - g:\dokumente und einstellungen\Basal\Anwendungsdaten\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - g:\dokumente und einstellungen\Basal\Anwendungsdaten\Mozilla\Firefox\Profiles\mhv3m0e9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431245&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Cmaudio - cmicnfg.cpl
SafeBoot-10018737.sys
AddRemove-Dev-C++ - c:\dev-cpp\uninstall.exe
AddRemove-S3 - g:\windows\IsUn0407.exe
AddRemove-{108A39BF-4ED1-4293-B11A-06BD521FB8F7} - g:\dokume~1\ALLUSE~1\ANWEND~1\TARMAI~1\{108A3~1\Setup.exe
AddRemove-{1864B4F0-7777-5A57-9930-C2B307597966} - g:\programme\MusicLab\RealGuitar2\Uninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - g:\dokume~1\ALLUSE~1\ANWEND~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 21:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1788)
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\windows\system32\RUNDLL32.EXE
g:\windows\system32\RunDll32.exe
g:\programme\Java\jre6\bin\jqs.exe
g:\windows\system32\nvsvc32.exe
g:\programme\Ralink\Common\RaRegistry.exe
g:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-12 21:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 21:46
.
Pre-Run: 7,669,497,856 Bytes frei
Post-Run: 22 Verzeichnis(se), 10,720,800,768 Bytes frei
.
- - End Of File - - D0FBD73CE3907221A27E3CAF5C1EBB9B

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 January 2012 - 04:59 PM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure "Include All Files" option remains checked.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Gringo

<-- Don't worry every little bit helps.

#7 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 12 January 2012 - 05:06 PM

This is FSS report:

Farbar Service Scanner
Ran by Basal (administrator) on 12-01-2012 at 22:06:06
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

File Check:
========
G:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-04 12:00] - [2008-04-14 02:22] - 0127488 ____A (Microsoft Corporation) C29A1C9B75BA38FA37F8C44405DEC360

G:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
G:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
G:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
G:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
G:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 12:00] - [2009-04-20 17:17] - 0045568 ____A (Microsoft Corporation) 407F3227AC618FD1CA54B335B083DE07

G:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 12:00] - [2008-04-14 02:22] - 0334336 ____A (Microsoft Corporation) CAD058D5F8B889A87CA3EB3CF624DCEF

G:\WINDOWS\system32\netman.dll
[2004-08-04 12:00] - [2008-04-14 02:22] - 0198144 ____A (Microsoft Corporation) E6D88F1F6745BF00B57E7855A2AB696C

G:\WINDOWS\system32\wbem\WMIsvc.dll
[2002-12-31 23:12] - [2008-04-14 02:22] - 0145408 ____A (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

G:\WINDOWS\system32\srsvc.dll
[2002-12-31 23:14] - [2008-04-14 02:22] - 0171520 ____A (Microsoft Corporation) FE77A85495065F3AD59C5C65B6C54182

G:\WINDOWS\system32\Drivers\sr.sys
[2002-12-31 23:14] - [2008-04-14 02:02] - 0073472 ____A (Microsoft Corporation) 50FA898F8C032796D3B1B9951BB5A90F

G:\WINDOWS\system32\wscsvc.dll
[2004-08-04 12:00] - [2008-04-14 02:22] - 0080896 ____A (Microsoft Corporation) 300B3E84FAF1A5C1F791C159BA28035D

G:\WINDOWS\system32\wbem\WMIsvc.dll
[2002-12-31 23:12] - [2008-04-14 02:22] - 0145408 ____A (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

G:\WINDOWS\system32\wuauserv.dll
[2002-12-31 23:14] - [2008-04-14 02:22] - 0006656 ____A (Microsoft Corporation) 7B4FE05202AA6BF9F4DFD0E6A0D8A085

G:\WINDOWS\system32\qmgr.dll
[2002-12-31 23:14] - [2008-04-14 02:22] - 0409088 ____A (Microsoft Corporation) D6F603772A789BB3228F310D650B8BD1

G:\WINDOWS\system32\es.dll
[2004-08-04 12:00] - [2008-07-07 20:26] - 0253952 ____A (Microsoft Corporation) AF4F6B5739D18CA7972AB53E091CBC74

G:\WINDOWS\system32\cryptsvc.dll
[2004-08-04 12:00] - [2008-04-14 02:22] - 0062464 ____A (Microsoft Corporation) 611F824E5C703A5A899F84C5F1699E4D

G:\WINDOWS\system32\svchost.exe
[2004-08-04 12:00] - [2008-04-14 02:23] - 0014336 ____A (Microsoft Corporation) 4FBC75B74479C7A6F829E0CA19DF3366

G:\WINDOWS\system32\rpcss.dll
[2004-08-04 12:00] - [2009-02-09 10:51] - 0401408 ____A (Microsoft Corporation) 3127AFBF2C1ED0AB14A1BBB7AAECB85B

G:\WINDOWS\system32\services.exe
[2004-08-04 12:00] - [2009-02-09 11:21] - 0111104 ____A (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC

Extra List:
=======
Gpc(3) IPSec(0) NetBT(11) NwlnkIpx(12) NwlnkNb(13) PSched(7) Tcpip(9) Tcpip6(14)
0x0E0000000A0000000800000005000000010000000200000003000000040000000600000007000000090000000B0000000C0000000D0000000E000000

**** End of log ****

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 January 2012 - 05:20 PM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf

It's important that you first make a copy of the file. Place the copy on your Desktop.
Once you have done that, use Notepad open the original file for editing.

2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0×80.

Posted Image

4. Save the file, and then exit Notepad.

Posted Image

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.

Posted Image

6. On the General tab, click Install, select Protocol, and then click Add.

Posted Image

7. In the Select Network Protocols window, click Have Disk.

Posted Image

8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.

Posted Image

9. Select Internet Protocol (TCP/IP), and then click OK.

Posted Image

Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

Posted Image

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP

<-- Don't worry every little bit helps.

#9 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 12 January 2012 - 05:50 PM

Thank you very much the internet is working for now. Please don't close just now. Maybe this issue could occur again. Could you wait for one day. Thx

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 January 2012 - 06:32 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#11 Basel.A

New Member

Group: Members
Posts: 6
Joined: 04-January 12

Posted 13 January 2012 - 12:39 PM

It seems like that surfing the internet became really slow. I tried repair but it was still slow. I also uploaded a screenshot.

screenshot.JPG (35.55K)
Number of downloads: 1

ComboFix 12-01-13.03 - Basal 01/13/2012 16:39:30.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.767.360 [GMT 0:00]
Running from: g:\dokumente und einstellungen\Basal\Desktop\ComboFix.exe
Command switches used :: g:\dokumente und einstellungen\Basal\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong
g:\dokumente und einstellungen\Basal\Anwendungsdaten\PriceGong\Data\mru.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-12 21:35 . 2008-04-13 19:19 75264 -c--a-w- g:\windows\system32\dllcache\ipsec.sys
2012-01-12 21:35 . 2008-04-13 19:19 75264 ----a-w- g:\windows\system32\drivers\ipsec.sys
2012-01-08 12:08 . 2009-04-21 15:31 19072 ----a-w- g:\windows\system32\drivers\Scutum50.sys
2012-01-08 12:08 . 2009-09-15 14:09 779136 ----a-w- g:\windows\system32\drivers\rt2870.sys
2012-01-08 12:08 . 2009-09-15 14:08 221184 ----a-w- g:\windows\system32\RaCoInst.dll
2012-01-06 20:18 . 2012-01-06 22:14 -------- d-----w- g:\dokumente und einstellungen\Administrator
2012-01-04 16:38 . 2012-01-04 16:38 292 ----a-w- G:\fixme.reg
2012-01-04 15:41 . 2011-12-21 07:24 121816 ----a-w- g:\programme\Mozilla Firefox\components\browsercomps.dll
2012-01-04 15:41 . 2011-12-21 07:24 43992 ----a-w- g:\programme\Mozilla Firefox\mozutils.dll
2012-01-04 15:41 . 2011-12-21 04:30 626688 ----a-w- g:\programme\Mozilla Firefox\msvcr80.dll
2012-01-04 15:41 . 2011-12-21 04:30 548864 ----a-w- g:\programme\Mozilla Firefox\msvcp80.dll
2012-01-04 15:41 . 2011-12-21 04:30 479232 ----a-w- g:\programme\Mozilla Firefox\msvcm80.dll
2012-01-02 15:46 . 2012-01-02 16:03 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Skype
2012-01-02 15:45 . 2012-01-02 16:04 -------- d-----w- g:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2011-12-30 10:59 . 2011-12-30 10:59 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\MSNInstaller
2011-12-29 15:12 . 2011-12-29 15:12 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Red Kawa
2011-12-29 15:09 . 2011-12-29 15:09 -------- d-----w- g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Anwendungsdaten\Geckofx
2011-12-29 15:02 . 2011-12-29 15:02 -------- d-----w- g:\programme\AviSynth 2.5
2011-12-29 15:02 . 2011-12-29 15:02 -------- d-----w- g:\programme\Red Kawa
2011-12-29 11:01 . 2011-12-29 11:01 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\Malwarebytes
2011-12-29 11:00 . 2011-12-29 11:00 -------- d-----w- g:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2011-12-29 11:00 . 2011-12-10 15:24 20464 ----a-w- g:\windows\system32\drivers\mbam.sys
2011-12-29 11:00 . 2011-12-29 11:00 -------- d-----w- g:\programme\Malwarebytes' Anti-Malware
2011-12-28 21:03 . 2011-12-28 21:03 -------- d-----r- g:\dokumente und einstellungen\NetworkService\Favoriten
2011-12-28 20:06 . 2011-12-28 20:06 -------- d-sh--w- g:\windows\system32\config\systemprofile\IETldCache
2011-12-28 19:03 . 2011-12-28 19:03 -------- d-sh--w- g:\dokumente und einstellungen\NetworkService\IETldCache
2011-12-28 15:45 . 2011-12-28 15:45 -------- d-----w- g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Anwendungsdaten\SanctionedMedia
2011-12-27 18:25 . 2011-12-28 15:01 -------- d-----w- g:\windows\system32\NtmsData
2011-12-25 15:55 . 2011-12-25 15:55 -------- d-----w- g:\dokumente und einstellungen\Basal\Anwendungsdaten\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-12-23 20:06 . 2011-12-23 20:06 -------- d-----w- g:\windows\system32\wbem\Repository
2011-12-18 14:07 . 2011-12-18 14:07 -------- d-----w- g:\dokumente und einstellungen\All Users\happy_town_by_jela331
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-09 18:10 . 2011-12-09 18:01 153325832 ----a-w- G:\setup_3.0.5579.exe
2011-11-23 14:40 . 2004-08-04 12:00 1859712 ----a-w- g:\windows\system32\win32k.sys
2011-11-04 19:13 . 2004-08-04 12:00 916992 ----a-w- g:\windows\system32\wininet.dll
2011-11-04 19:13 . 2004-08-04 12:00 43520 ----a-w- g:\windows\system32\licmgr10.dll
2011-11-04 19:13 . 2004-08-04 12:00 1469440 ------w- g:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- g:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- g:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2011-10-26 10:49 . 2004-08-04 12:00 2151424 ----a-w- g:\windows\system32\ntoskrnl.exe
2011-10-26 10:49 . 2004-08-04 00:50 2029568 ----a-w- g:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- g:\windows\system32\encdec.dll
2011-12-21 07:24 . 2012-01-04 15:41 121816 ----a-w- g:\programme\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-12_21.42.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-13 15:13 . 2012-01-13 15:13 16384 g:\windows\Temp\Perflib_Perfdata_2c4.dat
- 2004-08-04 12:00 . 2012-01-11 00:01 67828 g:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-01-13 07:45 67828 g:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-01-11 00:00 44902 g:\windows\system32\perfc007.dat
+ 2004-08-04 12:00 . 2012-01-13 07:45 44902 g:\windows\system32\perfc007.dat
+ 2004-08-04 12:00 . 2012-01-13 07:45 432872 g:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-01-11 00:01 432872 g:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-01-11 00:00 304142 g:\windows\system32\perfh007.dat
+ 2004-08-04 12:00 . 2012-01-13 07:45 304142 g:\windows\system32\perfh007.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
2011-05-09 09:49 176936 ----a-w- g:\programme\softonic-de3\prxtbsof0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-04-13 23:48 194912 ------w- g:\programme\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065}"= "g:\programme\softonic-de3\prxtbsof0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="g:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"BitTorrent"="g:\programme\BitTorrent\BitTorrent.exe" [2011-03-29 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite"="HDAudPropShortcut.exe" [2004-03-17 61952]
"Nuance PDF Reader-reminder"="g:\programme\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]
"SunJavaUpdateSched"="g:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BabylonToolbar"="g:\programme\BabylonToolbar\BabylonToolbar\1.4.23.10\BabylonToolbarsrv.exe" [2010-11-07 286720]
"Adobe ARM"="g:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HTC Sync Loader"="g:\programme\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
"Malwarebytes' Anti-Malware"="g:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
g:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
PC Performer.lnk - g:\dokumente und einstellungen\Basal\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2H2XOP47\PCPerformer_GN[1].exe [N/A]
Ralink Wireless Utility.lnk - g:\programme\Ralink\Common\RaUI.exe [2011-2-21 1609728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Programme\\BitTorrent\\BitTorrent.exe"=
"g:\\Programme\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"g:\\Dokumente und Einstellungen\\All Users\\cs2d_0119_win\\CounterStrike2D.exe"=
"g:\dokumente und einstellungen\Basal\M-1-52-5782-8752-5245\winsvc.exe"= Microsoft® Windows Update
"g:\\Dokumente und Einstellungen\\Basal\\Anwendungsdaten\\GameRanger\\GameRanger\\GameRanger.exe"=
"g:\\Programme\\Stronghold Crusader Extreme\\Stronghold_Crusader_Extreme.exe"=
"g:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\Programme\\Stronghold Crusader Extreme\\Stronghold Crusader.exe"=
"g:\programme\relevantknowledge\rlvknlg.exe"= rlvknlg.exe
.
R2 MBAMService;MBAMService;g:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [12/29/2011 11:00 AM 652872]
R2 Scutum50;Scutum50 NDIS Protocol Driver;g:\windows\system32\drivers\Scutum50.sys [1/8/2012 12:08 PM 19072]
R3 cmudax;C-Media High Definition Audio Interface;g:\windows\system32\drivers\cmudax.sys [12/31/2002 11:51 PM 1287296]
R3 MBAMProtector;MBAMProtector;g:\windows\system32\drivers\mbam.sys [12/29/2011 11:00 AM 20464]
S2 PassThru Service;Internet Pass-Through Service;g:\programme\HTC\Internet Pass-Through\PassThruSvr.exe --> g:\programme\HTC\Internet Pass-Through\PassThruSvr.exe [?]
S3 HTCAND32;HTC Device Driver;g:\windows\system32\drivers\ANDROIDUSB.sys [12/9/2011 6:12 PM 24576]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.bigseekpro.com/anyvideo2dvd/{89D12C7D-2E2B-49A7-AA8F-D124ECC94D52}
IE: Download All By FlashGet3 - g:\dokumente und einstellungen\Basal\Anwendungsdaten\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - g:\dokumente und einstellungen\Basal\Anwendungsdaten\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - g:\dokumente und einstellungen\Basal\Anwendungsdaten\Mozilla\Firefox\Profiles\mhv3m0e9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431245&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 16:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-13 16:50:31
ComboFix-quarantined-files.txt 2012-01-13 16:50
ComboFix2.txt 2012-01-12 21:46
.
Pre-Run: 21 Verzeichnis(se), 10,683,961,344 Bytes frei
Post-Run: 22 Verzeichnis(se), 10,677,841,920 Bytes frei
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8CA7A2ABD2E5FD53DE8E7B044F90E31D

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 13 January 2012 - 03:37 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter

File sharing infects 500,000 computers

USAToday

infoworld

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

start

settings

control panel

add/remove programs

Babylon toolbar on IE
BitTorrent
Java 2 Runtime Environment, SE v1.4.1_01
Java Web Start
Java™ 6 Update 22
PriceGong 2.5.0
Yontoo Layers 1.10.01

remove

Install Java:

Please go here to install Java

click on the Free Java Download Button
click on Agree and start Free download
click on Run
click on run again
click on install
when install is complete click on close

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 15 January 2012 - 11:55 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,552
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 January 2012 - 01:03 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.