
Unknown infection


This topic is locked. 5 replies to this topic.

#1 papaya

  • Members
  • 3 posts

Posted 13 January 2009 - 05:34 AM

Hey,

I'm having problems with an infection on my PC. I don't know what kind of infection it could be.
A red symbol with an "X" suddenly appears at the bottom right of the screen (where the icons
of running programs are shown; I don't know the English word). Ad-Watch tells me that "pcload.exe"
is trying to modify some registry entries; of course I clicked on "Block". When I open up the Task Manager,
it shows a running process which is, IMO, malware. This file is called "frmwrk32.exe". So now I searched for and
deleted both frmwrk32.exe and pcload.exe.

In the past I had the same problem, but I didn't run any anti-spyware programs, so the malware had already made
changes to my registry, e.g. I can't change the desktop background.

I hope you understand my problem and can help me out :-)

Here is the log file of DDS:

-----------------------------------------------------------------------------------


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 11:23:21,39 on 13.01.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.2047.1338 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 090113-0] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

D:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS.0\Explorer.EXE
D:\Programme\Lavasoft\Ad-Aware\aawservice.exe
D:\Programme\Alwil Software\Avast4\aswUpdSv.exe
D:\Programme\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS.0\SOUNDMAN.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
D:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe
D:\Programme\Java\jre6\bin\jusched.exe
D:\Programme\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS.0\system32\RUNDLL32.EXE
D:\WINDOWS.0\system32\rundll32.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Programme\Internet Download Manager\IDMan.exe
D:\Programme\DAEMON Tools Pro\DTProAgent.exe
D:\Programme\DAEMON Tools Lite\daemon.exe
D:\Programme\DragStrip\DragStrip.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\Programme\Lavasoft\Ad-Aware\Ad-Watch.exe
D:\WINDOWS.0\ATKKBService.exe
D:\Programme\Bonjour\mDNSResponder.exe
svchost.exe
D:\Programme\Sitecom\Bluetooth Software\bin\btwdins.exe
D:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Programme\Java\jre6\bin\jqs.exe
D:\WINDOWS.0\system32\nvsvc32.exe
D:\Programme\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS.0\system32\svchost.exe -k imgsvc
D:\Programme\Alwil Software\Avast4\ashMaiSv.exe
D:\Programme\Alwil Software\Avast4\ashWebSv.exe
D:\Programme\Internet Download Manager\IEMonitor.exe
D:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
D:\Dokumente und Einstellungen\Administrator.DOMI\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
D:\Programme\Winamp\winamp.exe
D:\Programme\Windows Live\Messenger\MsnMsgr.Exe
D:\Programme\skype\Phone\Skype.exe
D:\Programme\Skype\Plugin Manager\skypePM.exe
D:\Programme\Mozilla Firefox\firefox.exe
D:\Dokumente und Einstellungen\Administrator.DOMI\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = about:blank
uInternet Settings,ProxyServer = 80.108.87.171:11033
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\programme\internet download manager\IDMIECC.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\programme\techsmith\snagit 9\SnagitBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\programme\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\programme\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\programme\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - d:\programme\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [Ad-Watch] d:\programme\lavasoft\ad-aware\Ad-Watch.exe
dRun: [CTFMON.EXE] d:\windows.0\system32\CTFMON.EXE
StartupFolder: d:\dokume~1\admini~1.dom\startm~1\progra~1\autost~1\dragst~1.lnk - d:\programme\dragstrip\DragStrip.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Download aller Links mit IDM - d:\programme\internet download manager\IEGetAll.htm
IE: Download FLV Video Inhalt mit IDM - d:\programme\internet download manager\IEGetVL.htm
IE: Download mit IDM - d:\programme\internet download manager\IEExt.htm
IE: Nach Microsoft E&xel exportieren - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth - d:\programme\sitecom\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\programme\sitecom\bluetooth software\btsendto_ie.htm
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - d:\programme\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\programme\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {1C58CDF3-AED6-4918-A09B-D0C23C42894A} = 213.191.92.87 62.109.123.6
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\programme\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - d:\windows.0\system32\BTXPPanel.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows.0\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\programme\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - d:\dokume~1\admini~1.dom\anwend~1\mozilla\firefox\profiles\ypu7qp71.default\
FF - component: d:\dokumente und einstellungen\administrator.domi\anwendungsdaten\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\dokumente und einstellungen\administrator.domi\lokale einstellungen\anwendungsdaten\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: d:\programme\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: d:\programme\mozilla firefox\plugins\npracplug.dll
FF - plugin: d:\programme\real\netscape6\nppl3260.dll
FF - plugin: d:\programme\real\netscape6\nprjplug.dll
FF - plugin: d:\programme\real\netscape6\nprpjplug.dll
FF - plugin: d:\programme\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: XUL Cache: {46DED261-FE21-4C7C-AF7D-8B3EF061ADDD} - d:\windows.0\system32\config\systemprofile\lokale einstellungen\anwendungsdaten\{46ded261-fe21-4c7c-af7d-8b3ef061addd}\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;d:\windows.0\system32\drivers\aswSP.sys [2008-4-20 111184]
R3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;d:\windows.0\system32\drivers\NSDriver.sys [2008-4-29 15648]
R3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;d:\windows.0\system32\drivers\Awrtpd.sys [2008-4-29 12960]
R3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;d:\windows.0\system32\drivers\Awrtrd.sys [2008-4-29 15648]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\programme\alwil software\avast4\ashMaiSv.exe [2008-3-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;d:\programme\alwil software\avast4\ashWebSv.exe [2008-3-27 352920]
R4 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\programme\cyberlink\powerdvd\000.fcl [2008-1-18 41456]
R4 aawservice;Lavasoft Ad-Aware Service;d:\programme\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;d:\windows.0\system32\drivers\aswFsBlk.sys [2008-4-20 20560]
R4 avast! Antivirus;avast! Antivirus;d:\programme\alwil software\avast4\ashServ.exe [2008-3-27 155160]
S3 scramby_out;Scramby Output;d:\windows.0\system32\drivers\scramby_out.sys [2007-8-8 23840]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-01-11 08:27 410,984 a------- d:\windows.0\system32\deploytk.dll
2009-01-09 20:12 <DIR> --d----- d:\dokume~1\admini~1.dom\anwend~1\Crayon Physics Deluxe
2009-01-09 13:37 <DIR> --d----- d:\dokume~1\admini~1.dom\anwend~1\Fabulous Finds
2009-01-07 18:14 73,216 a------- d:\windows.0\system32\ffkuz.dll
2009-01-06 13:20 188,960 a------- d:\windows.0\system\WINGDE.DLL
2009-01-06 13:20 92,208 a------- d:\windows.0\system\WING.DLL
2009-01-06 13:20 27,136 a------- d:\windows.0\system\WAVMIX16.DLL
2009-01-06 13:20 12,800 a------- d:\windows.0\system\WING32.DLL
2009-01-06 13:20 6,736 a------- d:\windows.0\system\WINGDIB.DRV
2009-01-06 13:20 5,024 a------- d:\windows.0\system\WINGPAL.WND
2009-01-06 13:20 2,554 a------- d:\windows.0\WAVEMIX.INI
2009-01-06 13:20 1,966 a------- d:\windows.0\system\DVA.386
2009-01-06 09:49 <DIR> --d-h--- d:\windows.0\system32\GroupPolicy
2009-01-06 08:38 1,347 a------- d:\windows.0\system32\ahtn.htm
2009-01-06 08:38 4,785 a------- d:\windows.0\system32\warning.gif
2009-01-06 07:06 1 a------- d:\windows.0\system32\uniq.tll
2009-01-04 15:43 <DIR> --d----- d:\dokume~1\alluse~1.0\anwend~1\Mushroom Age
2009-01-01 14:21 1,056 a--sh--- d:\dokume~1\alluse~1.0\anwend~1\KGyGaAvL.sys
2009-01-01 14:21 88 ---shr-- d:\dokume~1\alluse~1.0\anwend~1\1A1FFB8148.sys
2009-01-01 14:20 <DIR> --d----- d:\programme\gemeinsame dateien\Enterbrain
2009-01-01 14:20 <DIR> --d----- d:\programme\Enterbrain
2008-12-31 15:39 <DIR> --d----- d:\dokume~1\admini~1.dom\anwend~1\EternalEden
2008-12-31 10:39 <DIR> --d----- d:\programme\1C
2008-12-28 11:27 533 a------- d:\windows.0\eReg.dat
2008-12-27 21:31 <DIR> --d----- d:\programme\MPEGJOINER
2008-12-27 08:00 <DIR> --d----- d:\programme\Haali
2008-12-26 14:39 284,160 a------- d:\windows.0\unin0407.exe
2008-12-26 14:39 <DIR> --d----- d:\dokumente und einstellungen\administrator.domi\WINDOWS
2008-12-26 09:47 <DIR> --d----- d:\dokume~1\alluse~1.0\anwend~1\Reflexive Ashtons Family Resort
2008-12-26 09:47 <DIR> --d----- d:\dokume~1\admini~1.dom\anwend~1\Reflexive Ashtons Family Resort
2008-12-22 12:32 <DIR> --d----- d:\dokume~1\admini~1.dom\anwend~1\ALLCapture
2008-12-22 12:18 <DIR> --d----- d:\programme\Quick Screen Recorder
2008-12-18 23:33 <DIR> --d-h--- d:\windows.0\PIF
2008-12-18 18:52 160 a------- d:\windows.0\ODBC.INI
2008-12-18 18:50 123 a------- d:\windows.0\mfont.dat
2008-12-18 18:35 <DIR> --d----- D:\cbt
2008-12-18 11:55 <DIR> --d----- d:\dokumente und einstellungen\administrator.domi\uspy
2008-12-18 08:45 <DIR> --d----- d:\programme\CureROM
2008-12-17 02:15 <DIR> --d----- d:\programme\BlackAngel Software
2008-12-16 23:25 <DIR> --d----- d:\programme\BySoft FreeRAM
2008-12-16 23:20 57,344 a------- d:\windows.0\system32\GkSui16.EXE
2008-12-16 08:44 <DIR> --d----- d:\dokume~1\alluse~1.0\anwend~1\NevoSoft Games

==================== Find3M ====================

2009-01-11 14:28 323,584 a------- d:\windows.0\system32\AUDIOGENIE2.DLL
2009-01-11 14:28 237,568 a------- d:\windows.0\system32\rmc_rtspdl.dll
2009-01-11 14:28 156,672 a------- d:\windows.0\system32\rmc_fixasf.exe
2008-11-22 01:09 138,184 a------- d:\windows.0\system32\drivers\PnkBstrK.sys
2008-11-22 01:09 183,112 a------- d:\windows.0\system32\PnkBstrB.exe
2008-11-09 12:48 442,770 a------- d:\windows.0\system32\perfh007.dat
2008-11-09 12:48 78,360 a------- d:\windows.0\system32\perfc007.dat
2008-10-23 13:59 283,648 a------- d:\windows.0\system32\gdi32.dll
2008-10-22 05:29 63,040 a------- d:\windows.0\system32\PnkBstrA.exe
2008-10-16 21:04 826,368 a------- d:\windows.0\system32\wininet.dll
2008-08-22 13:30 22,328 a------- d:\dokume~1\admini~1.dom\anwend~1\PnkBstrK.sys
2008-04-20 14:14 774,144 a------- d:\programme\RngInterstitial.dll

============= FINISH: 11:24:08,92 ===============

Attached file: DDS.zip (4.13KB)
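The "Pseudo HJT Report" section of the DDS log above carries the indicators a helper looks for first: a proxy pointing at a public IP, default-user policies that lock Task Manager and the desktop, an orphaned toolbar entry, and a hidden Firefox extension registered from the system profile. The triage script below is an added example (not DDS, GooredFix or ComboFix code) that parses lines in that format and flags those indicators; the sample input is constructed from the log above, and the policy list and severity ratings are the author's assumptions.

```python
"""Triage checks over the "Pseudo HJT Report" section of a DDS log (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in DDS "Pseudo HJT Report" layout, taken from the log posted above.
SAMPLE_DDS = r"""
mStart Page = about:blank
uInternet Settings,ProxyServer = 80.108.87.171:11033
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\programme\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [Ad-Watch] d:\programme\lavasoft\ad-aware\Ad-Watch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
FF - HiddenExtension: XUL Cache: {46DED261-FE21-4C7C-AF7D-8B3EF061ADDD} - d:\windows.0\system32\config\systemprofile\lokale einstellungen\anwendungsdaten\{46ded261-fe21-4c7c-af7d-8b3ef061addd}\
"""

# Policies (assumed list) that malware sets to lock the user out of admin tools / the desktop.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
    "NoSetActiveDesktop": "desktop background locked",
    "NoActiveDesktopChanges": "desktop changes locked",
    "NoControlPanel": "Control Panel hidden",
    "NoRun": "Run dialog hidden",
}
# DDS prefixes: u = current user hive, m = machine hive, d = HKU\.DEFAULT hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

PROXY_RE = re.compile(r"^([umd])Internet Settings,ProxyServer = (.+)$")
POLICY_RE = re.compile(r"^([umd])Policies-(\w+): (\w+) = (\d+)")
NOFILE_RE = re.compile(r"^(BHO|TB): .*- No File$")
FFHIDDEN_RE = re.compile(r"^FF - HiddenExtension: (.*?): \{[0-9a-f-]+\} - (.+)$", re.I)


@dataclass
class Finding:
    severity: str  # "high" or "low"
    line: str
    reason: str


def _proxy_reason(target: str) -> Optional[str]:
    """Return why a ProxyServer value is suspicious, or None if it points at a local/private host."""
    host = target.split("=")[-1]      # tolerate "http=host:port" style values
    host = host.rsplit(":", 1)[0]     # drop the port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return f"proxy set to hostname {host!r}; confirm it is an expected proxy"
    if addr.is_loopback or addr.is_private:
        return None
    return f"all browser traffic routed through public IP {addr} (redirect/credential-theft risk)"


def triage_dds(report: str) -> List[Finding]:
    """Walk the report line by line and collect findings; benign lines are ignored."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            reason = _proxy_reason(m.group(2))
            if reason:
                findings.append(Finding("high", line, f"{HIVE[m.group(1)]}: {reason}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            hive, _, name, value = m.groups()
            if name in LOCKDOWN_POLICIES and value != "0":
                findings.append(Finding("high", line, f"{HIVE[hive]}: {LOCKDOWN_POLICIES[name]}"))
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding("low", line, "orphaned browser add-on entry (file missing; clean up)"))
            continue
        m = FFHIDDEN_RE.match(line)
        if m:
            path = m.group(2).lower()
            # An extension loaded from the system profile or system32 is not user-installed.
            sev = "high" if "systemprofile" in path or "\\system32\\" in path else "low"
            findings.append(Finding(sev, line, f"hidden Firefox extension '{m.group(1)}' loaded from {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
```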


#2 Thunder

  • Members
  • 3,294 posts
  • Gender: Male
  • Location: Belgium

Posted 13 January 2009 - 07:54 AM

Hello Papaya and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double-click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------

#3 papaya (Topic Starter)

  • Members
  • 3 posts

Posted 13 January 2009 - 08:28 AM

Wow, this helped a lot! I can change my desktop background again and even Firefox seems to run stably now
(I had around 99% CPU usage after opening some tabs with Flash and Java content).

The program wasn't able to download the Recovery Console. It said "download failure".
Everything else went well.

Here are the logs:

--------------------------------------------------------------------------------------

Goored Log:

GooredFix v1.82 by jpshortstuff
Log created at 13:59 on 13/01/2009 running Option #2 (Administrator)
Firefox version 3.0.5 (de)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{46DED261-FE21-4C7C-AF7D-8B3EF061ADDD}"="D:\WINDOWS.0\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\{46DED261-FE21-4C7C-AF7D-8B3EF061ADDD}\"
->Backing up value... Done.
->Deleting value... Done.

D:\WINDOWS.0\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\{46DED261-FE21-4C7C-AF7D-8B3EF061ADDD}\
->Backing up folder... Done.
->Emptying folder... Failed.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="D:\Programme\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="D:\Programme\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="D:\Programme\Java\jre6\lib\deploy\jqs\ff"

=====Reboot=====

--------------------------------------------------------------------

ComboFix Log:

ComboFix 09-01-11.04 - Administrator 2009-01-13 14:17:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.2047.1602 [GMT 1:00]
ausgeführt von:: d:\dokumente und einstellungen\Administrator.DOMI\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090113-0] *On-access scanning disabled* (Outdated)

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\dokumente und einstellungen\Administrator\cftmon.exe
d:\dokumente und einstellungen\LocalService\cftmon.exe
d:\windows.0\system32\ahtn.htm
d:\windows.0\system32\BReWErS.dll
d:\windows.0\system32\drivers\seneka.sys
d:\windows.0\system32\drivers\senekabsygstpm.sys
d:\windows.0\system32\seneka.dat
d:\windows.0\system32\senekaaolcjmng.dll
d:\windows.0\system32\senekacriyyhja.dll
d:\windows.0\system32\senekadf.dat
d:\windows.0\system32\senekajoriccfr.dll
d:\windows.0\system32\senekalog.dat
d:\windows.0\system32\uniq.tll
d:\windows.0\system32\warning.gif

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((( Dateien erstellt von 2008-12-13 bis 2009-01-13 ))))))))))))))))))))))))))))))
.

2009-01-11 08:27 . 2009-01-11 08:27 410,984 --a------ d:\windows.0\system32\deploytk.dll
2009-01-09 20:12 . 2009-01-10 01:54 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Crayon Physics Deluxe
2009-01-09 13:37 . 2009-01-09 13:37 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Fabulous Finds
2009-01-08 10:31 . 2009-01-08 10:32 <DIR> d-------- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Lavasoft
2009-01-07 18:14 . 2009-01-07 18:14 73,216 --a------ d:\windows.0\system32\ffkuz.dll
2009-01-06 13:20 . 1995-04-20 00:00 188,960 --a------ d:\windows.0\system\WINGDE.DLL
2009-01-06 13:20 . 1995-04-20 00:00 92,208 --a------ d:\windows.0\system\WING.DLL
2009-01-06 13:20 . 1995-04-20 00:00 27,136 --a------ d:\windows.0\system\WAVMIX16.DLL
2009-01-06 13:20 . 1995-04-20 00:00 12,800 --a------ d:\windows.0\system\WING32.DLL
2009-01-06 13:20 . 1995-04-20 00:00 6,736 --a------ d:\windows.0\system\WINGDIB.DRV
2009-01-06 13:20 . 1995-04-20 00:00 5,024 --a------ d:\windows.0\system\WINGPAL.WND
2009-01-06 13:20 . 1995-04-20 00:00 2,554 --a------ d:\windows.0\WAVEMIX.INI
2009-01-06 13:20 . 1995-04-20 00:00 1,966 --a------ d:\windows.0\system\DVA.386
2009-01-06 09:49 . 2009-01-06 09:49 <DIR> d--h----- d:\windows.0\system32\GroupPolicy
2009-01-04 15:43 . 2009-01-04 15:43 <DIR> d-------- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Mushroom Age
2009-01-01 14:21 . 2009-01-03 08:39 1,056 --ahs---- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\KGyGaAvL.sys
2009-01-01 14:21 . 2009-01-03 08:39 88 -r-hs---- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\1A1FFB8148.sys
2009-01-01 14:20 . 2009-01-01 14:20 <DIR> d-------- d:\programme\Gemeinsame Dateien\Enterbrain
2009-01-01 14:20 . 2009-01-01 14:20 <DIR> d-------- d:\programme\Enterbrain
2008-12-31 15:39 . 2008-12-31 15:49 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\EternalEden
2008-12-31 10:39 . 2008-12-31 10:39 <DIR> d-------- d:\programme\1C
2008-12-28 11:27 . 2008-12-28 11:27 533 --a------ d:\windows.0\eReg.dat
2008-12-27 21:31 . 2008-12-27 21:31 <DIR> d-------- d:\programme\MPEGJOINER
2008-12-27 08:00 . 2008-12-27 08:00 <DIR> d-------- d:\programme\Haali
2008-12-26 14:39 . 2008-12-26 14:39 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\WINDOWS
2008-12-26 14:39 . 1996-02-08 17:06 284,160 --a------ d:\windows.0\unin0407.exe
2008-12-26 09:47 . 2008-12-26 09:47 <DIR> d-------- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Reflexive Ashtons Family Resort
2008-12-26 09:47 . 2008-12-26 10:02 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Reflexive Ashtons Family Resort
2008-12-22 12:50 . 2008-12-22 12:50 <DIR> d-------- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\TechSmith
2008-12-22 12:49 . 2008-12-22 12:49 <DIR> d-------- d:\programme\TechSmith
2008-12-22 12:32 . 2008-12-22 12:46 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\ALLCapture
2008-12-22 12:18 . 2008-12-22 12:47 <DIR> d-------- d:\programme\Quick Screen Recorder
2008-12-18 23:33 . 2008-12-18 23:33 <DIR> d--h----- d:\windows.0\PIF
2008-12-18 18:52 . 2009-01-05 11:00 160 --a------ d:\windows.0\ODBC.INI
2008-12-18 18:50 . 2009-01-05 01:35 123 --a------ d:\windows.0\mfont.dat
2008-12-18 18:35 . 2008-12-18 18:35 <DIR> d-------- D:\cbt
2008-12-18 11:55 . 2008-12-18 13:02 <DIR> d-------- d:\dokumente und einstellungen\Administrator.DOMI\uspy
2008-12-18 08:45 . 2008-12-18 08:46 <DIR> d-------- d:\programme\CureROM
2008-12-17 02:15 . 2008-12-17 02:15 <DIR> d-------- d:\programme\BlackAngel Software
2008-12-16 23:25 . 2008-12-16 23:31 <DIR> d-------- d:\programme\BySoft FreeRAM
2008-12-16 23:20 . 2000-03-15 02:07 57,344 --a------ d:\windows.0\system32\GkSui16.EXE
2008-12-16 08:44 . 2008-12-16 08:44 <DIR> d-------- d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\NevoSoft Games

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 12:43 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Skype
2009-01-13 09:24 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\skypePM
2009-01-13 05:41 --------- d--h--w d:\programme\InstallShield Installation Information
2009-01-13 05:41 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\DMCache
2009-01-12 18:29 --------- d-----w d:\programme\Soulseek
2009-01-11 15:07 --------- d-----w d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Google Updater
2009-01-11 13:40 --------- d-----w d:\programme\Replay Media Catcher
2009-01-11 13:28 323,584 ----a-w d:\windows.0\system32\AUDIOGENIE2.DLL
2009-01-11 13:28 237,568 ----a-w d:\windows.0\system32\rmc_rtspdl.dll
2009-01-11 13:28 156,672 ----a-w d:\windows.0\system32\rmc_fixasf.exe
2009-01-11 07:27 --------- d-----w d:\programme\Java
2009-01-09 13:04 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Any DVD Converter Professional
2009-01-09 11:40 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\uTorrent
2009-01-08 09:31 --------- d-----w d:\programme\Lavasoft
2009-01-08 09:31 --------- d-----w d:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-31 09:38 --------- d-----w d:\programme\Gemeinsame Dateien\Adobe
2008-12-31 09:37 --------- d-----w d:\programme\AGEIA Technologies
2008-12-23 23:35 --------- d-----w d:\programme\eMule
2008-12-20 19:10 --------- d-----w d:\programme\ICQ6
2008-12-17 00:48 --------- d-----w d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\HipSoft
2008-12-12 10:09 --------- d-----w d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\MumboJumbo
2008-12-11 13:47 --------- d-----w d:\programme\DIFX
2008-12-11 08:27 --------- d-----w d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Gogii Games
2008-12-11 08:27 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Gogii Games
2008-12-08 23:12 --------- d-----w d:\dokumente und einstellungen\All Users.WINDOWS.0\Anwendungsdaten\PlayFirst
2008-12-08 23:12 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\PlayFirst
2008-12-08 20:41 --------- d-----w d:\programme\ratDVD
2008-12-08 16:41 --------- d-----w d:\programme\ElcomSoft
2008-12-08 16:28 --------- d-----w d:\programme\Atomic RAR Password Recovery
2008-12-08 16:19 --------- d-----w d:\programme\Intelore
2008-12-07 18:13 --------- d-----w d:\programme\VstPlugins
2008-12-07 18:13 --------- d-----w d:\programme\Outsim
2008-12-07 18:13 --------- d-----w d:\programme\Image-Line
2008-12-07 18:13 --------- d-----w d:\programme\ASIO4ALL v2
2008-12-03 08:18 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\GameInvest
2008-11-23 16:45 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\SecretIslandEng
2008-11-22 20:21 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\MysteryStudio
2008-11-22 00:09 183,112 ----a-w d:\windows.0\system32\PnkBstrB.exe
2008-11-22 00:09 138,184 ----a-w d:\windows.0\system32\drivers\PnkBstrK.sys
2008-11-21 23:37 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Leadertech
2008-11-21 21:11 --------- d-----w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\.BitTornado
2008-11-13 16:04 --------- d-----w d:\programme\Trend Micro
2008-10-23 12:59 283,648 ----a-w d:\windows.0\system32\gdi32.dll
2008-10-22 04:29 63,040 ----a-w d:\windows.0\system32\PnkBstrA.exe
2008-10-16 20:04 826,368 ----a-w d:\windows.0\system32\wininet.dll
2008-08-22 12:30 22,328 ----a-w d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\PnkBstrK.sys
2008-04-20 13:14 774,144 ----a-w d:\programme\RngInterstitial.dll
2008-03-27 18:28 8,704 ----a-w d:\dokumente und einstellungen\Administrator\8.exe
2008-03-27 18:28 8,704 ----a-w d:\dokumente und einstellungen\Administrator\5.exe
2008-03-27 18:27 8,704 ----a-w d:\dokumente und einstellungen\Administrator\7.exe
2008-03-27 18:27 45,056 ----a-w d:\dokumente und einstellungen\Administrator\win.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="d:\programme\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-09-10 2468200]
"NvCplDaemon"="d:\windows.0\system32\NvCpl.dll" [2008-05-16 13529088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows.0\system32\CTFMON.EXE" [2004-11-11 15360]

d:\dokumente und einstellungen\Administrator\Startmen\Programme\Autostart\
DragStrip.lnk - d:\programme\DragStrip\DragStrip.exe [1998-12-03 258048]

d:\dokumente und einstellungen\Administrator.DOMI\Startmen\Programme\Autostart\
DragStrip.exe.lnk - d:\programme\DragStrip\DragStrip.exe [1998-12-03 258048]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\D:^Dokumente und Einstellungen^All Users.WINDOWS.0^Startmenü^Programme^Autostart^BTTray.lnk]
path=d:\dokumente und einstellungen\All Users.WINDOWS.0\Startmenü\Programme\Autostart\BTTray.lnk
backup=d:\windows.0\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\D:^Dokumente und Einstellungen^All Users.WINDOWS.0^Startmenü^Programme^Autostart^Snagit 9.lnk]
path=d:\dokumente und einstellungen\All Users.WINDOWS.0\Startmenü\Programme\Autostart\Snagit 9.lnk
backup=d:\windows.0\pss\Snagit 9.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-02-21 09:24 91432 d:\programme\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BySoft FreeRAM]
--a------ 2004-12-17 21:44 318976 d:\programme\BySoft FreeRAM\FreeRAM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-17 11:40 133104 d:\dokumente und einstellungen\Administrator.DOMI\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-ra------ 2008-12-18 23:33 0 d:\progra~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 d:\programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 14:31 21633320 d:\programme\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-25 11:39 185872 d:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programme\\uTorrent\\uTorrent.exe"=
"d:\\Programme\\ICQ6\\ICQ.exe"=
"d:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Programme\\Messenger\\msmsgs.exe"=
"d:\\Programme\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"d:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"d:\\WINDOWS.0\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS.0\\system32\\PnkBstrB.exe"=
"d:\\Programme\\Bonjour\\mDNSResponder.exe"=
"d:\\spiele\\pop\\Prince of Persia.exe"=
"d:\\spiele\\pop\\PrinceOfPersia_Launcher.exe"=
"d:\\Programme\\skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;d:\windows.0\system32\drivers\aswSP.sys [2008-04-20 111184]
R4 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\programme\CyberLink\PowerDVD\000.fcl [2008-01-18 22:01:28 41456]
R4 aswFsBlk;aswFsBlk;d:\windows.0\system32\drivers\aswFsBlk.sys [2008-04-20 20560]
S3 scramby_out;Scramby Output;d:\windows.0\system32\drivers\scramby_out.sys [2007-08-08 23840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73435edb-fcf8-11dc-8ca7-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4518038-fcf9-11dc-843f-044b80808003}]
\Shell\AutoRun\command - G:\autorun.exe
.
Inhalt des "geplante Tasks" Ordners

2009-01-13 d:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-507921405-839522115-500.job
- d:\dokumente und einstellungen\Administrator.DOMI\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2008-09-17 11:40]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - d:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-WinampAgent - d:\programme\Winamp\winampa.exe
MSConfigStartUp-Framework Windows - frmwrk32.exe


.
------- Zusätzlicher Suchlauf -------
.
mStart Page = about:blank
uInternet Settings,ProxyServer = 80.108.87.171:11033
IE: Download aller Links mit IDM - d:\programme\Internet Download Manager\IEGetAll.htm
IE: Download FLV Video Inhalt mit IDM - d:\programme\Internet Download Manager\IEGetVL.htm
IE: Download mit IDM - d:\programme\Internet Download Manager\IEExt.htm
IE: Nach Microsoft E&xel exportieren - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Senden an &Bluetooth - d:\programme\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\Mozilla\Firefox\Profiles\ypu7qp71.default\
FF - component: d:\dokumente und einstellungen\Administrator.DOMI\Anwendungsdaten\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\dokumente und einstellungen\Administrator.DOMI\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: d:\programme\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: d:\programme\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: d:\programme\Real\Netscape6\nppl3260.dll
FF - plugin: d:\programme\Real\Netscape6\nprjplug.dll
FF - plugin: d:\programme\Real\Netscape6\nprpjplug.dll
FF - plugin: d:\programme\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 14:20:42
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\d:\programme\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Electronic Arts\C*o*m*m*a*n*d* *&* *C*o*n*q*u*e*r* *3* *T*i*b*e*r*i*u*m* *W*a*r*s*"!\Kundendienst]
"Order"=hex:08,00,00,00,02,00,00,00,b8,02,00,00,01,00,00,00,04,00,00,00,de,00,
00,00,00,00,00,00,d0,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,be,00,32,\

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:80,36,a9,c9,69,fa,eb,7b,a1,22,40,78,ec,5c,1c,11,7f,fd,c1,3d,fa,2b,f0,
55,9c,86,ad,8a,24,c3,b6,0f,c7,4f,b0,13,6b,33,27,00,8a,47,df,d0,7b,1f,15,56,\
"??"=hex:c3,8f,86,fe,2c,d5,6d,59,28,f3,1b,7a,8b,bf,1b,8c

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:5d,16,7c,d3,10,cd,f8,4f,9d,45,af,0e,50,18,d7,74,2a,ab,5a,33,10,
07,33,f4,8a,6f,ad,53,78,12,46,85,4d,83,86,1c,31,ec,52,73,6f,32,fe,bd,f6,fa,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):72,c7,4b,97,f6,c0,c6,c4,f5,94,42,83,30,ea,37,d2,b1,04,93,44,48,
9d,d7,4c,fe,1e,c2,64,3f,64,99,47,60,62,ec,77,c7,c5,b1,f4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c557bf1e-2da1-4bb3-95cb-aff4a8119a0e}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b4
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(880)
d:\windows.0\system32\sfc_os.dll
.
Zeit der Fertigstellung: 2009-01-13 14:23:28
ComboFix-quarantined-files.txt 2009-01-13 13:22:11

Vor Suchlauf: 22 Verzeichnis(se), 25,135,448,064 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 26,394,058,752 Bytes frei

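A responder working through a ComboFix log like the one above usually checks a few entry types before anything else: a per-user proxy recorded under Internet Settings, AutoRun commands cached under MountPoints2 for removable drives, and startup entries that name a bare executable with no path. The Python helper below is an added example for this page, not code from the thread or from ComboFix; its sample lines are constructed from values in the log above, and the three line patterns are assumptions about the log's layout rather than a documented format.

```python
import re

# Constructed sample: a few lines in the shape of the ComboFix log in this
# thread (values taken from that log, not a full copy of it).
SAMPLE_LOG = "\n".join([
    r"mStart Page = about:blank",
    r"uInternet Settings,ProxyServer = 80.108.87.171:11033",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73435edb-fcf8-11dc-8ca7-806d6172696f}]",
    r"\Shell\AutoRun\command - F:\setup.exe",
    r"MSConfigStartUp-WinampAgent - d:\programme\Winamp\winampa.exe",
    r"MSConfigStartUp-Framework Windows - frmwrk32.exe",
    r"R1 aswSP;avast! Self Protection;d:\windows.0\system32\drivers\aswSP.sys [2008-04-20 111184]",
])

# Line shapes assumed from the log above (hypothetical, not a ComboFix spec).
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?) - (?P<target>.+)$")


def triage(log_text):
    """Return (reason, value) pairs for entries a responder should review first.

    Nothing here is a verdict: each finding is a pointer back into the log.
    """
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            # A proxy set per user should be confirmed with the machine's
            # owner; one pointing at a public IP:port even more so.
            findings.append(("proxy-configured", m.group("proxy")))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # AutoRun command Windows cached for a removable drive letter.
            findings.append(("removable-autorun", m.group("cmd")))
            continue
        m = STARTUP_RE.match(line)
        if m and "\\" not in m.group("target"):
            # A bare file name relies on the search path, so check what it
            # actually resolves to before trusting the entry.
            findings.append(("startup-without-path", m.group("target")))
    return findings


if __name__ == "__main__":
    for reason, value in triage(SAMPLE_LOG):
        print(f"{reason:22} {value}")
```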

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:47 PM

Posted 13 January 2009 - 10:37 AM

Hello Papaya,

Looking better now. :thumbsup:

Open Notepad and copy and paste the text below in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM Try each listed file in turn and record the result in log.txt
FOR %%g in (
  "d:\windows.0\system32\ffkuz.dll"
  "d:\dokumente und einstellungen\Administrator\8.exe"
  "d:\dokumente und einstellungen\Administrator\5.exe"
  "d:\dokumente und einstellungen\Administrator\7.exe"
  "d:\dokumente und einstellungen\Administrator\win.exe") DO (
  IF EXIST %%g (
    REM Clear read-only, system and hidden attributes so DEL can remove it
    ATTRIB -r -s -h %%g
    DEL %%g
    IF EXIST %%g (
      ECHO %%g not deleted>>log.txt
    ) ELSE (
      ECHO %%g deleted>>log.txt
    )
  ) ELSE (
    ECHO %%g not found>>log.txt
  )
)
START NOTEPAD.EXE log.txt

Save this as del.bat, choose to save as "all files", and place it on your Desktop.
Double-click on it and post the content of the log file that opens in your next reply.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 papaya

papaya
  • Topic Starter

  • Members
  • 3 posts
  • Local time:08:47 PM

Posted 13 January 2009 - 10:48 AM

Everything looks great now:

Deleting files
"d:\windows.0\system32\ffkuz.dll" deleted
"d:\dokumente und einstellungen\Administrator\8.exe" deleted
"d:\dokumente und einstellungen\Administrator\5.exe" deleted
"d:\dokumente und einstellungen\Administrator\7.exe" deleted
"d:\dokumente und einstellungen\Administrator\win.exe" deleted

Thanks a lot, Thunder! :-)

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:47 PM

Posted 13 January 2009 - 11:09 AM

Glad we could help, Papaya :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.