E-mails sent by Trojan? How to stop, find the program doing it, see its content...?


  • This topic is locked
15 replies to this topic

#1 Dirkk

Dirkk

  • Members
  • 274 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 05 June 2009 - 05:08 AM

There was a Trojan (Zbot, Backdoor-Trojan) on my PC (XP SP3, updated) a few days ago; Malwarebytes detected and deleted it, and it appears to have been there for around one or two days.

Obviously it installed a program, or did it itself, that sent 17 e-mails (which I had never seen or written myself) to somewhere. I saw that by chance in the status bar of Outlook 2007.

Today, when I started Outlook without connecting to the Internet, I again happened to see "Sending 14 e-mails" displayed next to "Transmitting" in the status bar of Outlook, e-mails which I hadn't composed; the next time I started Outlook, a minute or so later, 15 e-mails were displayed. I am the only person using the PC.

Updated Malwarebytes and SuperAntiSpyWare didn't display any malicious software (anymore).

How can I get access to the e-mails (which must be on the PC, because I didn't have a connection to the Internet), read their content, find out anything about them, delete them, avoid sending them, find the program causing that...?...

Or might there be a chance that these e-mails, or rather the display in the status bar, are not caused by malware but by a usual process (which I cannot imagine)?

Nice greetings, Dirk

----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:08, on 05.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\NetDrive\wdService.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Ditto\Ditto.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Copy Handler\ch.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\PhraseExpress\phraseexpress.exe
C:\Programme\Alice\signup\AliceCnn.exe
C:\Programme\FreeCommander\FreeCommander.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programme\Java\jre6\bin\javaw.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programme\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Programme\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Programme\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Ditto] C:\Programme\Ditto\Ditto.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copy Handler] C:\Programme\Copy Handler\ch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Startup: PhraseExpress.lnk = C:\Programme\PhraseExpress\phraseexpress.exe
O4 - Startup: Secunia PSI.lnk = C:\Programme\Secunia\PSI\psi.exe
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PicGrab - {18B1FD17-63EA-492F-BD74-875A9CCE5C5A} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O9 - Extra button: (no name) - {89045B2A-F81D-44ED-81F3-4E6670D23845} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O9 - Extra 'Tools' menuitem: &PicGrab starten - {89045B2A-F81D-44ED-81F3-4E6670D23845} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199439078609
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Steuerung des DownloadManager ) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F55B0D99-BC97-47A9-8807-34F9F953F6A8}: NameServer = 213.191.74.19 62.109.123.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Cobian Backup 9 Dienst (CobianBackupAmanita) - Luis Cobian - C:\Programme\Cobian Backup 9\cbService.exe
O23 - Service: ComodoBackupService - COMODO - C:\Programme\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - c:\xampp\filezillaftp\filezillaserver.exe (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Programme\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Programme\Virtual CD v9\System\VC9SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Programme\NetDrive\wdService.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - H:\xampp\service.exe

--
End of file - 10024 bytes

Windows 10 Home, 64bit




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:09 PM

Posted 15 June 2009 - 03:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 15 June 2009 - 04:21 PM

Oops, what a nice surprise receiving an answer, many thanks for your welcome greetings, thcbytes,

And thanks for your offered help.

Yes, the unwanted horses are gone now indeed, and I hope there isn't any new one on my system.

But while we're at it, I would like to post the mentioned logs nevertheless; a new Trojan... who knows... just a short look...

Many thanks again, nice greetings, Dirk
----------------------------------------------------------------
Attached File: Attach.zip (2.97KB)

DDS (Ver_09-05-14.01) - NTFSx86
Run by Besitzer at 23:00:24,45 on 15.06.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.447.54 [GMT 2:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\NetDrive\wdService.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Ditto\Ditto.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Copy Handler\ch.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\PhraseExpress\phraseexpress.exe
C:\Programme\Alice\Signup\AliceCnn.exe
C:\Programme\Java\jre6\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Java\jre6\bin\javaw.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programme\FreeCommander\FreeCommander.exe
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\foobar2000\foobar2000.exe
H:\Eigene Dateien\Software\Downloads\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.de/
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\programme\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\programme\free download manager\iefdm2.dll
BHO: IE DOM Explorer: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Developer Toolbar: {cc962137-2e78-4f94-975e-fc0c07dbd78f} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\programme\techsmith\snagit 9\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: IE DOM Explorer: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [Ditto] c:\programme\ditto\Ditto.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Copy Handler] c:\programme\copy handler\ch.exe
uRun: [SpybotSD TeaTimer] c:\programme\spybot - search & destroy\TeaTimer.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [UnlockerAssistant] "c:\programme\unlocker\UnlockerAssistant.exe"
mRun: [ZoneAlarm Client] "c:\programme\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\besitzer\startm~1\progra~1\autost~1\erunta~1.lnk - c:\programme\erunt\AUTOBACK.EXE
StartupFolder: c:\dokume~1\besitzer\startm~1\progra~1\autost~1\phrase~1.lnk - c:\programme\phraseexpress\phraseexpress.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: Alles mit FDM herunterladen - file://c:\programme\free download manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\free download manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Videos mit FDM herunterladen - file://c:\programme\free download manager\dlfvideo.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\programme\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199439078609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: {F55B0D99-BC97-47A9-8807-34F9F953F6A8} = 213.191.74.19 62.109.123.197
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2008-1-9 11608]
R3 avgntflt;avgntflt;c:\programme\avira\antivir personaledition classic\avgntflt.sys [2008-1-9 52056]

=============== Created Last 30 ================

2009-06-12 14:56 <DIR> --d----- C:\a3f1c081bce58d8c78f51c40
2009-06-11 13:10 <DIR> --ds---- C:\ComboFix
2009-06-08 14:35 <DIR> --d----- c:\programme\Folderico
2009-06-07 11:01 <DIR> --d----- c:\programme\OutlookSpy
2009-06-06 23:33 266 a------- c:\windows\xvport.ini
2009-06-05 00:04 <DIR> --d----- c:\programme\WinPcap
2009-06-05 00:03 <DIR> --d----- c:\programme\Wireshark
2009-06-04 19:54 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\Passware
2009-06-04 19:53 <DIR> --d----- c:\programme\Passware
2009-06-02 00:18 <DIR> --d----- c:\programme\Secunia
2009-06-01 15:15 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-06-01 15:15 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-06-01 15:15 286,720 -c------ c:\windows\system32\dllcache\pdh.dll
2009-06-01 15:15 111,104 -c------ c:\windows\system32\dllcache\services.exe
2009-06-01 15:15 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-06-01 15:15 678,400 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-06-01 15:15 736,768 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-06-01 15:15 740,352 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-06-01 15:15 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-01 15:13 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-01 15:13 217,600 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-01 15:08 208,744 a------- c:\windows\system32\muweb.dll
2009-06-01 15:08 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-01 15:08 268,648 a------- c:\windows\system32\mucltui.dll
2009-05-29 01:32 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2009-05-29 01:31 <DIR> --d----- c:\programme\SUPERAntiSpyware
2009-05-29 01:31 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\SUPERAntiSpyware.com
2009-05-29 00:18 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SecTaskMan
2009-05-29 00:18 <DIR> --d----- c:\programme\Security Task Manager
2009-05-24 13:42 135 a------- c:\windows\wininit.ini
2009-05-22 17:18 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-05-22 17:18 39,424 a------- c:\windows\system32\grpconv.exe
2009-05-21 10:58 84,521 a------- c:\windows\system32\zqpozdheboc
2009-05-20 09:13 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\CUERipper
2009-05-20 09:12 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\CUE Tools

==================== Find3M ====================

2009-06-15 23:01 255,854,624 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-15 16:51 3,004,508 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-02 20:05 446,020 a------- c:\windows\system32\perfh007.dat
2009-06-02 20:05 79,212 a------- c:\windows\system32\perfc007.dat
2009-05-30 16:40 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 14:22 11,202 a------- c:\windows\mozver.dat
2009-05-07 17:32 348,160 a------- c:\windows\system32\localspl.dll
2009-04-29 06:42 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 06:41 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-19 21:46 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 16:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-23 22:55 319,498 a------- c:\windows\system32\prfh0407.dat
2009-03-23 22:55 49,000 a------- c:\windows\system32\prfc0407.dat
2009-03-15 02:12 57,472 a------- c:\dokume~1\besitzer\anwend~1\GDIPFONTCACHEV1.DAT
2008-04-24 12:39 1,089,328 a------- c:\programme\CHsetup1.28.exe
2008-04-24 12:37 1,807,380 a------- c:\programme\chsetup32_1.30_final.exe
2008-04-24 12:11 642,632 a------- c:\programme\hdtune_255.exe
2008-04-24 12:11 1,084,311 a------- c:\programme\hdtunepro_300_trial.exe
2008-04-24 11:15 658,687 a------- c:\programme\cspy23.zip
2008-04-14 13:35 14,852 a------- c:\programme\settings.dat
2007-10-14 10:12 10,340 a------- c:\programme\mailform.php
2007-10-13 02:30 9,185 a------- c:\programme\kontakt_formular.php
2001-11-23 06:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL
2006-05-03 12:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 13:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 15:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 23:06:27,31 ===============



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:09 AM

Posted 17 June 2009 - 01:09 PM

Hello.

I still see evidence of infection, though it may not be active.

Download and Run Fix with OTListIt
Please download OTListIt by OldTimer to your desktop.
Open OTListIt by double clicking its icon. If you are using Windows Vista, right click OTL.exe and select Run As Administrator.
Copy the contents of the CodeBox below into the Custom Scans/Fixes.
:files
c:\windows\system32\dllcache\grpconv.exe
c:\windows\system32\grpconv.exe
c:\windows\system32\zqpozdheboc

Click the Run Fix button. The fix should take a moment to complete. Post back with the logfile that opens.

After clicking Run Fix, OTListIt may ask to reboot the machine. If so, a logfile will open after the reboot.

Open OTListIt again by double clicking its icon.
Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTL.txt where OTL.exe is located.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Please post back with:
-the OTListIt fix log
-the OTListIt scan log
-the GMER scan log

If this file exists, post it as well:
C:\ComboFix.txt

Also tell me what symptoms of infection are still present.

With Regards,
The Panda

Edited by PropagandaPanda, 17 June 2009 - 01:10 PM.
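The helper's fix list above came from reading the "Created Last 30" section of the DDS log by eye. As an added example (not part of this thread and not code from the DDS or OTListIt tools), the script below parses that section's line format and applies two simple heuristics: a file with no extension placed directly in a Windows system directory, and a lowercase letters-only name with no extension. On the sample lines, taken from the DDS log posted earlier, it reproduces only one of the three files the helper listed (zqpozdheboc); the two grpconv.exe entries need analyst knowledge that no such heuristic supplies.

```python
"""Triage the 'Created Last 30' section of a DDS log.

Added example, not part of the thread and not code from the DDS or OTListIt
tools. It parses the one-entry-per-line format DDS prints and flags entries
matching two heuristics: a file without an extension placed directly in a
Windows system directory, and a lowercase letters-only name of eight or more
characters with no extension. The result is a triage list, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A DDS "Created Last 30" entry: date, time, size or <DIR>, 8 attribute flags, path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Directories in which an extensionless file is unusual (lower-cased, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\")

# Constructed sample: five lines copied from the DDS log posted in this thread.
SAMPLE_LOG = """\
2009-06-05 00:04 <DIR> --d----- c:\\programme\\WinPcap
2009-06-01 15:08 208,744 a------- c:\\windows\\system32\\muweb.dll
2009-05-24 13:42 135 a------- c:\\windows\\wininit.ini
2009-05-22 17:18 39,424 a------- c:\\windows\\system32\\grpconv.exe
2009-05-21 10:58 84,521 a------- c:\\windows\\system32\\zqpozdheboc
"""


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    size: int          # 0 for directories
    attrs: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        # Lower-cased parent directory with trailing backslash, for exact matching.
        return self.path.lower().rsplit("\\", 1)[0] + "\\"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS entry line; return None for section headers, blanks and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size_field = m.group("size")
    is_dir = size_field == "<DIR>"
    size = 0 if is_dir else int(size_field.replace(",", ""))
    return Entry(m.group("date"), m.group("time"), is_dir, size, m.group("attrs"), m.group("path"))


def parse_log(text: str) -> List[Entry]:
    entries = [parse_entry(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def reasons(entry: Entry) -> List[str]:
    """Return the heuristic reasons an entry deserves a look (empty if none)."""
    if entry.is_dir:
        return []
    name = entry.basename
    has_ext = "." in name
    found = []
    if not has_ext and entry.parent in SYSTEM_DIRS:
        found.append("file without extension in a Windows system directory")
    if not has_ext and len(name) >= 8 and name.isalpha() and name.islower():
        found.append("lowercase letters-only name with no extension")
    return found


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """(path, reasons) for every flagged entry, in log order."""
    out = []
    for e in parse_log(text):
        r = reasons(e)
        if r:
            out.append((e.path, r))
    return out


def otl_files_block(paths: List[str]) -> str:
    """Render paths in the ':files' list format the helper used for OTListIt above."""
    return "\n".join([":files", *paths])


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for path, why in flagged:
        print(path + "\n    - " + "\n    - ".join(why))
    print(otl_files_block([p for p, _ in flagged]))
```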


#5 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 17 June 2009 - 06:44 PM

Many thanks for your help, The Panda,

Oh, I hadn't thought there would be something malicious yet or again. MalwareBytes and SuperAntiSpyWare didn't find anything. Or is the malicious code new?

Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTL.txt where OTL.exe is located.


Took just a part of a second:

========== FILES ==========
c:\windows\system32\dllcache\grpconv.exe moved successfully.
c:\windows\system32\grpconv.exe moved successfully.
c:\windows\system32\zqpozdheboc moved successfully.

OTL by OldTimer - Version 2.1.1.0 log created on 06172009_212730


Open OTListIt again by double clicking its icon.
Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTL.txt where OTL.exe is located.


Alas, OTL doesn't scan to the end; I tried a few times, also with the virus program, SpyBot and ZoneAlarm deactivated. Task Manager shows about 95 to 99 % CPU usage (sometimes the OTL window turns white). OTL apparently always stopped at: HKEY_CURRENT_USER\ Internet Explorer Settings...

So I have added a HijackThis log at the bottom here instead; maybe it is useful.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-18 01:34:27
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- EOF - GMER 1.0.15 ----



If this file exists, post it as well:
C:\ComboFix.txt

Do I understand right, an existing ComboFix file, not a new one? Here is an already existing one:

ComboFix 09-06-09.06 - Besitzer 10.06.2009 10:58.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.447.223 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Besitzer\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Besitzer\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\dokume~1\Besitzer\LOKALE~1\Temp\pfsvgae.sys"
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PFSVGAE
-------\Legacy_RFNP32
-------\Service_pfsvgae
-------\Service_RFNP32


((((((((((((((((((((((( Dateien erstellt von 2009-05-10 bis 2009-06-10 ))))))))))))))))))))))))))))))
.

2009-06-09 13:13 . 2009-06-09 13:13 -------- d-----w- c:\dokumente und einstellungen\Default User\Lokale Einstellungen\Anwendungsdaten\Microsoft Help
2009-06-08 12:35 . 2009-06-08 12:42 -------- d-----w- c:\programme\Folderico
2009-06-07 09:01 . 2009-06-07 09:01 -------- d-----w- c:\programme\OutlookSpy
2009-06-04 22:04 . 2009-06-04 22:04 -------- d-----w- c:\programme\WinPcap
2009-06-04 22:03 . 2009-06-04 22:05 -------- d-----w- c:\programme\Wireshark
2009-06-04 17:54 . 2009-06-04 17:54 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Passware
2009-06-04 17:53 . 2009-06-04 17:53 367686 ----a-r- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Microsoft\Installer\{48E6CFAD-D99B-40F1-A114-C27C3CEF5540}\icon.exe
2009-06-04 17:53 . 2009-06-04 17:53 -------- d-----w- c:\programme\Passware
2009-06-01 22:18 . 2009-06-01 22:39 -------- d-----w- c:\programme\Secunia
2009-06-01 13:15 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-01 13:15 . 2009-03-06 14:19 286720 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-01 13:15 . 2009-02-09 11:21 111104 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-01 13:15 . 2009-02-09 10:51 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-01 13:15 . 2009-02-09 10:51 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-01 13:15 . 2009-02-09 10:51 678400 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-01 13:15 . 2009-02-09 10:51 736768 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-01 13:15 . 2009-02-09 10:51 740352 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-01 13:15 . 2009-02-09 10:51 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-01 13:13 . 2008-04-21 21:13 217600 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-01 13:08 . 2008-10-16 12:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-01 13:08 . 2008-10-16 12:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-28 23:33 . 2009-06-08 18:39 117760 ----a-w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-28 23:32 . 2009-05-28 23:32 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com
2009-05-28 23:31 . 2009-05-28 23:31 -------- d-----w- c:\programme\SUPERAntiSpyware
2009-05-28 23:31 . 2009-05-28 23:31 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\SUPERAntiSpyware.com
2009-05-28 22:18 . 2009-05-28 22:18 60 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SecTaskMan\icn_00002109910070400000000000F01FEC.dll
2009-05-22 15:18 . 2008-04-14 05:52 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-05-22 15:18 . 2008-04-14 05:52 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-05-20 07:13 . 2009-05-20 07:13 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\CUERipper
2009-05-20 07:12 . 2009-05-20 07:14 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\CUE Tools
2009-05-19 22:11 . 2009-05-19 22:13 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\vlc

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 09:05 . 2008-02-21 19:04 2982548 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-10 09:05 . 2008-02-21 19:04 253909024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-10 08:54 . 2007-09-22 21:07 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Ditto
2009-06-09 20:59 . 2009-02-04 20:46 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\foobar2000
2009-06-09 15:50 . 2008-11-15 00:04 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Free Download Manager
2009-06-09 14:20 . 2009-06-09 14:21 3996672 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-09 13:23 . 2009-03-21 21:55 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-06-09 07:32 . 2008-04-21 18:29 19728538 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-07 19:18 . 2009-04-02 17:52 152576 ----a-w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 09:01 . 2007-07-29 21:53 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-06-07 08:44 . 2009-04-03 19:59 -------- d-----w- c:\programme\MOBackup
2009-06-05 19:12 . 2007-08-21 10:22 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\XnView
2009-06-04 18:08 . 2009-04-05 14:42 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2009-06-04 18:07 . 2009-04-07 08:54 3371383 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-02 18:05 . 2004-08-04 12:00 446020 ----a-w- c:\windows\system32\perfh007.dat
2009-06-02 18:05 . 2004-08-04 12:00 79212 ----a-w- c:\windows\system32\perfc007.dat
2009-06-02 11:08 . 2009-05-28 22:18 -------- d-----w- c:\programme\Security Task Manager
2009-06-02 11:08 . 2009-04-07 12:24 -------- d-----w- c:\programme\CleanUp!
2009-06-02 11:06 . 2008-06-25 22:59 -------- d-----w- c:\programme\FlashGet
2009-06-02 11:06 . 2007-09-07 09:14 -------- d-----w- c:\programme\Spybot - Search & Destroy
2009-06-02 11:06 . 2007-08-19 12:49 -------- d-----w- c:\programme\PhraseExpress
2009-06-02 10:48 . 2009-04-03 20:27 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-06-02 10:47 . 2009-02-24 11:21 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\FileZilla
2009-06-02 10:26 . 2009-03-20 21:16 -------- d-----w- c:\programme\TuneUp Utilities 2009
2009-05-30 20:50 . 2009-03-03 21:19 -------- d-----w- c:\programme\Mozilla Thunderbird
2009-05-30 14:40 . 2009-04-04 18:04 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-28 23:30 . 2009-03-16 18:40 -------- d-----w- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2009-05-28 22:26 . 2009-05-28 22:18 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SecTaskMan
2009-05-28 22:18 . 2009-05-28 22:18 108 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\SecTaskMan\icn_00002109810090400000000000F01FEC.dll
2009-05-27 20:19 . 2008-01-09 11:51 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-26 11:20 . 2009-04-05 14:42 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-04-05 14:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 14:58 . 2008-11-14 19:26 169936 ----a-w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\n9l1617g.default\FlashGot.exe
2009-05-24 14:20 . 2008-03-16 21:19 -------- d-----w- c:\programme\FileZilla FTP Client
2009-05-23 15:46 . 2007-09-07 09:14 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-05-15 12:22 . 2007-08-21 06:32 11202 ----a-w- c:\windows\mozver.dat
2009-05-12 10:28 . 2009-04-03 20:27 -------- d-----w- c:\programme\Your Uninstaller 2008
2009-05-08 13:57 . 2007-08-19 12:47 -------- d-----w- c:\programme\phase5
2009-05-06 17:54 . 2007-09-07 12:44 -------- d-----w- c:\programme\WinMerge
2009-05-05 14:50 . 2009-05-05 14:50 -------- d-----w- c:\programme\VideoLAN
2009-04-27 13:19 . 2009-04-20 12:30 -------- d-----w- c:\programme\FreeCommander
2009-04-26 17:49 . 2008-07-22 23:08 -------- d-----w- c:\programme\WinSCP
2009-04-20 14:21 . 2008-10-09 14:49 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\dvdcss
2009-04-18 15:59 . 2009-04-18 15:56 -------- d-----w- c:\programme\Monkey's Audio
2009-04-18 11:55 . 2009-04-07 21:41 -------- d-----w- c:\programme\PRMT8
2009-04-17 09:01 . 2009-04-17 09:01 -------- d-----w- c:\programme\Medieval Software
2009-04-14 11:05 . 2007-08-19 08:38 109656 ----a-w- c:\dokumente und einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-04-13 22:53 . 2009-02-04 20:46 -------- d-----w- c:\programme\foobar2000
2009-04-13 18:05 . 2009-04-13 18:05 3584 ----a-r- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w- c:\programme\Windows Installer Clean Up
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w- c:\programme\MSECACHE
2009-04-12 18:53 . 2009-02-03 16:57 -------- d-----w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\AccurateRip
2009-04-07 21:36 . 2009-04-07 21:36 245448 ----a-w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-03-31 20:07 . 2009-03-31 20:07 141 ----a-w- c:\dokumente und einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
2009-03-25 13:08 . 2008-10-29 19:30 1 ----a-w- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-03-23 20:55 . 2009-03-23 20:07 319498 ----a-w- c:\windows\system32\prfh0407.dat
2009-03-23 20:55 . 2009-03-23 20:07 49000 ----a-w- c:\windows\system32\prfc0407.dat
2009-03-18 20:42 . 2009-03-18 20:42 126976 ----a-r- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Microsoft\Installer\{1CABD5D8-3D90-46BE-82E9-F919BE3E9F8B}\NewShortcut3_3578F861852C40E8B00D3E8FBA99B79A.exe
2009-03-18 20:42 . 2009-03-18 20:42 126976 ----a-r- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Microsoft\Installer\{1CABD5D8-3D90-46BE-82E9-F919BE3E9F8B}\NewShortcut1_3578F861852C40E8B00D3E8FBA99B79A.exe
2009-03-18 20:42 . 2009-03-18 20:42 10134 ----a-r- c:\dokumente und einstellungen\Besitzer\Anwendungsdaten\Microsoft\Installer\{1CABD5D8-3D90-46BE-82E9-F919BE3E9F8B}\ARPPRODUCTICON.exe
2009-03-17 08:38 . 2009-04-18 15:56 364544 ----a-w- c:\windows\system32\MACDll.dll
2008-04-24 10:39 . 2008-04-24 10:39 1089328 ----a-w- c:\programme\CHsetup1.28.exe
2008-04-24 10:37 . 2008-04-24 10:37 1807380 ----a-w- c:\programme\chsetup32_1.30_final.exe
2008-04-24 10:11 . 2008-04-24 10:11 642632 ----a-w- c:\programme\hdtune_255.exe
2008-04-24 10:11 . 2008-04-24 10:11 1084311 ----a-w- c:\programme\hdtunepro_300_trial.exe
2008-04-24 09:15 . 2008-04-24 09:15 658687 ----a-w- c:\programme\cspy23.zip
2008-04-14 11:35 . 2008-04-14 11:35 14852 ----a-w- c:\programme\settings.dat
2007-10-14 08:12 . 2007-10-13 00:29 10340 ----a-w- c:\programme\mailform.php
2007-10-13 00:30 . 2007-10-13 00:29 9185 ----a-w- c:\programme\kontakt_formular.php
2006-05-03 10:06 . 2009-02-05 19:00 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-02-05 19:00 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-02-05 19:00 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_10.02.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 09:07 . 2009-06-10 09:07 16384 c:\windows\Temp\Perflib_Perfdata_440.dat
- 2009-03-31 13:04 . 2009-06-02 13:20 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-04-04 20:40 . 2009-04-04 20:40 248632 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PPTPIA.DLL
+ 2009-06-10 07:25 . 2009-06-10 07:25 323584 c:\windows\ERDNT\AutoBackup\10.06.2009\Users\00000002\UsrClass.dat
+ 2009-06-10 07:25 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\10.06.2009\ERDNT.EXE
+ 2009-06-09 13:09 . 2009-06-09 13:09 250928 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-03-31 13:04 . 2009-06-09 13:23 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-03-31 13:04 . 2009-06-02 13:20 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-31 13:04 . 2009-06-09 13:23 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-06-10 07:25 . 2009-06-10 07:25 9175040 c:\windows\ERDNT\AutoBackup\10.06.2009\Users\00000001\NTUSER.DAT
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ditto"="c:\programme\Ditto\Ditto.exe" [2008-01-16 684032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Copy Handler"="c:\programme\Copy Handler\ch.exe" [2009-02-01 436224]
"SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"UnlockerAssistant"="c:\programme\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Besitzer\Startmenü\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PhraseExpress.lnk - c:\programme\PhraseExpress\phraseexpress.exe [2007-8-19 3786648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiSpyWareDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\xampp\\apache\\bin\\apache.exe"=
"c:\\Programme\\xampp\\mysql\\bin\\mysqld.exe"=
"h:\\xampp\\apache\\bin\\apache.exe"=
"h:\\xampp\\mysql\\bin\\mysqld.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Personal Backup 4\\Persbackup.exe"=
"c:\\Programme\\FileZilla Client\\filezilla.exe"=
"c:\\Programme\\PSPad editor\\PSPad.exe"=
"c:\\Programme\\FlashGet\\FlashGet.exe"=
"c:\\Programme\\PhraseExpress\\PhraseExpress.exe"=
"c:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programme\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [26.05.2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [26.05.2009 10:05 72944]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [31.03.2009 14:10 113168]
R2 WebDriveFSD;WebDrive File System Driver;c:\programme\NetDrive\rffsd.sys [18.01.2008 03:07 67032]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]
S3 CobianBackupAmanita;Cobian Backup 9 Dienst;c:\programme\Cobian Backup 9\cbService.exe [01.01.2009 12:12 583168]
S3 ComodoBackupService;ComodoBackupService;c:\programme\Comodo\BackUp\CmdBkSvc.exe [04.01.2009 02:29 1023488]
S3 CrystalSysInfo;CrystalSysInfo;c:\programme\MediaCoder\SysInfo.sys [25.09.2007 16:59 15152]
S3 getPlus® Helper;getPlus® Helper;c:\programme\NOS\bin\getPlus_HelperSvc.exe [19.10.2008 10:13 33752]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [31.03.2009 14:10 11392]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06.11.2007 22:22 34064]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNMp50.sys [28.11.2006 23:46 28224]
S3 PDNSp50;PDNSp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNSp50.sys [28.11.2006 23:46 27072]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24.03.2009 13:03 7808]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [26.05.2009 10:05 7408]
S3 VC9SecS;Virtual CD v9 Management Service;c:\programme\Virtual CD v9\System\VC9SecS.exe [31.03.2009 14:05 132424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.de/
IE: &Alles mit FlashGet laden - c:\programme\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\programme\FlashGet\jc_link.htm
IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\programme\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2928)
c:\programme\Ditto\focus.dll
c:\programme\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\NetDrive\wdService.exe
.
**************************************************************************
.
Completion time: 2009-06-10 11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 09:22
ComboFix2.txt 2009-06-09 10:07
ComboFix3.txt 2009-05-21 22:12

Pre-Run: 6,854,733,824 bytes free
Post-Run: 6,760,374,272 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=6 Sets=1,2,3,6
278 --- E O F --- 2009-06-09 13:23


Also tell me what symptoms of infection are still present.

I cannot see any symptoms at all; everything seems to run as usual, apart from the slow performance, but that is caused by the old PC and much too little RAM etc., I guess.

Thank you very much again for your help, nice greetings, Dirk

---------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:37:44, on 18.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Ditto\Ditto.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\NetDrive\wdService.exe
C:\Programme\Copy Handler\ch.exe
C:\Programme\PhraseExpress\phraseexpress.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\Alice\signup\AliceCnn.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\FreeCommander\FreeCommander.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\PSPad editor\PSPad.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\x8mxkqh5.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Programme\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Programme\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [Ditto] C:\Programme\Ditto\Ditto.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copy Handler] C:\Programme\Copy Handler\ch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-220523388-1450960922-1801674531-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Startup: PhraseExpress.lnk = C:\Programme\PhraseExpress\phraseexpress.exe
O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PicGrab - {18B1FD17-63EA-492F-BD74-875A9CCE5C5A} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O9 - Extra button: (no name) - {89045B2A-F81D-44ED-81F3-4E6670D23845} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O9 - Extra 'Tools' menuitem: &PicGrab starten - {89045B2A-F81D-44ED-81F3-4E6670D23845} - C:\Programme\PicGrab\iestarter.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199439078609
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Steuerung des DownloadManager ) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F55B0D99-BC97-47A9-8807-34F9F953F6A8}: NameServer = 213.191.74.19 62.109.123.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Cobian Backup 9 Dienst (CobianBackupAmanita) - Luis Cobian - C:\Programme\Cobian Backup 9\cbService.exe
O23 - Service: ComodoBackupService - COMODO - C:\Programme\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - c:\xampp\filezillaftp\filezillaserver.exe (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Programme\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Programme\Virtual CD v9\System\VC9SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Programme\NetDrive\wdService.exe

--
End of file - 10083 bytes



#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 17 June 2009 - 08:26 PM

Hello.

Yes, that was what I was looking for.

Let's see if an online scan will find anything.

We'll try disabling some startup items with HijackThis next round and see if that helps with the slowness.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#7 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 18 June 2009 - 07:19 AM

Thank you very much, The Panda,

All done. Nothing found. 7 files weren't scanned? Is that suspicious?

I didn't find any other report (e.g. txt-file) than this one:

Attached File  online_Scanner_scanning_report_thursday_june18_2009_13_26_10.png   31.57KB   9 downloads

No security programs running while scanning, it was scaring me a bit...

I am a little bit afraid, but I hope these (deleted) entries (are they malicious?) do not have anything to do with malware / malicious code (looks somehow like ZoneAlarm):

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Many thanks for helping, nice greetings, Dirk

Windows 10 Home, 64bit


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:09 AM

Posted 18 June 2009 - 07:33 AM

Hello Dirkk.

That looks good.

Those seven files are system files that are always in use when Windows is running. Scanners can't open them to scan. It's perfectly normal.

Please disable SpyBot's teatimer before continuing.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Use HijackThis to Remove Unneeded Startup Entries
Programs that run automatically at startup can take up memory, causing your computer to be slow. Many of these entries are not needed.

Below is a list of entries in your HijackThis log that can be removed safely. Below each entry, you will find a brief description of it. Some are up to preference.

To remove entries you do not want, open HijackThis (if you are using Windows Vista, right click the icon and select Run As Administrator), select "Do a system scan only", put a check mark next to those entries and select "Fix checked".

If you experience any issues after removing any items, use the Backup feature to restore the items.

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKCU\..\Run: [Ditto] C:\Programme\Ditto\Ditto.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copy Handler] C:\Programme\Copy Handler\ch.exe
O4 - Startup: PhraseExpress.lnk = C:\Programme\PhraseExpress\phraseexpress.exe

Take a new DDS.txt log please.

Slowness still there? It looks like almost all the RAM is being used at once.

With Regards,
The Panda
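The O4 and O23 lines discussed in this thread follow a fixed HijackThis layout (hive and key, entry name in square brackets, command; or service display name, vendor, path, optional "(file missing)"). The parser below is an added example, not HijackThis code or anything posted in this thread: it turns such lines into records and applies a few defender-side heuristics (missing file, unknown owner, executable under a temp or profile directory, a system binary name outside system32). The sample log mixes lines taken from this thread with one constructed "updater" entry; the heuristics are my own assumptions, not a verdict on any real entry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4/O23 lines in the HijackThis format seen in this thread,
# plus one made-up "updater" entry to exercise the temp-directory heuristic.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Ditto] C:\Programme\Ditto\Ditto.exe
O4 - Startup: PhraseExpress.lnk = C:\Programme\PhraseExpress\phraseexpress.exe
O4 - HKCU\..\Run: [updater] C:\DOKUME~1\Besitzer\LOKALE~1\Temp\svchost.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Programme\NetDrive\wdService.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# First executable-looking token of a command line, quotes and arguments stripped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|scr|com|dll|lnk))"?', re.IGNORECASE)

# Heuristic markers (assumptions for this example): locations a normal user can write to,
# and binary names that belong in system32 on Windows XP.
USER_WRITABLE = ("\\temp\\", "\\dokume", "\\documents and settings\\", "\\users\\", "\\appdata\\", "\\anwend")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


@dataclass
class Entry:
    kind: str                       # "run", "startup" or "service"
    name: str
    path: str                       # executable path with quotes and arguments stripped
    owner: Optional[str] = None     # vendor string, services only
    flags: List[str] = field(default_factory=list)


def _exe_path(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().strip('"')


def _apply_flags(entry: Entry, file_missing: bool) -> Entry:
    low = entry.path.lower()
    if file_missing:
        entry.flags.append("file missing")
    if entry.owner is not None and entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown owner")
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("runs from user-writable location")
    basename = low.rsplit("\\", 1)[-1]
    if basename in SYSTEM_NAMES and "\\system32\\" not in low:
        entry.flags.append("system binary name outside system32")
    return entry


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; return None for lines of any other type."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return _apply_flags(Entry("run", m.group("name"), _exe_path(m.group("cmd"))), False)
    m = STARTUP_RE.match(line)
    if m:
        return _apply_flags(Entry("startup", m.group("name"), _exe_path(m.group("cmd"))), False)
    m = SERVICE_RE.match(line)
    if m:
        entry = Entry("service", m.group("display"), _exe_path(m.group("path")), owner=m.group("owner"))
        return _apply_flags(entry, m.group("missing") is not None)
    return None


def parse_hjt_log(text: str) -> List[Entry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one heuristic flag, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt_log(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:40} {e.path}  <- {', '.join(e.flags)}")
```

The flags are a triage aid, not a verdict: in this very thread "Unknown owner" and "(file missing)" belong to leftover XAMPP services, so an entry that is flagged still needs the usual checks (vendor, file location, scan results) before it is removed.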

#9 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 18 June 2009 - 10:02 AM

Hello The Panda,

That was very fast, many thanks.

That looks good.


Uff, thank goodness.

Close/Exit Spybot Search and Destroy

Use HijackThis to Remove Unneeded Startup Entries


All done.

Slowness still there?

Yes (I have restarted), at least not in a way I could see a difference until now, but I will test for a while. Firefox needs about 1 to 3, 4 minutes to fully open, the context menu opens about 10 to 30 seconds after a right click on a file, the second click immediately after the first click on the same file causes the menu to open in about 3 to 5 seconds always.

I guess the PC is too old, too slow itself, too many programs on it etc. I guess, I would need some of the programs with deleted registry entries now, but it is worth a try, so I will do it for a while.

It looks like almost all the RAM is being used at once.

Yes, indeed, actually all the time; the CPU runs at 95 to 100 % very often.

I am very glad about your help, nice greetings, Dirk

---------------------------------------------------------------
Attached File  attach_2.zip   3.26KB   4 downloads


DDS (Ver_09-05-14.01) - NTFSx86
Run by Besitzer at 16:55:01,87 on 18.06.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.447.99 [GMT 2:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\NetDrive\wdService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Alice\Signup\AliceCnn.exe
C:\Programme\FreeCommander\FreeCommander.exe
C:\Programme\Java\jre6\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\PSPad editor\PSPad.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.de/
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\programme\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\programme\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\programme\free download manager\iefdm2.dll
BHO: IE DOM Explorer: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Developer Toolbar: {cc962137-2e78-4f94-975e-fc0c07dbd78f} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\programme\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\programme\techsmith\snagit 9\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: IE DOM Explorer: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\programme\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\programme\zone labs\zonealarm\zlclient.exe"
mRun: [TrueImageMonitor.exe] c:\programme\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\programme\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programme\gemeinsame dateien\acronis\schedule2\schedhlp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\besitzer\startm~1\progra~1\autost~1\erunta~1.lnk - c:\programme\erunt\AUTOBACK.EXE
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: Alles mit FDM herunterladen - file://c:\programme\free download manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\free download manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Videos mit FDM herunterladen - file://c:\programme\free download manager\dlfvideo.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\programme\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199439078609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: {F55B0D99-BC97-47A9-8807-34F9F953F6A8} = 213.191.74.19 62.109.123.197
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\programme\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programme\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\besitzer\anwend~1\mozilla\firefox\profiles\n9l1617g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - component: c:\dokumente und einstellungen\besitzer\anwendungsdaten\mozilla\firefox\profiles\n9l1617g.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\dokumente und einstellungen\besitzer\anwendungsdaten\mozilla\firefox\profiles\n9l1617g.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\dokumente und einstellungen\besitzer\anwendungsdaten\mozilla\firefox\profiles\n9l1617g.default\extensions\cifftoolbare@craftec.co.jp\components\CiFFToolBar.dll
FF - component: c:\programme\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\programme\opera\program\plugins\np_gp.dll
FF - plugin: c:\programme\opera\program\plugins\npdrmv2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 18

============= SERVICES / DRIVERS ===============

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-6-18 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2009-6-16 971552]
R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2008-1-9 11608]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-15 127768]
R1 SASDIFSV;SASDIFSV;c:\programme\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\programme\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2009-3-31 113168]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-21 394952]
R2 WebDriveFSD;WebDrive File System Driver;c:\programme\netdrive\rffsd.sys [2008-1-18 67032]
R3 avgntflt;avgntflt;c:\programme\avira\antivir personaledition classic\avgntflt.sys [2008-1-9 52056]
S3 CrystalSysInfo;CrystalSysInfo;c:\programme\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\dokume~1\besitzer\lokale~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-6-18 70144]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2009-3-31 11392]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNMp50.sys [2006-11-28 28224]
S3 PDNSp50;PDNSp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNSp50.sys [2006-11-28 27072]
S3 SASENUM;SASENUM;c:\programme\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-18 16:39 134,272 a------- c:\windows\system32\drivers\snman380.sys
2009-06-18 10:53 <DIR> --d----- C:\Test - Onlilne-Scanner
2009-06-17 21:27 <DIR> --d----- C:\_OTL
2009-06-16 20:08 971,552 a------- c:\windows\system32\drivers\tdrpm174.sys
2009-06-16 20:08 540,000 a------- c:\windows\system32\drivers\timntr.sys
2009-06-16 20:08 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-06-16 20:06 <DIR> --d----- c:\programme\gemeinsame dateien\Acronis
2009-06-12 14:56 <DIR> --d----- C:\a3f1c081bce58d8c78f51c40
2009-06-11 13:10 <DIR> --ds---- C:\ComboFix
2009-06-08 14:35 <DIR> --d----- c:\programme\Folderico
2009-06-07 11:01 <DIR> --d----- c:\programme\OutlookSpy
2009-06-06 23:33 266 a------- c:\windows\xvport.ini
2009-06-05 00:04 <DIR> --d----- c:\programme\WinPcap
2009-06-05 00:03 <DIR> --d----- c:\programme\Wireshark
2009-06-04 19:54 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\Passware
2009-06-04 19:53 <DIR> --d----- c:\programme\Passware
2009-06-01 15:15 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-06-01 15:15 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-06-01 15:15 286,720 -c------ c:\windows\system32\dllcache\pdh.dll
2009-06-01 15:15 111,104 -c------ c:\windows\system32\dllcache\services.exe
2009-06-01 15:15 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-06-01 15:15 678,400 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-06-01 15:15 736,768 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-06-01 15:15 740,352 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-06-01 15:15 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-01 15:13 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-01 15:13 217,600 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-01 15:08 208,744 a------- c:\windows\system32\muweb.dll
2009-06-01 15:08 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-01 15:08 268,648 a------- c:\windows\system32\mucltui.dll
2009-05-29 01:32 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SUPERAntiSpyware.com
2009-05-29 01:31 <DIR> --d----- c:\programme\SUPERAntiSpyware
2009-05-29 01:31 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\SUPERAntiSpyware.com
2009-05-29 00:18 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\SecTaskMan
2009-05-29 00:18 <DIR> --d----- c:\programme\Security Task Manager
2009-05-24 13:42 135 a------- c:\windows\wininit.ini
2009-05-22 17:18 39,424 ac------ c:\windows\system32\dllcache\grpconv.exe
2009-05-22 17:18 39,424 a------- c:\windows\system32\grpconv.exe
2009-05-20 09:13 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\CUERipper
2009-05-20 09:12 <DIR> --d----- c:\dokume~1\besitzer\anwend~1\CUE Tools

==================== Find3M ====================

2009-06-18 16:54 257,861,664 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-18 16:41 3,029,036 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-02 20:05 446,020 a------- c:\windows\system32\perfh007.dat
2009-06-02 20:05 79,212 a------- c:\windows\system32\perfc007.dat
2009-05-30 16:40 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 14:22 11,202 a------- c:\windows\mozver.dat
2009-05-07 17:32 348,160 a------- c:\windows\system32\localspl.dll
2009-04-29 06:42 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 06:41 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-19 21:46 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 16:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-23 22:55 319,498 a------- c:\windows\system32\prfh0407.dat
2009-03-23 22:55 49,000 a------- c:\windows\system32\prfc0407.dat
2009-03-15 02:12 57,472 a------- c:\dokume~1\besitzer\anwend~1\GDIPFONTCACHEV1.DAT
2008-04-24 12:39 1,089,328 a------- c:\programme\CHsetup1.28.exe
2008-04-24 12:37 1,807,380 a------- c:\programme\chsetup32_1.30_final.exe
2008-04-24 12:11 642,632 a------- c:\programme\hdtune_255.exe
2008-04-24 12:11 1,084,311 a------- c:\programme\hdtunepro_300_trial.exe
2008-04-24 11:15 658,687 a------- c:\programme\cspy23.zip
2008-04-14 13:35 14,852 a------- c:\programme\settings.dat
2007-10-14 10:12 10,340 a------- c:\programme\mailform.php
2007-10-13 02:30 9,185 a------- c:\programme\kontakt_formular.php
2001-11-23 06:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL
2006-05-03 12:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 13:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 15:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 16:57:15,29 ===============

Windows 10 Home, 64bit


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:09 AM

Posted 18 June 2009 - 10:19 AM

Hello Dirkk.

Let's see if we can identify what is taking up all that CPU.

Press Ctrl+Alt+Del to open the Task Manager.
Select the Processes tab.
Looking at the CPU column, note which processes are using high amounts of CPU.

Tell me how it goes.

With Regards,
The Panda

#11 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 18 June 2009 - 11:10 AM

Hello The Panda,

Thank you.

Usually Firefox takes about 50 to 60 % (without doing anything, just when it's opened), often 90 to 98 % periodically for a longer time, seems to depend on the pages / websites which are opened, some pages seem to cause high efficiency, need a minute or so to open fully. Word 30 to 60 % very often permanently (without doing anything).

In order of efficiency:
Attached File  datai_manager.jpg   58.03KB   9 downloads

Many thanks, nice greetings, Dirk

Windows 10 Home, 64bit


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:09 AM

Posted 18 June 2009 - 01:23 PM

Hello.

It's not a startup program that is causing the slowness, so there isn't anything we can do about that.

I would consider purchasing more RAM memory.

In any case, your computer is clean.

Run CleanUp with OTListIt
This will remove OTListIt and other tools commonly used in the malware removal process.

Open OTL.exe. Click the CleanUp button. Reboot if prompted.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 18 June 2009 - 01:49 PM

So many thanks for your quick, great and easy to understand help, The Panda,

I am really very glad about it. It is a great feeling to know having a clean PC.

Do you have any questions or concerns?


Yes, indeed. What I would be interested in is to know why MalwareBytes and SuperAntiSpyWare didn't find anything of the malicious code,

c:\windows\system32\dllcache\grpconv.exe
c:\windows\system32\grpconv.exe
c:\windows\system32\zqpozdheboc



because I am wondering whether I should use them in the future, but if they won't find code like that...they are said to be one of the best anti-malware programs, if I see right.

And these entries are not malicious ones, are they? They had been made by ZoneAlarm?

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)


Thank you very much again, The Panda.

Nice greetings, Dirk

Windows 10 Home, 64bit


#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:09 AM

Posted 18 June 2009 - 02:57 PM

Hello.

No program is perfect. Those were simply leftover files, not active infections, thus, they were difficult to detect.

The GMER log entries are normal.

With Regards,
The Panda

#15 Dirkk

Dirkk
  • Topic Starter

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 18 June 2009 - 03:27 PM

Hello The Panda,

Once again, thank you very much for your great and fast help and all the information.

Nice greetings, Dirk

Windows 10 Home, 64bit
