Google redirection problem


  • This topic is locked
17 replies to this topic

#1 caramba

caramba

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 09 October 2011 - 01:52 PM

Google redirects my searches to weird sites that are called something like "Web Directory" and such. After refreshing or hitting enter in the address bar the site loads properly.

I tried running a quick scan with Malwarebytes, but after a few seconds the scan just stops and the program closes. Trying to open the program again results in a message that tells me that I don't have the authority or that the path to the file is wrong.

Would really, really appreciate if I can finally get rid of the Google problem.

Thanks

Edited by caramba, 09 October 2011 - 02:15 PM.



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,906 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:54 PM

Posted 10 October 2011 - 01:47 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 10 October 2011 - 12:46 PM

Thanks for your reply. I have the first logs here for you, but running GMER.exe did not work. More below the logs.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
Run by sebastian at 19:26:17 on 2011-10-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3038.2024 [GMT 2:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\3513276670:27760430.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\STacSV.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.at/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = local;*.local
uURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programme\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download aller Links mit IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV-Videoinhalt mit IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download mit IDM - c:\program files\internet download manager\IEExt.htm
IE: Download with Mipony - file://c:\program files\mipony\browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\programme\microsoft office\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\programme\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\programme\microsoft office\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F80527C-4A85-4AB6-9278-EDFF9B7C41C0} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programme\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programme\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sebastian\appdata\roaming\mozilla\firefox\profiles\y3ioiqd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - component: c:\users\sebastian\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\users\sebastian\appdata\roaming\mozilla\firefox\profiles\y3ioiqd3.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_fa807195\AEstSrv.exe [2009-7-1 81920]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-8-5 222568]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2011-3-17 86280]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-2-28 365952]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-8-5 36640]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-22 52768]
S2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-4-21 4869488]
S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-4-21 416112]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-28 222512]
S3 hcw66xxx;WinTV HVR-900H;c:\windows\system32\drivers\hcw66xxx.sys [2009-9-6 420096]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-9-29 9216]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010-8-5 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010-8-5 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010-8-5 123648]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-16 15656]
.
=============== Created Last 30 ================
.
2011-10-08 22:17:30 98816 ----a-w- c:\windows\sed.exe
2011-10-08 22:17:30 518144 ----a-w- c:\windows\SWREG.exe
2011-10-08 22:17:30 256000 ----a-w- c:\windows\PEV.exe
2011-10-08 22:17:30 208896 ----a-w- c:\windows\MBR.exe
2011-10-08 22:17:12 -------- d-s---w- C:\ComboFix
2011-10-08 21:51:53 -------- d-----w- c:\program files\CCleaner
2011-10-05 20:19:42 -------- d-----w- c:\program files\AVG9
2011-10-05 20:19:42 -------- d-----w- c:\program files\AVG
2011-10-05 17:44:05 -------- d-----w- c:\programdata\AVAST Software
2011-10-05 17:44:05 -------- d-----w- c:\program files\AVAST Software
2011-10-05 16:55:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-04 12:42:57 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7e7eb1ed-cf5b-4a8a-94a6-47be749f2d77}\mpengine.dll
2011-09-29 17:58:01 9216 ----a-w- c:\windows\system32\drivers\massfilter.sys
2011-09-29 17:58:01 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2011-09-29 17:58:01 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2011-09-29 17:58:01 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2011-09-29 17:58:01 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2011-09-29 17:57:50 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-09-29 17:57:50 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-09-29 17:57:50 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-09-29 17:57:50 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-09-29 17:57:22 -------- dc-h--w- c:\programdata\{DA2F5D5B-4923-48EE-B46B-0FC936630A20}
2011-09-29 17:57:18 -------- d-----w- c:\program files\bob internet
2011-09-29 17:57:08 -------- d-----w- c:\programdata\mquadr.at
2011-09-29 17:56:52 -------- d-----w- c:\users\sebastian\appdata\local\PackageAware
2011-09-27 16:28:28 -------- d-----w- c:\users\sebastian\appdata\roaming\MicroST
2011-09-23 15:58:22 -------- d--h--w- c:\windows\PIF
2011-09-23 14:10:16 -------- d-----w- c:\programdata\MAGIX
2011-09-23 14:10:12 -------- d-----w- c:\users\sebastian\appdata\roaming\MAGIX
2011-09-23 14:00:36 -------- d-----w- c:\programdata\Xara
2011-09-23 14:00:36 -------- d-----w- c:\program files\Xara
2011-09-13 21:40:35 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-09-13 21:40:35 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-09-13 21:40:34 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-09-13 21:40:34 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-09-13 21:40:34 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-09-13 21:40:29 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-09-13 21:40:28 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-09-13 21:29:44 -------- d-----w- c:\program files\Infogrames Interactive
2011-09-13 21:29:03 -------- d-----w- c:\users\sebastian\appdata\roaming\WinMount
2011-09-13 21:28:39 65856 ----a-w- c:\windows\system32\drivers\WMDrive.sys
.
==================== Find3M ====================
.
2011-09-07 16:59:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54:40 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-07-31 15:47:19 173 ----a-w- c:\program files\3DG63DR1.bat
.
============= FINISH: 19:28:58,64 ===============


Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 01.07.2009 22:45:40
System Uptime: 10.10.2011 19:21:51 (0 hours ago)
.
Motherboard: Quanta | | 306C
Processor: Pentium® Dual-Core CPU T4200 @ 2.00GHz | CPU | 1200/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 222 GiB total, 15,252 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1,724 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Description:
Device ID: ROOT\HIDCLASS\0001
Manufacturer: Wacom
Name:
PNP Device ID: ROOT\HIDCLASS\0001
Service:
.
==== System Restore Points ===================
.
RP717: 10.10.2011 03:00:50 - Windows Update
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
When trying to run gmer.exe the same thing happens as when I ran Malwarebytes. The program opens and stays open for about a second, then all of a sudden crashes.
[screenshot: gmer.exe error message]
After the crash a little symbol gets added to the gmer.exe icon. When trying to open it again, I receive an error message. It is in German on the screenshot; it says something like "Can't access the requested device or path or file. You might not have the necessary permission to access the element."
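The process list in the DDS log above contains C:\Windows\3513276670:27760430.exe, a path with a second colon, which is how Windows names an executable stored in an NTFS alternate data stream of the file C:\Windows\3513276670. As an added example that is not part of the original thread, this Python script pulls the "Running Processes" section out of a DDS log and flags any process launched from such a stream; the sample log is a trimmed copy of the lines posted above.

```python
"""Added example (not part of the original thread): flag processes that a DDS
log shows running from an NTFS alternate data stream (ADS).

Windows names a stream as <file>:<stream>, so a process path such as
C:\\Windows\\3513276670:27760430.exe has a second colon after the drive letter.
Legitimate executables practically never run that way, which makes the
pattern a cheap triage check on a posted log.
"""
import re

# Host path (drive letter, colon, backslash, then anything up to the next
# colon) followed by ":" and a stream name.  Non-greedy so the host stops at
# the first extra colon; the stream name cannot contain path separators or
# whitespace, which keeps "-k DcomLaunch"-style arguments from matching.
_ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*?):(?P<stream>[^\s\\/:]+)")

# Constructed sample: a trimmed copy of the DDS log from the post above.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\3513276670:27760430.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.at/
"""


def extract_running_processes(log_text):
    """Return the non-empty lines of the DDS 'Running Processes' section."""
    lines = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Running Processes" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # the next section header ends the process list
        if in_section and line not in ("", "."):
            lines.append(line)
    return lines


def find_ads_processes(log_text):
    """Return (host_file, stream_name) for every process running from an ADS."""
    hits = []
    for line in extract_running_processes(log_text):
        match = _ADS_RE.match(line)
        if match:
            hits.append((match.group("host"), match.group("stream")))
    return hits


if __name__ == "__main__":
    for host, stream in find_ads_processes(SAMPLE_DDS):
        print(f"ADS-hosted process: stream '{stream}' inside {host}")
```

The host file reported by the check is the one a helper would then examine or neutralise; in this thread that is exactly the path later handed to DummyCreator.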

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 11 October 2011 - 10:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\Windows\3513276670
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 12 October 2011 - 12:56 AM

Man, thanks so much, the Google redirection appears to be gone! :)
The only weird thing that remains is the altered gmer.exe (screenshot at the bottom of post #3), which apparently I don't have permission to access, and therefore obviously don't have permission to delete either. So how can I get rid of it?

Logs:

DummyCreator by Farbar
Ran by sebastian (administrator) on 12-10-2011 at 06:40:51
**************************************************************

C:\Windows\3513276670 [12-10-2011 06:40:51]

== End of log ==
ComboFix 11-10-11.05 - sebastian 12.10.2011 7:00.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3038.2081 [GMT 2:00]
ausgeführt von:: c:\users\sebastian\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\sebastian\AppData\Local\Windows Server
c:\users\sebastian\AppData\Local\Windows Server\admin.txt
c:\users\sebastian\AppData\Local\Windows Server\server.dat
c:\users\sebastian\AppData\Local\Windows Server\uses32.dat
c:\users\sebastian\AppData\Roaming\chrtmp
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper.js
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper2.js
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc.dll
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc64.dll
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper.xpt
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper2.xpt
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\components2\iIDMMzCC.xpt
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\install.js
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\install.rdf
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\users\sebastian\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
c:\users\sebastian\AppData\Roaming\igfxtray.dat
c:\users\sebastian\AppData\Roaming\Microsoft\Windows\Recent\IGN WWE SmackDown vs. Raw 2010 Trailer, Videos and Movies.URL
c:\users\sebastian\AppData\Roaming\wndsksi.inf
c:\windows\$NtUninstallKB26998$
c:\windows\$NtUninstallKB26998$\4267206865\@
c:\windows\$NtUninstallKB26998$\4267206865\click.tlb
c:\windows\$NtUninstallKB26998$\4267206865\L\qnbwvoto
c:\windows\$NtUninstallKB26998$\4267206865\loader.tlb
c:\windows\$NtUninstallKB26998$\4267206865\U\@00000001
c:\windows\$NtUninstallKB26998$\4267206865\U\@000000c0
c:\windows\$NtUninstallKB26998$\4267206865\U\@000000cb
c:\windows\$NtUninstallKB26998$\4267206865\U\@000000cf
c:\windows\$NtUninstallKB26998$\4267206865\U\@80000000
c:\windows\$NtUninstallKB26998$\4267206865\U\@800000c0
c:\windows\$NtUninstallKB26998$\4267206865\U\@800000cb
c:\windows\$NtUninstallKB26998$\4267206865\U\@800000cf
c:\windows\$NtUninstallKB26998$\771757530
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\3513276670
c:\windows\IsUn0407.exe
c:\windows\iun6002.exe
c:\windows\system32\
c:\windows\system32\c_15740.nls
c:\windows\system32\PRAGMAerrors.log
c:\windows\system32\shimg.dll
c:\windows\system32\shsvcs.dll.vgorg
c:\windows\system32\spsys.log
c:\windows\system32\themeui.dll.vgorg
c:\windows\system32\uxtheme.dll.vgorg
c:\windows\unin0407.exe
.
Infizierte Kopie von c:\windows\system32\drivers\dfsc.sys wurde gefunden und desinfiziert
Kopie von - The cat found it :) wurde wiederhergestellt
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe . . . ist infiziert!!
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . ist infiziert!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Bonjour\mDNSResponder.exe . . . ist infiziert!!
c:\program files\Bonjour\mDNSResponder.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\FsUsbExService.Exe . . . ist infiziert!!
c:\windows\system32\FsUsbExService.Exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe . . . ist infiziert!!
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe . . . ist infiziert!!
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\iPod\bin\iPodService.exe . . . ist infiziert!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\LightScribe\LSSrvc.exe . . . ist infiziert!!
c:\program files\Common Files\LightScribe\LSSrvc.exe . . . was deleted!! You should re-install the program it pertains to
.
Infizierte Kopie von c:\windows\system32\nvvsvc.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\System32\DriverStore\FileRepository\nvhm.inf_6242fa03\nvvsvc.exe wurde wiederhergestellt
.
c:\program files\SMINST\BLService.exe . . . ist infiziert!!
c:\program files\SMINST\BLService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\STacSV.exe . . . ist infiziert!!
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\STacSV.exe . . . was deleted!! You should re-install the program it pertains to
.
Infizierte Kopie von c:\program files\Tablet\Pen\Pen_Tablet.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\System32\Pen_Tablet.exe wurde wiederhergestellt
.
c:\program files\Tablet\Pen\Pen_TouchService.exe . . . ist infiziert!!
c:\program files\Tablet\Pen\Pen_TouchService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_fe5868d1
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-09-12 bis 2011-10-12 ))))))))))))))))))))))))))))))
.
.
2011-10-12 05:28 . 2011-10-12 05:33 -------- d-----w- c:\users\sebastian\AppData\Local\temp
2011-10-12 05:28 . 2011-10-12 05:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 04:54 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-10-08 21:51 . 2011-10-08 21:51 -------- d-----w- c:\program files\CCleaner
2011-10-05 20:19 . 2011-10-05 20:19 -------- d-----w- c:\program files\AVG
2011-10-05 17:44 . 2011-10-06 00:18 -------- d-----w- c:\programdata\AVAST Software
2011-10-05 17:44 . 2011-10-05 17:44 -------- d-----w- c:\program files\AVAST Software
2011-10-05 16:55 . 2011-10-09 18:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-04 12:42 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E7EB1ED-CF5B-4A8A-94A6-47BE749F2D77}\mpengine.dll
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2011-09-29 17:58 . 2010-02-22 08:06 9216 ----a-w- c:\windows\system32\drivers\massfilter.sys
2011-09-29 17:58 . 2009-12-28 13:05 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2011-09-29 17:57 . 2009-12-08 19:19 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-09-29 17:57 . 2009-12-07 18:53 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-09-29 17:57 . 2009-10-12 14:22 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-09-29 17:57 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-09-29 17:57 . 2011-09-29 17:57 -------- dc-h--w- c:\programdata\{DA2F5D5B-4923-48EE-B46B-0FC936630A20}
2011-09-29 17:57 . 2011-09-29 17:59 -------- d-----w- c:\program files\bob internet
2011-09-29 17:57 . 2011-09-29 17:59 -------- d-----w- c:\programdata\mquadr.at
2011-09-29 17:56 . 2011-09-29 17:56 -------- d-----w- c:\users\sebastian\AppData\Local\PackageAware
2011-09-27 16:28 . 2011-10-05 00:42 -------- d-----w- c:\users\sebastian\AppData\Roaming\MicroST
2011-09-23 15:58 . 2011-09-23 15:58 -------- d--h--w- c:\windows\PIF
2011-09-23 14:10 . 2011-09-23 14:10 -------- d-----w- c:\programdata\MAGIX
2011-09-23 14:10 . 2011-09-23 14:10 -------- d-----w- c:\users\sebastian\AppData\Roaming\MAGIX
2011-09-23 14:00 . 2011-09-23 14:00 -------- d-----w- c:\programdata\Xara
2011-09-23 14:00 . 2011-09-23 14:00 -------- d-----w- c:\program files\Xara
2011-09-13 21:40 . 2002-12-05 12:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-09-13 21:40 . 2002-12-02 11:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-09-13 21:40 . 2002-12-05 12:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-09-13 21:40 . 2002-12-02 13:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-09-13 21:40 . 2002-12-02 11:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-09-13 21:40 . 2011-09-13 21:40 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-09-13 21:40 . 2011-09-13 21:40 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-09-13 21:29 . 2011-09-13 21:29 -------- d-----w- c:\program files\Infogrames Interactive
2011-09-13 21:29 . 2011-09-13 21:29 -------- d-----w- c:\users\sebastian\AppData\Roaming\WinMount
2011-09-13 21:28 . 2011-09-13 21:28 65856 ----a-w- c:\windows\system32\drivers\WMDrive.sys
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 16:59 . 2011-06-22 01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54 . 2011-08-10 17:15 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-07-31 15:47 . 2009-07-31 15:47 173 ----a-w- c:\program files\3DG63DR1.bat
2011-09-30 00:20 . 2011-03-24 19:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-03-02 16:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-04-04 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 01:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\programme\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 06:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:34 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 15:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-04-30 23:07 13781536 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-10-10 11:24 206128 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-23 15:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 10:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-01-20 08:39 483420 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2008-12-03 20:15 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-12-24 13:45 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
2008-12-08 10:25 432432 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe [x]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [x]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [x]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [x]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-12-04 222512]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-03-26 36640]
R3 hcw66xxx;WinTV HVR-900H;c:\windows\system32\Drivers\hcw66xxx.sys [2008-05-28 420096]
R3 jfdcd;jfdcd;c:\users\SEBAST~1\AppData\Local\Temp\jfdcd.sys [x]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-02-22 9216]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2010-03-25 98432]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2010-03-25 14848]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2010-03-25 123648]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-04 691696]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-03-17 86280]
S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2009-11-23 4497704]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 08:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.at/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = local;*.local
IE: Download aller Links mit IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV-Videoinhalt mit IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download mit IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\programme\Microsoft Office\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\sebastian\AppData\Roaming\Mozilla\Firefox\Profiles\y3ioiqd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - (no file)
WebBrowser-{CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - (no file)
MSConfigStartUp-DAT951D.tmp - c:\users\SEBAST~1\AppData\Local\Temp\DAT951D.tmp.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-12 07:33
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\Applications\DTLite.exe\shell]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):e6,5a,81,0e,51,d2,19,d2,fa,c1,cf,ba,3a,3d,91,a6,db,c6,eb,89,a8,
97,81,21,a9,1a,c1,77,37,36,b8,92,a9,c2,16,a6,dc,9c,cf,e8,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{aeaf6af0-764e-4c6d-b34d-d7218c0ed753}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000141
"Therad"=dword:0000001f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-10-12 07:44:52 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2011-10-12 05:44
.
Vor Suchlauf: 9 Verzeichnis(se), 15.891.292.160 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 15.814.217.728 Bytes frei
.
- - End Of File - - 5236EB309B07652943C75B3988A255E9

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 12 October 2011 - 01:11 AM

Greetings

Good, that cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Driver::
jfdcd


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:54 PM

Posted 12 October 2011 - 02:30 AM

ComboFix 11-10-11.05 - sebastian 12.10.2011 8:58.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3038.2222 [GMT 2:00]
ausgeführt von:: c:\users\sebastian\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\sebastian\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_JFDCD
-------\Service_jfdcd
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-09-12 bis 2011-10-12 ))))))))))))))))))))))))))))))
.
.
2011-10-12 07:10 . 2011-10-12 07:14 -------- d-----w- c:\users\sebastian\AppData\Local\temp
2011-10-12 07:10 . 2011-10-12 07:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 05:51 . 2011-10-12 05:51 100864 ----a-w- C:\fxldqpow.sys
2011-10-12 04:54 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-10-08 21:51 . 2011-10-08 21:51 -------- d-----w- c:\program files\CCleaner
2011-10-05 20:19 . 2011-10-05 20:19 -------- d-----w- c:\program files\AVG
2011-10-05 17:44 . 2011-10-06 00:18 -------- d-----w- c:\programdata\AVAST Software
2011-10-05 17:44 . 2011-10-05 17:44 -------- d-----w- c:\program files\AVAST Software
2011-10-05 16:55 . 2011-10-09 18:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-04 12:42 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E7EB1ED-CF5B-4A8A-94A6-47BE749F2D77}\mpengine.dll
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2011-09-29 17:58 . 2010-03-02 12:54 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2011-09-29 17:58 . 2010-02-22 08:06 9216 ----a-w- c:\windows\system32\drivers\massfilter.sys
2011-09-29 17:58 . 2009-12-28 13:05 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2011-09-29 17:57 . 2009-12-08 19:19 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-09-29 17:57 . 2009-12-07 18:53 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-09-29 17:57 . 2009-10-12 14:22 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-09-29 17:57 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-09-29 17:57 . 2011-09-29 17:57 -------- dc-h--w- c:\programdata\{DA2F5D5B-4923-48EE-B46B-0FC936630A20}
2011-09-29 17:57 . 2011-09-29 17:59 -------- d-----w- c:\program files\bob internet
2011-09-29 17:57 . 2011-09-29 17:59 -------- d-----w- c:\programdata\mquadr.at
2011-09-29 17:56 . 2011-09-29 17:56 -------- d-----w- c:\users\sebastian\AppData\Local\PackageAware
2011-09-27 16:28 . 2011-10-05 00:42 -------- d-----w- c:\users\sebastian\AppData\Roaming\MicroST
2011-09-23 15:58 . 2011-09-23 15:58 -------- d--h--w- c:\windows\PIF
2011-09-23 14:10 . 2011-09-23 14:10 -------- d-----w- c:\programdata\MAGIX
2011-09-23 14:10 . 2011-09-23 14:10 -------- d-----w- c:\users\sebastian\AppData\Roaming\MAGIX
2011-09-23 14:00 . 2011-09-23 14:00 -------- d-----w- c:\programdata\Xara
2011-09-23 14:00 . 2011-09-23 14:00 -------- d-----w- c:\program files\Xara
2011-09-13 21:40 . 2002-12-05 12:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-09-13 21:40 . 2002-12-02 11:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-09-13 21:40 . 2002-12-05 12:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-09-13 21:40 . 2002-12-02 13:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-09-13 21:40 . 2002-12-02 11:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-09-13 21:40 . 2011-09-13 21:40 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-09-13 21:40 . 2011-09-13 21:40 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-09-13 21:29 . 2011-09-13 21:29 -------- d-----w- c:\program files\Infogrames Interactive
2011-09-13 21:29 . 2011-09-13 21:29 -------- d-----w- c:\users\sebastian\AppData\Roaming\WinMount
2011-09-13 21:28 . 2011-09-13 21:28 65856 ----a-w- c:\windows\system32\drivers\WMDrive.sys
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 16:59 . 2011-06-22 01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54 . 2011-08-10 17:15 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-07-31 15:47 . 2009-07-31 15:47 173 ----a-w- c:\program files\3DG63DR1.bat
2011-09-30 00:20 . 2011-03-24 19:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-10 . 3A0FE40A2DAFF1752579BB8638B7E7FD . 627712 . . [6.0.6001.18000] . . c:\windows\System32\user32.dll
[7] 2009-04-10 . 75510147B94598407666F4802797C75A . 627712 . . [6.0.6002.18005] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
[7] 2008-01-21 . B974D9F06DC7D1908E825DC201681269 . 627200 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
.
[-] 2011-07-09 . 179AF7B52C59EED5635F69870D9E75E0 . 247808 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
[7] 2009-07-10 . 1E3FDB80E40A3CE645F229DFBDFB7694 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18287_none_cce0e39c1d282219\shsvcs.dll
[7] 2009-07-10 . 94285A002D2826D2FD1C0806455136E9 . 245760 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16883_none_caf6a3ce20052bcc\shsvcs.dll
[7] 2009-07-10 . 6898575E052CE7CB1CB87622EF187CDA . 245760 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.21081_none_cb7e18273924cc2a\shsvcs.dll
[7] 2009-07-10 . 6669714ACE90E9BB4E8C1D550C67B160 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.22467_none_cd80222536358728\shsvcs.dll
[7] 2009-07-10 . F0942394F642F5CE3D9A86474FA293FA . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.22169_none_cf6894a1335a0efa\shsvcs.dll
[7] 2009-07-10 . C7230FBEE14437716701C15BE02C27B8 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18063_none_ced8f61a1a41d726\shsvcs.dll
[7] 2009-04-10 . C818C44C201898399BF999BB6B35D4E3 . 247296 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll
[7] 2008-01-21 . 27F10F348E508243F6254846F8370D0D . 247296 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-03-02 16:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-04-04 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 01:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\programme\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 06:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:34 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 15:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-04-30 23:07 13781536 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-10-10 11:24 206128 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-23 15:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 10:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-01-20 08:39 483420 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2008-12-03 20:15 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-12-24 13:45 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
2008-12-08 10:25 432432 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe [x]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [x]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [x]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [x]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-12-04 222512]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-03-26 36640]
R3 hcw66xxx;WinTV HVR-900H;c:\windows\system32\Drivers\hcw66xxx.sys [2008-05-28 420096]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-02-22 9216]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2010-03-25 98432]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2010-03-25 14848]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2010-03-25 123648]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-04 691696]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-03-17 86280]
S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2009-11-23 4497704]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 08:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.at/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = local;*.local
IE: Download aller Links mit IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV-Videoinhalt mit IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download mit IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\programme\Microsoft Office\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\sebastian\AppData\Roaming\Mozilla\Firefox\Profiles\y3ioiqd3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-12 09:13
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanning for hidden processes...
.
Scanning for hidden autostart entries...
.
Scanning for hidden files...
.
Scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- Locked registry keys ---------------------
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\Applications\DTLite.exe\shell]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):e6,5a,81,0e,51,d2,19,d2,fa,c1,cf,ba,3a,3d,91,a6,db,c6,eb,89,a8,
97,81,21,a9,1a,c1,77,37,36,b8,92,a9,c2,16,a6,dc,9c,cf,e8,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{aeaf6af0-764e-4c6d-b34d-d7218c0ed753}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000141
"Therad"=dword:0000001f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2011-10-12 09:23:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-12 07:23
ComboFix2.txt 2011-10-12 05:44
.
Pre-Run: 14 directories, 15,883,943,936 bytes free
Post-Run: 16 directories, 15,870,566,400 bytes free
.
- - End Of File - - DE99930FCD5B5A4D525D04165F497894




I got one registry error during the CF scanning.
Everything else seems to be fine.
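
The ComboFix log above closes with a "locked registry keys" section: keys whose ACLs kept ComboFix from reading them normally, printed with their @Denied/@Allowed entries and whatever values could still be dumped. Helpers read that section by eye. The following is an added example (Python, not part of this thread and not ComboFix's own code) that parses the block format and applies one triage heuristic: a per-user key under HKEY_USERS that denies Full access to Everyone and holds nothing but raw hex or dword data is listed for manual review, while the {4D36E96D-E325-11CE-BFC1-08002BE10318}\...\AllUserSettings keys (the modem device class, whose AllUserSettings keys restrict Users and Everyone as shipped) are passed over. The heuristic, the MODEM_CLASS constant and the function names are this example's assumptions; the sample text is an excerpt copied from the log above.

```python
"""Triage of the "locked registry keys" section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field

# Modem device class; its AllUserSettings keys deny Users/Everyone as shipped.
MODEM_CLASS = "{4D36E96D-E325-11CE-BFC1-08002BE10318}"
OPAQUE_TYPES = {"hex(0)", "hex", "dword"}

KEY_RE = re.compile(r"^\[(.+)\]$")
ACE_RE = re.compile(r"^@(Denied|Allowed): \(([^)]*)\) \(([^)]*)\)$")
VAL_RE = re.compile(r'^"([^"]+)"=(hex\(0\)|hex|dword):(.*)$')
HEX_CONT_RE = re.compile(r"^(?:[0-9a-f]{2},)*[0-9a-f]{2},?\\?$")


@dataclass
class LockedKey:
    path: str
    raw_dacl: str = ""
    denied: list = field(default_factory=list)    # (right, principal) pairs
    allowed: list = field(default_factory=list)
    values: dict = field(default_factory=dict)    # name -> (type, data)


def parse_locked_keys(text):
    """Parse the ComboFix block format: [key], ACE lines, "name"=type:data."""
    keys, cur, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                              # "." separates blocks
        if m := KEY_RE.match(line):
            cur = LockedKey(path=m.group(1))
            keys.append(cur)
            last = None
        elif cur is None:
            continue
        elif m := ACE_RE.match(line):
            kind, right, who = m.groups()
            (cur.denied if kind == "Denied" else cur.allowed).append((right, who))
        elif m := VAL_RE.match(line):
            name, vtype, data = m.groups()
            cur.values[name] = (vtype, data.rstrip("\\"))
            last = name
        elif line.startswith("@DACL="):
            cur.raw_dacl = line.split("=", 1)[1]
        elif last and HEX_CONT_RE.match(line):
            vtype, data = cur.values[last]        # continuation of a hex dump
            cur.values[last] = (vtype, data + line.rstrip("\\"))
    return keys


def is_suspicious(key):
    """Per-user key, Full access denied to Everyone, nothing but raw data (assumed heuristic)."""
    if MODEM_CLASS in key.path or not key.path.upper().startswith("HKEY_USERS\\"):
        return False
    denies_everyone = ("Full", "Everyone") in key.denied
    opaque = bool(key.values) and all(t in OPAQUE_TYPES for t, _ in key.values.values())
    return denies_everyone and opaque


def triage(text):
    return [k.path for k in parse_locked_keys(text) if is_suspicious(k)]


# Excerpt copied from the ComboFix log in this thread.
SAMPLE = r"""
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\Applications\DTLite.exe\shell]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):e6,5a,81,0e,51,d2,19,d2,fa,c1,cf,ba,3a,3d,91,a6,db,c6,eb,89,a8,
97,81,21,a9,1a,c1,77,37,36,b8,92,a9,c2,16,a6,dc,9c,cf,e8,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-478807199-3609679544-129123539-1000_Classes\CLSID\{aeaf6af0-764e-4c6d-b34d-d7218c0ed753}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000141
"Therad"=dword:0000001f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("REVIEW", path)
```

Run against the excerpt it lists the two per-user CLSID keys and nothing else; the DTLite.exe\shell key carries only a DACL summary with no deny entry, and the three modem-class keys are skipped by name. A listed key is a candidate for inspection, not a verdict: the next step is to look at what the CLSID resolves to and who set the ACL.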

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 12 October 2011 - 02:37 AM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
rem change drive and directory together, so the log lands next to junction.exe
cd /d c:\
rem -s recurses through the whole volume; redirect the report to c:\log.txt
junction -s c:\ >log.txt
start log.txt
rem remove this batch file once it has done its job
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 12 October 2011 - 02:42 AM

That log comes out empty...

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 12 October 2011 - 02:46 AM

Hello

1. make sure junction.exe is on the C drive

2. click on start

3. click on run

4. type CMD into the run box and click on OK

5. copy and paste these lines into the CMD window


cd /d c:\
junction -s c:\ >log.txt
start log.txt

6. wait about 5 min until the report pops up

7. copy and paste this report here

gringo

#11 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 12 October 2011 - 03:09 AM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users

\\?\c:\\Dokumente und Einstellungen: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

\\?\c:\\Programme: JUNCTION
Print Name : C:\Program Files
Substitute Name: C:\Program Files

...

\\?\c:\\Program Files\Gemeinsame Dateien: JUNCTION
Print Name : C:\Program Files\Common Files
Substitute Name: C:\Program Files\Common Files

...

\\?\c:\\Program Files\Windows NT\Zubehör: JUNCTION
Print Name : C:\Program Files\Windows NT\Accessories
Substitute Name: C:\Program Files\Windows NT\Accessories



.
Failed to open \\?\c:\\Program Files\Xara\Xara Web Designer 7 Premium\WebDesigner.exe: Access is denied

..

...

...

.\\?\c:\\ProgramData\Anwendungsdaten: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Dokumente: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favoriten: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Startmenü: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\ProgramData\Vorlagen: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..

...


Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4: Access is denied

..\\?\c:\\ProgramData\Microsoft\Windows\Start Menu\Programme: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu\Programs

.

...

...


Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied

.\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB26998$\771757530.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

..

...

...
Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied

Failed to open \\?\c:\\System Volume Information\{56ec0a52-f408-11e0-8394-00238bc952f0}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied

Failed to open \\?\c:\\System Volume Information\{56ec0a64-f408-11e0-8394-00238bc952f0}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied

\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Anwendungsdaten: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Dokumente: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favoriten: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Startmenü: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Users\All Users\Vorlagen: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

...

...
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4: Access is denied

.\\?\c:\\Users\All Users\Microsoft\Windows\Start Menu\Programme: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu\Programs

..

...

...\\?\c:\\Users\Default\Anwendungsdaten: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Druckumgebung: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Eigene Dateien: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\Lokale Einstellungen: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\Netzwerkumgebung: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Startmenü: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\Vorlagen: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Anwendungsdaten: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\AppData\Local\Verlauf: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History



\\?\c:\\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programme: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

\\?\c:\\Users\Default\Documents\Eigene Bilder: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\Eigene Musik: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\Eigene Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\Eigene Bilder: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\Eigene Musik: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\Eigene Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

\\?\c:\\Users\sebastian\Anwendungsdaten: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming
Substitute Name: C:\Users\sebastian\AppData\Roaming

\\?\c:\\Users\sebastian\Cookies: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\sebastian\Druckumgebung: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\sebastian\Eigene Dateien: JUNCTION
Print Name : C:\Users\sebastian\Documents
Substitute Name: C:\Users\sebastian\Documents

\\?\c:\\Users\sebastian\Lokale Einstellungen: JUNCTION
Print Name : C:\Users\sebastian\AppData\Local
Substitute Name: C:\Users\sebastian\AppData\Local

\\?\c:\\Users\sebastian\Netzwerkumgebung: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\sebastian\Recent: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\sebastian\SendTo: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\sebastian\Startmenü: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\sebastian\Vorlagen: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\sebastian\AppData\Local\Anwendungsdaten: JUNCTION
Print Name : C:\Users\sebastian\AppData\Local
Substitute Name: C:\Users\sebastian\AppData\Local

\\?\c:\\Users\sebastian\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\sebastian\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\sebastian\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\sebastian\AppData\Local\Verlauf: JUNCTION
Print Name : C:\Users\sebastian\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\sebastian\AppData\Local\Microsoft\Windows\History

...

\\?\c:\\Users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu\Programme: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Substitute Name: C:\Users\sebastian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

..

...

..
Failed to open \\?\c:\\Users\sebastian\Desktop\autoruns.exe: Access is denied

Failed to open \\?\c:\\Users\sebastian\Desktop\gmer.exe: Access is denied

...

Failed to open \\?\c:\\Users\sebastian\Desktop\Neuer Ordner\gmer.exe: Access is denied

.

...\\?\c:\\Users\sebastian\Documents\Eigene Bilder: JUNCTION
Print Name : C:\Users\sebastian\Pictures
Substitute Name: C:\Users\sebastian\Pictures

\\?\c:\\Users\sebastian\Documents\Eigene Musik: JUNCTION
Print Name : C:\Users\sebastian\Music
Substitute Name: C:\Users\sebastian\Music

\\?\c:\\Users\sebastian\Documents\Eigene Videos: JUNCTION
Print Name : C:\Users\sebastian\Videos
Substitute Name: C:\Users\sebastian\Videos



...

Failed to open \\?\c:\\Windows\System32\mrt.exe: Access is denied

...

Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied

...
..
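
The junction -s run that gringo_pr asks for in posts #8 and #10 produces the listing in post #11: one entry per reparse point with its Print Name and Substitute Name, plus "Failed to open" lines for paths the tool could not read. Vista creates hundreds of these junctions as localized aliases (Anwendungsdaten, Startmenü, Programme and so on), all pointing under Users, ProgramData or Program Files, so the work is to find the entries that do not fit that pattern. The following is an added example (Python, not from the thread and not Sysinternals code) that parses this format, flags a reparse point whose target lies under the Windows directory or whose symbolic-link Substitute Name is not simply the Print Name in \??\ form, and splits the failures into access-denied paths (the kind of list gringo_pr feeds to GrantPerms in post #12) and files that are merely in use, such as hiberfil.sys. The heuristic, WINDOWS_DIR and the function names are assumptions of the example; the sample is an excerpt assembled from the log above, with one English error string added to show that both locales are handled.

```python
"""Triage of a Sysinternals "junction -s <drive>" listing (added example)."""
import re
from dataclasses import dataclass

# One entry per reparse point, possibly with progress dots glued to the front:
#   ...\\?\c:\\Programme: JUNCTION
ENTRY_RE = re.compile(r"^\.*(\\\\\?\\.+?): (JUNCTION|SYMBOLIC LINK)$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.*)$")
FAILED_RE = re.compile(r"^\.*Failed to open (\\\\\?\\.+?): (.+)$")
# junction prints the OS error text in the system language; the log above is
# from a German Vista, so both spellings are recognised.
ACCESS_DENIED = ("Zugriff verweigert", "Access is denied")
WINDOWS_DIR = "c:\\windows"          # assumption: the system drive is C:


@dataclass
class ReparsePoint:
    path: str
    kind: str                        # "JUNCTION" or "SYMBOLIC LINK"
    print_name: str = ""
    substitute: str = ""


def normalize(path):
    """Drop junction's extended-path prefix and the doubled separator it
    leaves after the drive letter, then lower-case for comparison."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path.lower()


def parse_junction_log(text):
    """Return (reparse points, [(path, error message)]) from a junction -s report."""
    points, failures, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            cur = ReparsePoint(path=normalize(m.group(1)), kind=m.group(2))
            points.append(cur)
        elif m := FAILED_RE.match(line):
            failures.append((normalize(m.group(1)), m.group(2).rstrip(".")))
            cur = None
        elif (m := NAME_RE.match(line)) and cur is not None:
            if m.group(1) == "Print Name":
                cur.print_name = m.group(2)
            else:
                cur.substitute = m.group(2)
    return points, failures


def is_suspicious(rp):
    """Assumed heuristic: target inside the Windows directory, or a symbolic
    link whose NT-form Substitute Name does not simply mirror the Print Name."""
    if normalize(rp.print_name).startswith(WINDOWS_DIR):
        return True
    if rp.kind == "SYMBOLIC LINK":
        return rp.substitute.lower() != ("\\??\\" + rp.print_name).lower()
    return rp.print_name.lower() != rp.substitute.lower()


def triage(text):
    points, failures = parse_junction_log(text)
    flagged = [rp for rp in points if is_suspicious(rp)]
    denied = [p for p, msg in failures if msg.startswith(ACCESS_DENIED)]
    in_use = [p for p, msg in failures if not msg.startswith(ACCESS_DENIED)]
    return flagged, denied, in_use


# Excerpt assembled from the junction log in this thread; the mrt.exe line
# uses the English error text to exercise the second spelling.
SAMPLE = r"""
Junction v1.06 - Windows junction creator and reparse point viewer

\\?\c:\\Dokumente und Einstellungen: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

...

.\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB26998$\771757530.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\sebastian\Anwendungsdaten: JUNCTION
Print Name : C:\Users\sebastian\AppData\Roaming
Substitute Name: C:\Users\sebastian\AppData\Roaming
..
Failed to open \\?\c:\\Users\sebastian\Desktop\gmer.exe: Zugriff verweigert
Failed to open \\?\c:\\Windows\System32\mrt.exe: Access is denied
"""

if __name__ == "__main__":
    flagged, denied, in_use = triage(SAMPLE)
    for rp in flagged:
        print(f"REVIEW  {rp.kind:13} {rp.path} -> {rp.substitute}")
    for p in denied:
        print(f"DENIED  {p}")
    for p in in_use:
        print(f"IN USE  {p}")
```

On the excerpt, and on the full log above, exactly one reparse point comes out for review: the SYMBOLIC LINK ComboFix quarantined from c:\Windows\$NtUninstallKB26998$, whose Substitute Name is \systemroot\system32\config. The Users\All Users symbolic link to C:\ProgramData is the standard Vista arrangement and is left alone, as are the localized alias junctions. The access-denied list separates the paths worth unlocking from the hiberfil.sys and pagefile.sys entries, which fail only because they are open.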

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 12 October 2011 - 03:20 AM

Hello

We need to reset some permissions that the virus changed

Download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\Program Files\Xara\Xara Web Designer 7 Premium\WebDesigner.exe
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4
c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{56ec0a52-f408-11e0-8394-00238bc952f0}
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4
c:\Users\sebastian\Desktop\autoruns.exe
c:\Users\sebastian\Desktop\gmer.exe
c:\Users\sebastian\Desktop\Neuer Ordner\gmer.exe
c:\Windows\System32\mrt.exe
c:\Windows\System32\LogFiles\WMI\RtBackup


Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Gringo

#13 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 12 October 2011 - 03:27 AM

GrantPerms by Farbar
Ran by sebastian at 2011-10-12 10:26:27

===============================================
\\?\c:\Program Files\Xara\Xara Web Designer 7 Premium\WebDesigner.exe

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4

Owner: VORDEFINIERT\Administratoren

DACL(NP)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


ERROR: Parsing the SD of <\\?\c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Zugriff verweigert


Operating system error message: Zugriff verweigert
ERROR: Parsing the SD of <\\?\c:\System Volume Information\{56ec0a52-f408-11e0-8394-00238bc952f0}> failed with: Das System kann die angegebene Datei nicht finden.


Operating system error message: Das System kann die angegebene Datei nicht finden.
\\?\c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3e5f81582c1faba92cb914b53abc726a_4399e4cc-a536-4473-969b-e2c62c4832e4

Owner: VORDEFINIERT\Administratoren

DACL(NP)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\Users\sebastian\Desktop\autoruns.exe

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\Users\sebastian\Desktop\gmer.exe

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\Users\sebastian\Desktop\Neuer Ordner\gmer.exe

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\Windows\System32\mrt.exe

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (NI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (NI)


\\?\c:\Windows\System32\LogFiles\WMI\RtBackup

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (CI)(OI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (CI)(OI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (CI)(OI)
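
As an added illustration of what the Perms.txt report above contains (example code written for this page, not part of GrantPerms or Farbar's tools), the script below parses the report format as posted and flags entries that deviate from the baseline the helper is restoring: Administrators and SYSTEM with full control, Users with read/execute, no DENY entries, and no other principal with full control. The sample report is constructed from the format above; the entry marked CONSTRUCTED is invented to show how a locked file would appear, and the English principal names (BUILTIN\Administrators, NT AUTHORITY\SYSTEM, BUILTIN\Users) are added so the same mapping works on an en-US system.

```python
"""Parse Perms.txt (the report GrantPerms writes for "List Permissions") and
flag entries whose DACL deviates from the usual baseline: Administrators and
SYSTEM with full control, Users with read/execute, no DENY entries, and no
other principal with full control.  Added example for this thread, not part
of GrantPerms; SAMPLE_PERMS is constructed in the format shown above."""
import re
from dataclasses import dataclass, field

# Localized principal names -> locale-independent role.  The German names are
# the ones in the thread; the English ones are the en-US equivalents.
PRINCIPALS = {
    "VORDEFINIERT\\Administratoren": "admins", "BUILTIN\\Administrators": "admins",
    "NT-AUTORITÄT\\SYSTEM": "system", "NT AUTHORITY\\SYSTEM": "system",
    "VORDEFINIERT\\Benutzer": "users", "BUILTIN\\Users": "users",
}
# e.g. "VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (CI)(OI)"
ACE_RE = re.compile(r"^(?P<who>.+?) (?P<rights>[A-Z/]+) (?P<type>ALLOW|DENY)(?: (?P<flags>\(.*\)))?$")
# e.g. "ERROR: Parsing the SD of <path> failed with: Zugriff verweigert"
ERR_RE = re.compile(r"^ERROR: Parsing the SD of <(?P<path>.+)> failed with: (?P<msg>.+)$")

@dataclass
class Entry:
    path: str
    owner: str = ""
    protected: bool = False    # DACL(P): inheritance from the parent folder is blocked
    aces: list = field(default_factory=list)   # (principal, rights, ALLOW|DENY, flags)
    error: str = ""            # set when the tool could not read the security descriptor

def parse_perms(text):
    """Turn Perms.txt text into a list of Entry objects, in file order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ERR_RE.match(line)
        if m:
            entries.append(Entry(path=m["path"], error=m["msg"]))
            cur = None             # the trailing "Operating system error message" line is skipped
            continue
        if line.startswith("\\\\?\\"):
            cur = Entry(path=line)
            entries.append(cur)
        elif cur is None:
            continue               # tool header lines before the first entry
        elif line.startswith("Owner:"):
            cur.owner = line[len("Owner:"):].strip()
        elif line.startswith("DACL"):
            cur.protected = line.startswith("DACL(P)")
        else:
            m = ACE_RE.match(line)
            if m:
                cur.aces.append((m["who"], m["rights"], m["type"], m["flags"] or ""))
    return entries

def audit(entries):
    """Return (path, finding) pairs for everything that deviates from the baseline."""
    findings = []
    for e in entries:
        if e.error:
            findings.append((e.path, f"unreadable: {e.error}"))
            continue
        if PRINCIPALS.get(e.owner) not in ("admins", "system"):
            findings.append((e.path, f"unexpected owner {e.owner}"))
        full = set()
        for who, rights, kind, _flags in e.aces:
            if kind == "DENY":
                findings.append((e.path, f"DENY ACE for {who} ({rights})"))
            elif rights == "FULL":
                full.add(PRINCIPALS.get(who, who))
        if "system" not in full:
            findings.append((e.path, "SYSTEM lacks FULL ALLOW"))
        if "admins" not in full:
            findings.append((e.path, "Administrators lack FULL ALLOW"))
        for extra in sorted(full - {"admins", "system"}):
            findings.append((e.path, f"{extra} has FULL control"))
    return findings

# Constructed sample: two entries in the format posted above plus one invented,
# CONSTRUCTED entry showing a file whose ACL was locked against SYSTEM and Users.
SAMPLE_PERMS = r"""GrantPerms by Farbar
ERROR: Parsing the SD of <\\?\c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Zugriff verweigert

Operating system error message: Zugriff verweigert
\\?\c:\Windows\System32\LogFiles\WMI\RtBackup

Owner: VORDEFINIERT\Administratoren

DACL(P)(AI):
VORDEFINIERT\Administratoren FULL ALLOW (CI)(OI)
NT-AUTORITÄT\SYSTEM FULL ALLOW (CI)(OI)
VORDEFINIERT\Benutzer READ/EXECUTE ALLOW (CI)(OI)

\\?\c:\Windows\System32\CONSTRUCTED_locked_sample.exe

Owner: CONSTRUCTED\someuser

DACL(P)(AI):
CONSTRUCTED\someuser FULL ALLOW (NI)
NT-AUTORITÄT\SYSTEM FULL DENY (NI)
VORDEFINIERT\Benutzer FULL DENY (NI)
"""

if __name__ == "__main__":
    for path, finding in audit(parse_perms(SAMPLE_PERMS)):
        print(f"{path}\n    {finding}")
```

The "unreadable" finding for the System Volume Information entry is the same access-denied result the report above shows; that folder is normally readable only by SYSTEM, so it is expected rather than a sign of tampering, whereas a DENY entry against SYSTEM on a file under System32 is what made the earlier scan fail to open mrt.exe.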

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 12 October 2011 - 03:57 AM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis, sometimes we have to run it as an administrator: right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#15 caramba

caramba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 12 October 2011 - 02:04 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Datenbank Version: 7929

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12.10.2011 20:59:12
mbam-log-2011-10-12 (20-59-12).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 176970
Laufzeit: 6 Minute(n), 43 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)


--------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:03:26, on 12.10.2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_at&c=91&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download aller Links mit IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV-Videoinhalt mit IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download mit IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with Mipony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programme\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FsUsbExService - Unknown owner - C:\Windows\system32\FsUsbExService.Exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Unknown owner - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe (file missing)
O23 - Service: hpqwmiex - Unknown owner - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\STacSV.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_Tablet.exe
O23 - Service: Wacom Consumer Touch Service (TouchServicePen) - Unknown owner - C:\Program Files\Tablet\Pen\Pen_TouchService.exe (file missing)

--
End of file - 8082 bytes
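
As an added example for reading a HijackThis log like the one above (code written for this page, not part of HijackThis or Trend Micro), the script below sorts entries into the buckets a helper forms by eye: BHOs and services whose file is gone are leftovers of uninstalled software rather than active infections, services with no publisher information deserve a signature check, and autostarts running from user-writable folders deserve a closer look. The sample lines are taken from the log format above; the two lines marked CONSTRUCTED are invented so the last two checks have something to report.

```python
"""Triage HijackThis v2 log lines into "leftover", "verify" and "look closer".
Added example for this thread, not part of HijackThis.  SAMPLE_LOG is built
from the log format posted above plus two CONSTRUCTED lines (marked)."""
import re

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O4 - HKLM\..\Run: [Name] C:\path\prog.exe args
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Folders where legitimate autostarts are rare and droppers are common.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\desktop\\", "\\downloads\\")

def split_fields(body, prefix):
    """'BHO: name - {clsid} - path' -> (name, clsid-or-owner, path)."""
    parts = body[len(prefix):].split(" - ")
    if len(parts) < 3:
        return parts[0], "", " - ".join(parts[1:])
    return parts[0], parts[1], " - ".join(parts[2:])

def triage_line(line):
    """Return (bucket, note) for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code == "O2" and body.startswith("BHO: "):
        name, clsid, path = split_fields(body, "BHO: ")
        if path == "(no file)":
            return ("leftover", f"BHO {clsid} ({name}) is registered but its DLL is gone")
    elif code == "O23" and body.startswith("Service: "):
        name, owner, path = split_fields(body, "Service: ")
        if path.endswith("(file missing)"):
            return ("leftover", f"service '{name}' points at a missing binary")
        if owner == "Unknown owner":
            return ("verify", f"service '{name}' has no publisher info: check the signature of {path}")
    elif code == "O4":
        mm = RUN_RE.match(body)
        if mm and any(tok in mm["cmd"].lower() for tok in USER_WRITABLE):
            return ("look closer", f"autostart '{mm['name']}' runs from a user-writable path: {mm['cmd']}")
    return None

def triage_log(text):
    """Bucket every line of a log; lines with nothing to report are dropped."""
    buckets = {"leftover": [], "verify": [], "look closer": []}
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            buckets[hit[0]].append(hit[1])
    return buckets

# Constructed sample in the posted format; the CONSTRUCTED lines are invented.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Users\someone\AppData\Roaming\CONSTRUCTED\updater.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\aestsrv.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: CONSTRUCTED updater (ConstructedSvc) - Unknown owner - C:\ProgramData\ConstructedSvc\svc.exe
"""

if __name__ == "__main__":
    for bucket, notes in triage_log(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(notes)})")
        for note in notes:
            print("  " + note)
```

Nothing in the "leftover" bucket is evidence of an infection, which is why the helper's instructions above say not to let HijackThis fix anything yet; the pasted log itself produces only leftovers, the other two buckets only fill because of the constructed lines.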
