
Google redirect, ping.exe virus after XP security removal


This topic is locked
41 replies to this topic

#1 HOPE1974
  • Members
  • 24 posts

Posted 11 December 2011 - 01:25 AM

Today I suddenly had the XP Security 2012 malware on my computer. I removed it following the instructions at this link: http://www.bleepingcomputer.com/virus-removal/remove-vista-internet-security-2012

Malwarebytes found 5 infections and deleted them. After restarting I opened Firefox and noticed that Google search results were redirected to other websites. I followed the instructions in the Preparation Guide and created logs by running DDS and GMER. During this process I had an error window popping up about a ping.exe, and Avira found a TR/Rootkit.Gen2 in Windows\system32\drivers\ipsec.sys.

Can you please help me remove this malware that I still have on my computer? Thank you so much.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
Run by Assmann at 18:14:42 on 2011-12-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.1022.253 [GMT -8:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EB-0D24-347CA8A3377C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Samsung\AVStation premium\bin\AVStation agent.exe
C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Program Files\SVRemote\USB20Remote.exe
C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe
C:\Programme\InterVideo\WinDVR3\WinRemote.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Assmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.5\MoeMonitor.exe
C:\Programme\TomTom HOME 2\HOMERunner.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\OpenOffice.org 2.2\program\soffice.exe
C:\Programme\OpenOffice.org 2.2\program\soffice.BIN
C:\Programme\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programme\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\system32\HPZinw12.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.applehostels.com/
uSearch Page = hxxp://de.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://de.search.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://de.yahoo.com
mDefault_Search_URL = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
mSearch Page = hxxp://de.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://de.search.yahoo.com
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = fritz.box
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MoeMonitor.exe] "c:\dokumente und einstellungen\assmann\lokale einstellungen\anwendungsdaten\microsoft\live mesh\bin\servicing\0.9.3424.5\MoeMonitor.exe"
uRun: [TomTomHOME.exe] "c:\programme\tomtom home 2\HOMERunner.exe"
uRun: [Yahoo! Pager] "c:\programme\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\programme\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\programme\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPLpr] c:\programme\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [farstone]
mRun: [MagicKeyboard] c:\programme\samsung\magickbd\PreMKBD.exe
mRun: [AVStation premium] "c:\programme\samsung\avstation premium\bin\AVStation agent.exe"
mRun: [BatteryManager] c:\programme\samsung\samsung battery manager\BatteryManager.exe
mRun: [RemoteControl] c:\programme\cyberlink\powerdvd\PDVDServ.exe
mRun: [ATIPTA] "c:\programme\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DAEMON Tools-1033] "c:\programme\d-tools\daemon.exe" -lang 1033
mRun: [IntelliPoint] "c:\programme\microsoft intellipoint\point32.exe"
mRun: [SVRemote] c:\program files\svremote\USB20Remote.exe
mRun: [WinDVR SchSvr] "c:\programme\gemeinsame dateien\intervideo\schsvr\SchSvr.exe"
mRun: [WinRemote] c:\programme\intervideo\windvr3\WinRemote.exe
mRun: [QuickTime Task] "c:\programme\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\programme\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\programme\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [IETI] c:\programme\skype\phone\ieplugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
StartupFolder: c:\dokume~1\assmann\startm~1\progra~1\autost~1\openof~1.lnk - c:\programme\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\acroba~1.lnk - c:\programme\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~2.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\autoca~1.lnk - c:\programme\gemeinsame dateien\autodesk shared\acstart16.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\deskto~1.lnk - c:\programme\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\interv~1.lnk - c:\programme\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\micros~1.lnk - c:\programme\microsoft office\office\OSA9.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\paloal~1.lnk - c:\windows\installer\{6b2d979e-216d-43a4-bae2-71a185922ca1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_803138DCE93649E4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\programme\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\programme\winhttrack\WinHTTrackIEBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\programme\yahoo!\common\yinsthelper.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/63.27/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/24.19/uploader2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.0.10/xplugLiteDL.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{007875EF-5B48-4130-9782-E321DE012D01} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{2FC4A583-D2CE-4B49-B3B2-68D84B25776C} : NameServer = 208.67.222.222,208.67.220.220
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programme\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: wlcrdplauncher - c:\programme\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\dokumente und einstellungen\assmann\anwendungsdaten\mozilla\firefox\profiles\ghajluwv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programme\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\dokumente und einstellungen\assmann\anwendungsdaten\mozilla\firefox\profiles\ghajluwv.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - plugin: c:\dokumente und einstellungen\assmann\anwendungsdaten\mozilla\firefox\profiles\ghajluwv.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\programme\google\picasa3\npPicasa3.dll
FF - plugin: c:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\programme\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-2 36000]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2005-11-21 11008]
R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [2006-12-14 11264]
R2 AntiVirSchedulerService;Avira Scheduler;c:\programme\avira\antivir desktop\sched.exe [2011-11-2 86224]
R2 AntiVirService;Avira Realtime Protection;c:\programme\avira\antivir desktop\avguard.exe [2011-11-2 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-8 74640]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2005-8-30 4300]
R2 MBAMService;MBAMService;c:\programme\malwarebytes' anti-malware\mbamservice.exe [2011-12-10 366152]
R2 SNM WLAN Service;SNM WLAN Service;c:\programme\samsung\samsung network manager\SNMWLANService.exe [2005-5-27 36864]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\programme\live mesh\remote desktop\wlcrasvc.exe [2008-12-11 42824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 22216]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [2006-12-14 361472]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2008-12-11 10056]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2008-12-11 20424]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2005-6-8 17792]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [2006-7-25 60688]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\drivers\avmunet.sys [2006-12-14 15104]
S3 awhost32;Symantec pcAnywhere Host-Dienst;c:\programme\symantec\pcanywhere\awhost32.exe [2006-2-24 106496]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\pfc027.sys [2005-4-8 162176]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2007-5-10 77824]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2006-8-1 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2006-8-1 5248]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-12-10 15:59:11 -------- d-----w- c:\dokumente und einstellungen\assmann\anwendungsdaten\Malwarebytes
2011-12-10 15:58:55 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2011-12-10 15:58:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 15:58:50 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-10-19 23:56:50 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-19 23:56:50 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2008-05-05 18:24:58 9216 ----a-w- c:\programme\rphelperapp.exe
2008-05-05 18:24:58 7168 ----a-w- c:\programme\realjbox.exe
2008-05-05 18:24:57 214560 ----a-w- c:\programme\realplay.exe
2004-08-04 12:00:00 94800 --sh--w- c:\windows\twain.dll
2008-04-14 02:22:30 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:52:56 974848 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 02:22:18 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 02:22:18 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 02:22:18 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 02:22:23 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 02:22:23 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 02:22:58 12288 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 18:17:21.04 ===============


#2 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 12 December 2011 - 03:29 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
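An added example, not part of this thread and not code from DDS, ComboFix or BleepingComputer: a small triage script for the kind of text logs exchanged here. It walks a DDS/ComboFix log once and flags the indicators that matter in this thread: ping.exe sitting in the running-process snapshot (the DDS log in post #1), the per-interface NameServer values, the Security Center AntiVirusOverride/FirewallOverride flags, a hidden c:\windows\$NtUninstallKB<n>$ tree whose children are '@' markers and 'U\' / 'L\' subfolders (what ComboFix lists under "Other Deletions" in the next post), and any path ComboFix reports it failed to delete. The log excerpt is constructed from lines that appear in this thread plus one made-up NameServer line (203.0.113.5, a documentation address) so the DNS check has something to catch; the DNS allowlist (OpenDNS's 208.67.222.222 and 208.67.220.220, which the DDS log shows and which are legitimate public resolvers) is an assumption for the demo.

```python
"""Triage helper for DDS / ComboFix text logs (added example, not part of the
thread or of either tool). Flags: a hidden c:\\windows\\$NtUninstallKB<n>$ tree
with '@', 'U\\' or 'L\\' entries, a path ComboFix could not delete, Security
Center override flags, ping.exe in the running-process snapshot, and
NameServer values outside an allowlist."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# A genuine hotfix folder is $NtUninstallKB<digits>$ holding an uninstall
# payload, not '@' markers and 'U\' / 'L\' subfolders, so key on the children.
UNINSTALL_DIR = re.compile(r"c:\\windows\\(\$NtUninstallKB\d+\$)\\(.+)$", re.I)
ROOTKIT_CHILD = re.compile(r"^(?:\d+\\)?(?:@|[UL]\\.+)$", re.I)
FAILED_DELETE = re.compile(r"^(c:\\.+?) \. \. \. \. Failed to delete$", re.I)
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$", re.I)
OVERRIDE = re.compile(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I)
PING = re.compile(r"\\ping\.exe$", re.I)

# Assumption for the demo: the owner expects the OpenDNS resolvers the DDS log
# in post #1 shows; any other NameServer value is reported.
DNS_ALLOWLIST: FrozenSet[str] = frozenset({"208.67.222.222", "208.67.220.220"})


def triage(log: str, dns_allowlist: FrozenSet[str]) -> List[Finding]:
    """Walk the log once, tracking the section headers both tools emit."""
    findings: List[Finding] = []
    seen_dirs = set()
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=====") or line.startswith("((("):
            section = line.strip("=() ").lower()  # e.g. "running processes"
            continue
        m = UNINSTALL_DIR.search(line)
        if m and ROOTKIT_CHILD.match(m.group(2)) and m.group(1) not in seen_dirs:
            seen_dirs.add(m.group(1))  # report each hidden tree once
            findings.append(Finding("hidden-uninstall-dir",
                                    f"{m.group(1)} holds '@' / 'U\\' / 'L\\' entries"))
        m = FAILED_DELETE.match(line)
        if m:
            findings.append(Finding("failed-delete", m.group(1)))
        m = OVERRIDE.match(line)
        if m:
            findings.append(Finding("security-center-override", m.group(1)))
        if section == "running processes" and PING.search(line):
            findings.append(Finding("ping-in-process-list", line))
        m = NAMESERVER.search(line)
        if m:
            for ip in (p.strip() for p in m.group(1).split(",")):
                if ip and ip not in dns_allowlist:
                    findings.append(Finding("unexpected-dns", ip))
    return findings


# Constructed excerpt: lines taken from the DDS log in post #1 and the ComboFix
# "Other Deletions" / "Reg Loading Points" sections in post #3, plus one
# made-up NameServer line (203.0.113.5) so the allowlist check has a miss.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\system32\HPZinw12.exe
.
============== Pseudo HJT Report ===============
.
TCP: Interfaces\{007875EF-5B48-4130-9782-E321DE012D01} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{00000000-0000-0000-0000-000000000000} : NameServer = 203.0.113.5
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB65145$\1527446287
c:\windows\$NtUninstallKB65145$\3917289220\@
c:\windows\$NtUninstallKB65145$\3917289220\cfg.ini
c:\windows\$NtUninstallKB65145$\3917289220\L\eqmrabvk
c:\windows\$NtUninstallKB65145$\3917289220\U\00000001.@
c:\windows\$NtUninstallKB65145$\3917289220\U\80000032.@
c:\windows\$NtUninstallKB65145$ . . . . Failed to delete
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, DNS_ALLOWLIST):
        print(f"{f.kind:26} {f.detail}")
```

The script only reads text, so it can be run against any saved DDS or ComboFix log on a clean machine; it is a reading aid for the helper, not a removal step, and a "hidden-uninstall-dir" or "failed-delete" hit is exactly the kind of thing that justifies a second ComboFix pass like the one gringo asks for above.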

#3 HOPE1974 (Topic Starter)
  • Members
  • 24 posts

Posted 12 December 2011 - 08:10 AM

Hi Gringo,

Thanks so much for getting back to me. I followed your instructions and ran ComboFix. I had an error message that Avira was still running even though I had a closed umbrella as described. I did not know what to do and tried to click the cross on the window instead of OK, but ComboFix started running anyway. It ran through with no problems. I had windows from a malware called Security Squere 2012 popping up during the process. ComboFix told me that it found the rootkit ZeroAccess and that I should run ComboFix again if I have no internet access after a restart.

I had no internet access and I ran ComboFix again. Still no internet. I rebooted again. Still no internet. I opened a DOS window and typed ipconfig /all and I get an error message and no information about IP and such. So obviously something is broken there. Can you help me to fix it?

Below are the ComboFix logs. I am attaching both (from the first and second run).

1. Run:

ComboFix 11-12-12.01 - Assmann 12/12/2011 3:11.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.1022.586 [GMT -8:00]
Running from: c:\dokumente und einstellungen\Assmann\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\All Users\Anwendungsdaten\dO28300BgFaI28300
c:\dokumente und einstellungen\All Users\Anwendungsdaten\dO28300BgFaI28300\dO28300BgFaI28300
c:\dokumente und einstellungen\All Users\Anwendungsdaten\dO28300BgFaI28300\dO28300BgFaI28300.exe
c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
c:\dokumente und einstellungen\Assmann\WINDOWS
c:\windows\$NtUninstallKB65145$\1527446287
c:\windows\$NtUninstallKB65145$\3917289220\@
c:\windows\$NtUninstallKB65145$\3917289220\bckfg.tmp
c:\windows\$NtUninstallKB65145$\3917289220\cfg.ini
c:\windows\$NtUninstallKB65145$\3917289220\Desktop.ini
c:\windows\$NtUninstallKB65145$\3917289220\keywords
c:\windows\$NtUninstallKB65145$\3917289220\kwrd.dll
c:\windows\$NtUninstallKB65145$\3917289220\L\eqmrabvk
c:\windows\$NtUninstallKB65145$\3917289220\lsflt7.ver
c:\windows\$NtUninstallKB65145$\3917289220\U\00000001.@
c:\windows\$NtUninstallKB65145$\3917289220\U\00000002.@
c:\windows\$NtUninstallKB65145$\3917289220\U\00000004.@
c:\windows\$NtUninstallKB65145$\3917289220\U\80000000.@
c:\windows\$NtUninstallKB65145$\3917289220\U\80000004.@
c:\windows\$NtUninstallKB65145$\3917289220\U\80000032.@
c:\windows\IsUn0407.exe
c:\windows\unin0407.exe
c:\windows\$NtUninstallKB65145$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
.
.
2011-12-12 11:05 . 2008-04-14 01:49 188800 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-12 11:05 . 2008-04-14 01:49 188800 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-10 15:59 . 2011-12-10 15:59 -------- d-----w- c:\dokumente und einstellungen\Assmann\Anwendungsdaten\Malwarebytes
2011-12-10 15:58 . 2011-12-10 15:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2011-12-10 15:58 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 15:58 . 2011-12-10 15:58 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:34 . 2011-11-02 16:02 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-19 23:56 . 2011-11-02 16:02 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-19 23:56 . 2009-12-08 23:19 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2008-05-05 18:25 . 2008-05-05 18:25 14336 ----a-w- c:\programme\wmdmhelper.dll
2008-05-05 18:25 . 2008-05-05 18:25 692224 ----a-w- c:\programme\dtdr3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 659456 ----a-w- c:\programme\rjbres.dll
2008-05-05 18:25 . 2008-05-05 18:25 36352 ----a-w- c:\programme\ierjplug.dll
2008-05-05 18:25 . 2008-05-05 18:25 339968 ----a-w- c:\programme\rjdlg.dll
2008-05-05 18:25 . 2008-05-05 18:25 19456 ----a-w- c:\programme\rjprog.dll
2008-05-05 18:25 . 2008-05-05 18:25 139264 ----a-w- c:\programme\DUNZIP32.dll
2008-05-05 18:25 . 2008-05-05 18:25 6656 ----a-w- c:\programme\fixrjb.exe
2008-05-05 18:25 . 2008-05-05 18:25 41472 ----a-w- c:\programme\mmcdda32.dll
2008-05-05 18:25 . 2008-05-05 18:25 19456 ----a-w- c:\programme\tnetdtct.dll
2008-05-05 18:25 . 2008-05-05 18:25 81920 ----a-w- c:\programme\tsasdk.dll
2008-05-05 18:25 . 2008-05-05 18:25 57344 ----a-w- c:\programme\tpasdk.dll
2008-05-05 18:25 . 2008-05-05 18:25 32768 ----a-w- c:\programme\rpwa3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 16296 ----a-w- c:\programme\realtfon.fon
2008-05-05 18:25 . 2008-05-05 18:25 43088 ----a-w- c:\programme\rpshellsearch.dll
2008-05-05 18:25 . 2008-05-05 18:25 719360 ----a-w- c:\programme\dbghelp.dll
2008-05-05 18:25 . 2008-05-05 18:25 308856 ----a-w- c:\programme\rpbrowserrecordplugin.dll
2008-05-05 18:25 . 2008-05-05 18:25 153176 ----a-w- c:\programme\RecordingManager.exe
2008-05-05 18:25 . 2008-05-05 18:25 65536 ----a-w- c:\programme\rjwmapln.dll
2008-05-05 18:25 . 2008-05-05 18:25 53248 ----a-w- c:\programme\rpau3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 102400 ----a-w- c:\programme\HXAudioDeviceHook.dll
2008-05-05 18:25 . 2008-05-05 18:25 95816 ----a-w- c:\programme\rdsf3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 86016 ----a-w- c:\programme\rpplugprot.dll
2008-05-05 18:25 . 2008-05-05 18:25 98304 ----a-w- c:\programme\rpshellextension.dll
2008-05-05 18:25 . 2008-05-05 18:25 63040 ----a-w- c:\programme\rpshell.dll
2008-05-05 18:24 . 2008-05-05 18:24 9216 ----a-w- c:\programme\rphelperapp.exe
2008-05-05 18:24 . 2008-05-05 18:24 7168 ----a-w- c:\programme\realjbox.exe
2008-05-05 18:24 . 2008-05-05 18:24 214560 ----a-w- c:\programme\realplay.exe
2004-08-04 12:00 94800 --sh--w- c:\windows\twain.dll
2008-04-14 02:22 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:52 974848 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 02:22 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 02:22 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 02:22 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 02:22 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 02:22 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 02:22 12288 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\dokumente und einstellungen\Assmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.5\MoeMonitor.exe" [2008-12-12 1225032]
"TomTomHOME.exe"="c:\programme\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"Yahoo! Pager"="c:\programme\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SoundMAXPnP"="c:\programme\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"MagicKeyboard"="c:\programme\SAMSUNG\MagicKBD\PreMKBD.exe" [2005-04-11 151552]
"AVStation premium"="c:\programme\Samsung\AVStation premium\bin\AVStation agent.exe" [2005-07-15 200704]
"BatteryManager"="c:\programme\Samsung\Samsung Battery Manager\BatteryManager.exe" [2005-08-18 1933312]
"RemoteControl"="c:\programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-03-16 32768]
"ATIPTA"="c:\programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"DAEMON Tools-1033"="c:\programme\D-Tools\daemon.exe" [2004-08-23 81920]
"IntelliPoint"="c:\programme\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-01-09 24576]
"WinDVR SchSvr"="c:\programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\programme\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-05-19 98304]
"HP Software Update"="c:\programme\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"Malwarebytes' Anti-Malware"="c:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="c:\programme\Skype\Phone\IEPlugin\unins000.exe" [2007-04-18 674138]
.
c:\dokumente und einstellungen\Assmann\Startmenü\Programme\Autostart\
OpenOffice.org 2.2.lnk - c:\programme\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
.
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Acrobat Assistant.lnk - c:\programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-7-25 82026]
Adobe Gamma Loader.exe.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-25 110592]
Adobe Gamma Loader.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-25 110592]
AutoCAD Startup Accelerator.lnk - c:\programme\Gemeinsame Dateien\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Desktop Manager.lnk - c:\programme\Research In Motion\BlackBerry\DesktopMgr.exe [2007-1-18 1212416]
HP Digital Imaging Monitor.lnk - c:\programme\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
InterVideo WinCinema Manager.lnk - c:\programme\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-5-10 208896]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2007-6-12 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2006-02-24 19:00 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2008-12-12 00:34 22856 ----a-w- c:\programme\Live Mesh\Remote Desktop\wlcrdplauncher.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Programme\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Programme\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Programme\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"c:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\Windows Media Player\\wmplayer.exe"=
"c:\\Programme\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Dokumente und Einstellungen\\Assmann\\Lokale Einstellungen\\Anwendungsdaten\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Programme\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/2/2011 8:02 AM 36000]
R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [12/14/2006 9:30 AM 11264]
R2 AntiVirSchedulerService;Avira Scheduler;c:\programme\Avira\AntiVir Desktop\sched.exe [11/2/2011 8:02 AM 86224]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [8/30/2005 12:43 AM 4300]
R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 7:58 AM 366152]
R2 SNM WLAN Service;SNM WLAN Service;c:\programme\Samsung\Samsung Network Manager\SNMWLANService.exe [5/27/2005 10:35 PM 36864]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\programme\Live Mesh\Remote Desktop\wlcrasvc.exe [12/11/2008 4:35 PM 42824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/10/2011 7:58 AM 22216]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [12/14/2006 9:30 AM 361472]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/12/2008 10:41 PM 47360]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [12/11/2008 4:35 PM 10056]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [12/11/2008 4:35 PM 20424]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [6/8/2005 6:58 AM 17792]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [7/25/2006 11:25 AM 60688]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\drivers\avmunet.sys [12/14/2006 9:24 AM 15104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\pfc027.sys [4/8/2005 12:46 AM 162176]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [5/10/2007 4:54 PM 77824]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/1/2006 12:14 AM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/1/2006 12:14 AM 5248]
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-29 c:\windows\Tasks\HPFRU Task 2003-06-24 19:40ewlett-Packard2003-06-24 19:40p officejet 7100 series2889F2163A36016833EE17BCE444564664912314153854313.job
- c:\programme\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-24 23:10]
.
2009-11-24 c:\windows\Tasks\MTR_test.job
- c:\programme\Recorder\Recorder.exe [2009-04-05 05:24]
.
2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{B97C38B1-A2C2-4E24-BF3E-AE2AAC3C1592}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.applehostels.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = fritz.box
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_803138DCE93649E4.dll/cmsidewiki.html
TCP: Interfaces\{007875EF-5B48-4130-9782-E321DE012D01}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{2FC4A583-D2CE-4B49-B3B2-68D84B25776C}: NameServer = 208.67.222.222,208.67.220.220
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.0.10/xplugLiteDL.cab
FF - ProfilePath - c:\dokumente und einstellungen\Assmann\Anwendungsdaten\Mozilla\Firefox\Profiles\ghajluwv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\programme\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-dO28300BgFaI28300 - c:\dokumente und einstellungen\All Users\Anwendungsdaten\dO28300BgFaI28300\dO28300BgFaI28300.exe
HKLM-Run-farstone - (no file)
HKU-Default-Run-dO28300BgFaI28300 - c:\dokumente und einstellungen\All Users\Anwendungsdaten\dO28300BgFaI28300\dO28300BgFaI28300.exe
AddRemove-Adobe InDesign 1.5 - c:\windows\ISUN0407.EXE
AddRemove-Adobe InDesign 2.0 - c:\windows\ISUN0407.EXE
AddRemove-Adobe Photoshop 6.0 - c:\windows\ISUN0407.EXE
AddRemove-Adobe Photoshop 7.0 - c:\windows\IsUn0407.exe
AddRemove-Adobe Photoshop 7.0.1 - c:\windows\ISUN0407.EXE
AddRemove-FRITZ!DSL - c:\windows\IsUn0407.exe
AddRemove-HP Fotodruck-Programm - c:\windows\IsUn0407.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-12 03:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2648)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\dokumente und einstellungen\Assmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\programme\SAMSUNG\MagicKBD\MagicKBD.exe
c:\programme\OpenOffice.org 2.2\program\soffice.exe
c:\programme\OpenOffice.org 2.2\program\soffice.BIN
c:\programme\Gemeinsame Dateien\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\programme\Gemeinsame Dateien\Research In Motion\USB Drivers\BbDevMgr.exe
c:\programme\HP\Digital Imaging\bin\hpqnrs08.exe
c:\windows\system32\dwwin.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\FRITZ!DSL\IGDCTRL.EXE
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\PAStiSvc.exe
c:\programme\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2011-12-12 03:59:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-12 11:59
.
Pre-Run: 8,486,674,432 Bytes frei
Post-Run: 43 Verzeichnis(se), 11,871,858,688 Bytes frei
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8B04CB5D2BDF046EC0608C4F50FDE845




2. RUN:

ComboFix 11-12-12.01 - Assmann 12/12/2011 4:22.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.1022.529 [GMT -8:00]
Running from: c:\dokumente und einstellungen\Assmann\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
.
.
2011-12-12 11:05 . 2008-04-14 01:49 188800 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-12 11:05 . 2008-04-14 01:49 188800 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-10 15:59 . 2011-12-10 15:59 -------- d-----w- c:\dokumente und einstellungen\Assmann\Anwendungsdaten\Malwarebytes
2011-12-10 15:58 . 2011-12-10 15:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2011-12-10 15:58 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 15:58 . 2011-12-10 15:58 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:34 . 2011-11-02 16:02 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-19 23:56 . 2011-11-02 16:02 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-19 23:56 . 2009-12-08 23:19 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2008-05-05 18:25 . 2008-05-05 18:25 14336 ----a-w- c:\programme\wmdmhelper.dll
2008-05-05 18:25 . 2008-05-05 18:25 692224 ----a-w- c:\programme\dtdr3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 659456 ----a-w- c:\programme\rjbres.dll
2008-05-05 18:25 . 2008-05-05 18:25 36352 ----a-w- c:\programme\ierjplug.dll
2008-05-05 18:25 . 2008-05-05 18:25 339968 ----a-w- c:\programme\rjdlg.dll
2008-05-05 18:25 . 2008-05-05 18:25 19456 ----a-w- c:\programme\rjprog.dll
2008-05-05 18:25 . 2008-05-05 18:25 139264 ----a-w- c:\programme\DUNZIP32.dll
2008-05-05 18:25 . 2008-05-05 18:25 6656 ----a-w- c:\programme\fixrjb.exe
2008-05-05 18:25 . 2008-05-05 18:25 41472 ----a-w- c:\programme\mmcdda32.dll
2008-05-05 18:25 . 2008-05-05 18:25 19456 ----a-w- c:\programme\tnetdtct.dll
2008-05-05 18:25 . 2008-05-05 18:25 81920 ----a-w- c:\programme\tsasdk.dll
2008-05-05 18:25 . 2008-05-05 18:25 57344 ----a-w- c:\programme\tpasdk.dll
2008-05-05 18:25 . 2008-05-05 18:25 32768 ----a-w- c:\programme\rpwa3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 16296 ----a-w- c:\programme\realtfon.fon
2008-05-05 18:25 . 2008-05-05 18:25 43088 ----a-w- c:\programme\rpshellsearch.dll
2008-05-05 18:25 . 2008-05-05 18:25 719360 ----a-w- c:\programme\dbghelp.dll
2008-05-05 18:25 . 2008-05-05 18:25 308856 ----a-w- c:\programme\rpbrowserrecordplugin.dll
2008-05-05 18:25 . 2008-05-05 18:25 153176 ----a-w- c:\programme\RecordingManager.exe
2008-05-05 18:25 . 2008-05-05 18:25 65536 ----a-w- c:\programme\rjwmapln.dll
2008-05-05 18:25 . 2008-05-05 18:25 53248 ----a-w- c:\programme\rpau3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 102400 ----a-w- c:\programme\HXAudioDeviceHook.dll
2008-05-05 18:25 . 2008-05-05 18:25 95816 ----a-w- c:\programme\rdsf3260.dll
2008-05-05 18:25 . 2008-05-05 18:25 86016 ----a-w- c:\programme\rpplugprot.dll
2008-05-05 18:25 . 2008-05-05 18:25 98304 ----a-w- c:\programme\rpshellextension.dll
2008-05-05 18:25 . 2008-05-05 18:25 63040 ----a-w- c:\programme\rpshell.dll
2008-05-05 18:24 . 2008-05-05 18:24 9216 ----a-w- c:\programme\rphelperapp.exe
2008-05-05 18:24 . 2008-05-05 18:24 7168 ----a-w- c:\programme\realjbox.exe
2008-05-05 18:24 . 2008-05-05 18:24 214560 ----a-w- c:\programme\realplay.exe
2004-08-04 12:00 94800 --sh--w- c:\windows\twain.dll
2008-04-14 02:22 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:52 974848 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 02:22 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 02:22 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 02:22 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 02:22 12288 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-12_11.49.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-12 12:07 . 2011-12-12 12:07 16384 c:\windows\Temp\Perflib_Perfdata_b0c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\dokumente und einstellungen\Assmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.5\MoeMonitor.exe" [2008-12-12 1225032]
"TomTomHOME.exe"="c:\programme\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"Yahoo! Pager"="c:\programme\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SoundMAXPnP"="c:\programme\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"MagicKeyboard"="c:\programme\SAMSUNG\MagicKBD\PreMKBD.exe" [2005-04-11 151552]
"AVStation premium"="c:\programme\Samsung\AVStation premium\bin\AVStation agent.exe" [2005-07-15 200704]
"BatteryManager"="c:\programme\Samsung\Samsung Battery Manager\BatteryManager.exe" [2005-08-18 1933312]
"RemoteControl"="c:\programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-03-16 32768]
"ATIPTA"="c:\programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"DAEMON Tools-1033"="c:\programme\D-Tools\daemon.exe" [2004-08-23 81920]
"IntelliPoint"="c:\programme\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-01-09 24576]
"WinDVR SchSvr"="c:\programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\programme\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-05-19 98304]
"HP Software Update"="c:\programme\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"Malwarebytes' Anti-Malware"="c:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="c:\programme\Skype\Phone\IEPlugin\unins000.exe" [2007-04-18 674138]
.
c:\dokumente und einstellungen\Assmann\Startmenü\Programme\Autostart\
OpenOffice.org 2.2.lnk - c:\programme\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
.
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Acrobat Assistant.lnk - c:\programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-7-25 82026]
Adobe Gamma Loader.exe.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-25 110592]
Adobe Gamma Loader.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-25 110592]
AutoCAD Startup Accelerator.lnk - c:\programme\Gemeinsame Dateien\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Desktop Manager.lnk - c:\programme\Research In Motion\BlackBerry\DesktopMgr.exe [2007-1-18 1212416]
HP Digital Imaging Monitor.lnk - c:\programme\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
InterVideo WinCinema Manager.lnk - c:\programme\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-5-10 208896]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Palo Alto Software Update Manager 9.0.lnk - c:\windows\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2007-6-12 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2006-02-24 19:00 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2008-12-12 00:34 22856 ----a-w- c:\programme\Live Mesh\Remote Desktop\wlcrdplauncher.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Programme\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Programme\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Programme\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"c:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\Windows Media Player\\wmplayer.exe"=
"c:\\Programme\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Dokumente und Einstellungen\\Assmann\\Lokale Einstellungen\\Anwendungsdaten\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Programme\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/2/2011 8:02 AM 36000]
R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [12/14/2006 9:30 AM 11264]
R2 AntiVirSchedulerService;Avira Scheduler;c:\programme\Avira\AntiVir Desktop\sched.exe [11/2/2011 8:02 AM 86224]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [8/30/2005 12:43 AM 4300]
R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 7:58 AM 366152]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\programme\Live Mesh\Remote Desktop\wlcrasvc.exe [12/11/2008 4:35 PM 42824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/10/2011 7:58 AM 22216]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [12/14/2006 9:30 AM 361472]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/12/2008 10:41 PM 47360]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [12/11/2008 4:35 PM 10056]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [12/11/2008 4:35 PM 20424]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [6/8/2005 6:58 AM 17792]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [7/25/2006 11:25 AM 60688]
S2 SNM WLAN Service;SNM WLAN Service;c:\programme\Samsung\Samsung Network Manager\SNMWLANService.exe [5/27/2005 10:35 PM 36864]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\drivers\avmunet.sys [12/14/2006 9:24 AM 15104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\pfc027.sys [4/8/2005 12:46 AM 162176]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [5/10/2007 4:54 PM 77824]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/1/2006 12:14 AM 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/1/2006 12:14 AM 5248]
.
Contents of the 'Scheduled Tasks' folder
.
2006-10-29 c:\windows\Tasks\HPFRU Task 2003-06-24 19:40ewlett-Packard2003-06-24 19:40p officejet 7100 series2889F2163A36016833EE17BCE444564664912314153854313.job
- c:\programme\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-24 23:10]
.
2009-11-24 c:\windows\Tasks\MTR_test.job
- c:\programme\Recorder\Recorder.exe [2009-04-05 05:24]
.
2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{B97C38B1-A2C2-4E24-BF3E-AE2AAC3C1592}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.applehostels.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://de.yahoo.com
uInternet Settings,ProxyOverride = fritz.box
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_803138DCE93649E4.dll/cmsidewiki.html
TCP: Interfaces\{007875EF-5B48-4130-9782-E321DE012D01}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{2FC4A583-D2CE-4B49-B3B2-68D84B25776C}: NameServer = 208.67.222.222,208.67.220.220
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.0.10/xplugLiteDL.cab
FF - ProfilePath - c:\dokumente und einstellungen\Assmann\Anwendungsdaten\Mozilla\Firefox\Profiles\ghajluwv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\programme\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-12 04:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1240)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-12 04:45:16
ComboFix-quarantined-files.txt 2011-12-12 12:45
.
Pre-Run: 42 Verzeichnis(se), 11,881,836,544 Bytes frei
Post-Run: 43 Verzeichnis(se), 11,864,928,256 Bytes frei
.
- - End Of File - - 50EE28AFA3794970E9B4A574DA4B01C0


Thanks again for your help!

#4 HOPE1974

Posted 12 December 2011 - 08:20 AM

Just wanted to add that Avira is showing me a message: Malware found. A virus or unwanted program TR/Rootkit.Gen2 was found in file C:\WINDOWS\system32\drivers\IPSec.sys

Any idea what to do about this?

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 December 2011 - 08:31 AM

Hello


Don't let Avira do anything with that file - most likely that is what is going on with the internet, but let's check a few things first

Let's try this to get you back online, let me know if it works

Download and run WinSockFix. This is a two step process that will Back up the Registry and Reset the Winsock Stack.
  • Double click on WinsockXPFix.exe to open.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.
  • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
  • You should have connectivity restored.
If you have internet back come back and let me know if not go to next step

Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Click "Finish" and LSPfix will restore the chain numbers.
  • Restart the computer.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 HOPE1974

Posted 12 December 2011 - 08:50 AM

After pressing Yes on the folder does not exist question I get following error message: Error saving file C:\ERDNT\SECURITY ! Continue with next file?

What do you want me to do here? Yes or No?

#7 HOPE1974

Posted 12 December 2011 - 09:15 AM

Or do you just want me to use the other tool (LSPfix)?

#8 HOPE1974

Posted 12 December 2011 - 09:16 AM

.

Edited by HOPE1974, 12 December 2011 - 09:18 AM.


#9 gringo_pr

Posted 13 December 2011 - 12:19 AM

click ok on the error and keep going



gringo

#10 HOPE1974

Posted 13 December 2011 - 10:20 AM

Hi Gringo,

I ran WinsockFix as described. As I said, I had several error messages backing up the registry, but the repair went through ok. I still was not able to connect to the Internet afterwards though.

I ran LSPFix. It said that nothing needed to be repaired. I restarted afterwards anyway and unfortunately I am still unable to connect to the Internet.

Can you please help me further?

Thanks a lot.

#11 HOPE1974

Posted 13 December 2011 - 10:39 AM

I also wanted to let you know that I am unable to turn the Windows Firewall on. It says that the service can not be started.

#12 gringo_pr

Posted 13 December 2011 - 01:51 PM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#13 HOPE1974

Posted 13 December 2011 - 08:58 PM

Here is the FSS log:

Farbar Service Scanner
Ran by Assmann (administrator) on 13-12-2011 at 17:45:26
Microsoft Windows XP Home Edition Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2005-08-30 09:19] - [2008-04-13 18:23] - 0014336 ____A (Microsoft Corporation) 4FBC75B74479C7A6F829E0CA19DF3366

C:\WINDOWS\system32\rpcss.dll
[2005-08-30 09:18] - [2009-02-09 02:51] - 0401408 ____A (Microsoft Corporation) 3127AFBF2C1ED0AB14A1BBB7AAECB85B

C:\WINDOWS\system32\services.exe
[2005-08-30 09:19] - [2009-02-09 03:21] - 0111104 ____A (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC

C:\WINDOWS\system32\dhcpcsvc.dll
[2005-08-30 09:18] - [2008-04-13 18:22] - 0127488 ____A (Microsoft Corporation) C29A1C9B75BA38FA37F8C44405DEC360

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2005-08-30 09:18] - [2008-04-13 11:19] - 0075264 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\WINDOWS\system32\dnsrslvr.dll
[2005-08-30 09:18] - [2008-04-13 18:22] - 0045568 ____A (Microsoft Corporation) 8C9ED3B2834AAE63081AB2DA831C6FE9


Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:58 AM

Posted 13 December 2011 - 09:15 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
ipsec.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#15 HOPE1974

HOPE1974
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 13 December 2011 - 09:29 PM

Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:22 on 13/12/2011 by Assmann
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [00:44 11/12/2008] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [17:18 30/08/2005] [19:19 13/04/2008] (Unable to calculate MD5)

-= EOF =-
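The two logs above carry the evidence the helper is reading. FSS reports the networking services (Dhcp, Dnscache, Tcpip) stopped, localhost blocked, and C:\WINDOWS\system32\Drivers\ipsec.sys with a size of 75264 bytes but an MD5 of D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes: the scanner was handed no contents when it read the file, and the version info carries no company name. SystemLook then cannot hash the live copy at all, while the copy in C:\WINDOWS\ServicePackFiles\i386 has the same size and a real hash. The script below is an added example, not a tool from this thread or from the BleepingComputer helpers: it parses FSS and SystemLook output, flags exactly those tells, and names the reference copy whose size matches the live driver. Its sample input is excerpted from the two logs posted above; the live-driver directory default and the verdict wording are my own choices.

```python
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes. A file that reports a non-zero size but hashes to this
# value was read back as empty: the scanner never saw the real on-disk bytes.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# FSS "File Check" detail line (the path is on the line before it):
#   [created] - [modified] - 0075264 ____A (Company) MD5
FSS_DETAIL = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
# SystemLook :filefind result line:
#   C:\dir\file.sys --a---- 75264 bytes [hh:mm dd/mm/yyyy] [hh:mm dd/mm/yyyy] MD5
SL_RESULT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) [-A-Za-z]{7} (?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)

# Excerpts copied from the two logs posted above (FSS in post #13, SystemLook in #15).
FSS_SAMPLE = r"""
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
Tcpip Service is not running. Checking service configuration:

File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2005-08-30 09:19] - [2008-04-13 18:23] - 0014336 ____A (Microsoft Corporation) 4FBC75B74479C7A6F829E0CA19DF3366

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2005-08-30 09:18] - [2008-04-13 11:19] - 0075264 ____A () D41D8CD98F00B204E9800998ECF8427E
"""

SL_SAMPLE = r"""
Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [00:44 11/12/2008] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [17:18 30/08/2005] [19:19 13/04/2008] (Unable to calculate MD5)
"""


def stopped_services(fss_text):
    """Names of services FSS reported as not running, e.g. ['Dhcp', 'Dnscache', 'Tcpip']."""
    return re.findall(r"^(\w+) Service is not running", fss_text, re.M)


def triage_fss(fss_text):
    """Map each path in an FSS File Check block to a list of findings (empty list = clean)."""
    findings, current = defaultdict(list), None
    for line in (l.strip() for l in fss_text.splitlines()):
        if " => " in line:                      # "C:\...\afd.sys => MD5 is legit"
            path, verdict = line.split(" => ", 1)
            findings.setdefault(path, [])
            if verdict != "MD5 is legit":
                findings[path].append("FSS verdict: " + verdict)
        elif PATH_RE.match(line):               # path line; details follow on the next line
            current = line
            findings.setdefault(current, [])
        elif current and (m := FSS_DETAIL.match(line)):
            size, md5 = int(m["size"]), m["md5"].lower()
            if size > 0 and md5 == EMPTY_MD5:
                findings[current].append(
                    "MD5 of empty input although size is %d: contents hidden from the scanner" % size)
            if not m["company"]:
                findings[current].append("no company name in version info")
    return dict(findings)


def flagged_files(fss_text):
    """Sorted paths that received at least one finding."""
    return sorted(p for p, f in triage_fss(fss_text).items() if f)


def triage_systemlook(sl_text, live_dir="C:\\WINDOWS\\system32\\drivers\\"):
    """Compare the live copy of each file SystemLook found against its other copies.

    live_dir is an assumed default (where XP keeps loaded drivers). Returns
    {basename: {"live": (size, md5) or None, "references": {path: (size, md5)},
                "verdict": str, "replace_from": [reference paths with the live size]}}.
    """
    by_name = defaultdict(list)
    for m in filter(None, (SL_RESULT.match(l.strip()) for l in sl_text.splitlines())):
        by_name[m["path"].rsplit("\\", 1)[1].lower()].append(m)
    report = {}
    for name, entries in by_name.items():
        live, refs = None, {}
        for m in entries:
            entry = (int(m["size"]), m["md5"].lower())
            if m["path"].lower().startswith(live_dir.lower()):
                live = entry
            else:
                refs[m["path"]] = entry
        same_size = [] if live is None else [p for p, (s, _) in refs.items() if s == live[0]]
        if live is None:
            verdict, candidates = "live copy not found", []
        elif not re.fullmatch(r"[0-9a-f]{32}", live[1]) or live[1] == EMPTY_MD5:
            verdict = "unreadable: scanner could not hash the live file (hidden or locked)"
            candidates = same_size
        else:
            same_hash = [p for p, (_, h) in refs.items() if h == live[1]]
            verdict = "matches " + same_hash[0] if same_hash else "differs from every reference copy"
            candidates = [] if same_hash else same_size
        report[name] = {"live": live, "references": refs, "verdict": verdict,
                        "replace_from": candidates}
    return report


if __name__ == "__main__":
    print("stopped services:", stopped_services(FSS_SAMPLE))
    print("flagged by FSS:", flagged_files(FSS_SAMPLE))
    print("SystemLook:", triage_systemlook(SL_SAMPLE)["ipsec.sys"]["verdict"])
```

Run against the excerpts, the script lists Dhcp, Dnscache and Tcpip as stopped, flags only ipsec.sys from the FSS block, and for the SystemLook output reports the live driver as unreadable with C:\WINDOWS\ServicePackFiles\i386\ipsec.sys as the same-size reference copy. The size check matters: the $NtServicePackUninstall$ copy is the pre-SP3 build (74752 bytes) and would be the wrong file to restore on an SP3 system, and a hash comparison alone cannot tell you that when the live copy cannot be hashed.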



