
Problems with Sality (Tanatos/Heur) [Solved]


  • This topic is locked

#1 Lorca (Member, 66 posts)
Hello!

I've had a rough few days with my laptop, here's why:

I have the Sality virus (or Tanatos/Heur, if you will) and just can't get rid of it.

I first noticed it when my task manager was disabled all of a sudden.
The virus has now also disabled safe mode, regedit and the task manager (I am able
to access the task manager thanks to the Task Manager Fix tool, but it only works for a few seconds,
so I have to be quick clicking Ctrl+Alt+Del).

The Rat's Cheddar tool, which should be able to enable the registry, task manager, etc., does not work.

The virus also blocks me from accessing online scanners and antivirus sites. I also have problems
getting this site to show properly.

Also not effective is the AVG Sality Removal tool rmsality.exe. (It won't start.)

I currently have these programs working on my computer: Malwarebytes' Anti-Malware and
SUPERAntispyware

I had AVG 8 for a short while on my laptop, which was able to identify it (tanatos/heur), but
unable to remove it: "file could not be healed" or something like that. I no longer have it installed.

I'm on Win XP with Service Pack 2 installed and patched.

ATF Cleaner (btw, great tool!), SysRestore, Erunt all done.

I'll post my Malwarebytes' and HijackThis logs below.

I would appreciate any advice you could give me!

Thanks!


Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 2

18.12.2008 01:35:11
mbam-log-2008-12-18 (01-35-11).txt

Scan type: Quick Scan
Objects scanned: 69941
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36:23, on 18.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\bjre.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winsnenyx.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winsxss.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online....w5_internet.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: lxcz_device - Unknown owner - C:\WINDOWS\system32\lxczcoms.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5615 bytes


#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello lorca,

Welcome to Geekstogo.

Let's see if your computer will allow you to use this.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Lorca (Topic Starter, Member, 66 posts)
Here you go!

(The log says I do not have the Recovery Console installed,
but I did not get a prompt to install it when starting ComboFix...)




ComboFix 08-12-20.03 - Ludwig 2008-12-20 22:49:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.140 [GMT -6:00]
Running from: c:\dokumente und einstellungen\Ludwig\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programme\icroso~1.net
c:\windows\system32\ahvrsbix.ini
c:\windows\system32\atbiiwvd.ini
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\bdnojunb.ini
c:\windows\system32\bskovmft.ini
c:\windows\system32\bvhocnry.ini
c:\windows\system32\ccmaojbn.ini
c:\windows\system32\cgekyslq.ini
c:\windows\system32\cifseacw.ini
c:\windows\system32\cjfyjvdo.ini
c:\windows\system32\ckcakxux.ini
c:\windows\system32\cpsjdyyr.ini
c:\windows\system32\cqtbaouh.ini
c:\windows\system32\crosof~1
c:\windows\system32\daaxkgup.ini
c:\windows\system32\dblhjece.ini
c:\windows\system32\ddvcxgfg.ini
c:\windows\system32\dgwoogge.ini
c:\windows\system32\djvgaute.ini
c:\windows\system32\dljicaks.ini
c:\windows\system32\dufdvdfs.ini
c:\windows\system32\dxieooik.ini
c:\windows\system32\dyxrsbpn.ini
c:\windows\system32\efgwknrh.ini
c:\windows\system32\eyvcanpt.ini
c:\windows\system32\foxhmphu.ini
c:\windows\system32\fpubuqaj.ini
c:\windows\system32\fvbmrtta.ini
c:\windows\system32\fwieunjs.ini
c:\windows\system32\gcndwfoa.ini
c:\windows\system32\gxnbeitq.ini
c:\windows\system32\hnuuwrfk.ini
c:\windows\system32\hqdumexu.ini
c:\windows\system32\iafiypnn.ini
c:\windows\system32\iflfcjth.ini
c:\windows\system32\igxlvelw.ini
c:\windows\system32\iijpditn.ini
c:\windows\system32\imobpiaa.ini
c:\windows\system32\ipvxgmfa.ini
c:\windows\system32\iycbimvf.ini
c:\windows\system32\jodsvnmn.ini
c:\windows\system32\jtxgorjk.ini
c:\windows\system32\kaplenet.ini
c:\windows\system32\kewfokuv.ini
c:\windows\system32\klfstncy.ini
c:\windows\system32\libkatdy.ini
c:\windows\system32\liglajbb.ini
c:\windows\system32\ljmkqjgd.ini
c:\windows\system32\llescxts.ini
c:\windows\system32\maotfgxa.ini
c:\windows\system32\merhwkcj.ini
c:\windows\system32\mnuctxsq.ini
c:\windows\system32\mveviqmq.ini
c:\windows\system32\mwsxoalq.ini
c:\windows\system32\nddkegye.ini
c:\windows\system32\npeuuvlg.ini
c:\windows\system32\nvmuannj.ini
c:\windows\system32\odnygvga.ini
c:\windows\system32\ofnilkpg.ini
c:\windows\system32\ogipelgi.ini
c:\windows\system32\ondpvflp.ini
c:\windows\system32\opmwpfod.ini
c:\windows\system32\palsrysp.ini
c:\windows\system32\paythors.ini
c:\windows\system32\pbjnytco.ini
c:\windows\system32\pvveirih.ini
c:\windows\system32\qstyjqmd.ini
c:\windows\system32\qxgtvfkg.ini
c:\windows\system32\rauxgsrf.ini
c:\windows\system32\rcitthah.ini
c:\windows\system32\rvkeohss.ini
c:\windows\system32\rwbteodj.ini
c:\windows\system32\rxsewliw.ini
c:\windows\system32\scwtiaqp.ini
c:\windows\system32\ssplcnyx.ini
c:\windows\system32\suafafyk.ini
c:\windows\system32\svpnuoiy.ini
c:\windows\system32\tbnpneqm.ini
c:\windows\system32\tkpmicbr.ini
c:\windows\system32\tnbgngtw.ini
c:\windows\system32\tqihcwdv.ini
c:\windows\system32\tqjvpujw.ini
c:\windows\system32\tusptvsq.ini
c:\windows\system32\ucvhynqr.ini
c:\windows\system32\uteymora.ini
c:\windows\system32\uuatdfca.ini
c:\windows\system32\uvampnft.ini
c:\windows\system32\uxirobtw.ini
c:\windows\system32\vccweppu.ini
c:\windows\system32\vknqhfau.ini
c:\windows\system32\vojnardw.ini
c:\windows\system32\wjhqmprs.ini
c:\windows\system32\wwmglpoi.ini
c:\windows\system32\wxtufmro.ini
c:\windows\system32\wyopbsbl.ini
c:\windows\system32\xupqvmke.ini
c:\windows\system32\xxxyypba.ini
c:\windows\system32\yjbtaajp.ini
c:\windows\system32\yoikqvsa.ini
c:\windows\system32\yppyssgf.ini
c:\windows\system32\yumwrpgt.ini
c:\windows\system32\ywspxinx.ini
c:\windows\system32\yytvsvrq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-18 01:35 . 2008-12-18 01:35 <DIR> d-------- c:\programme\Trend Micro
2008-12-18 00:27 . 2008-12-18 00:27 <DIR> d-------- c:\programme\ERUNT
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\SUPERAntiSpyware
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 15:31 . 2008-12-16 15:31 <DIR> d-------- c:\programme\AVG
2008-12-16 15:31 . 2008-12-16 19:26 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8
2008-12-16 00:32 . 2008-12-16 17:02 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 18:22 . 2008-12-15 18:22 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Google Updater
2008-12-15 17:03 . 2008-12-15 17:03 16,244 --a------ c:\windows\system32\rrt_is.wav
2008-12-15 17:03 . 2008-12-15 17:03 7,302 --a------ c:\windows\system32\rrt_vf.wav
2008-12-15 17:03 . 2008-12-15 17:03 7,148 --a------ c:\windows\system32\rrt_tv.wav
2008-12-15 17:03 . 2008-12-15 17:03 6,282 --a------ c:\windows\system32\rrt_tn.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 18:14 35,444 ----a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\wklnhst.dat
2008-12-18 06:39 --------- d-----w c:\programme\BearShare Applications
2008-12-18 06:36 29,422,344 ----a-w C:\avastsetupeng.exe
2008-12-18 06:26 791,393 ----a-w C:\erunt_setup.exe
2008-12-18 06:18 132,608 ----a-w C:\ATF_Cleaner.exe
2008-12-18 06:07 212,849 ----a-w C:\hijackthis.zip
2008-12-17 01:36 5,853,728 ----a-w C:\SUPERAntiSpyware.exe
2008-12-16 19:05 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Skype
2008-12-16 17:35 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\skypePM
2008-12-16 06:44 53,682,216 ----a-w C:\avg_free_stf_en_8_176a1399.exe
2008-12-16 06:31 2,641,800 ----a-w C:\mbam-setup.exe
2008-12-16 06:06 --------- d-----w c:\programme\AviSynth 2.5
2008-12-16 06:06 --------- d-----w c:\programme\Alarm Clock
2008-12-16 06:05 --------- d-----w c:\programme\FLV Player
2008-12-16 06:05 --------- d-----w c:\programme\eMule.de Neu
2008-12-16 06:05 --------- d-----w c:\programme\eMule
2008-12-16 06:05 --------- d-----w c:\programme\CD to MP3 Ripper
2008-12-16 06:05 --------- d-----w c:\programme\Canto Pod
2008-12-16 02:17 --------- d-----w c:\programme\Windows Live Safety Center
2008-12-16 00:42 4,035,917 ----a-w C:\ScanSpyware_3.9.1.2.exe
2008-12-16 00:31 152,576 ----a-w C:\setupeng.exe
2008-12-15 23:39 16,969 ----a-w C:\bassam.zip
2008-12-15 23:00 139,167 ----a-w C:\RRT.zip
2008-12-15 00:35 151,552 ----a-w C:\TaskManagerFix.exe
2008-12-14 21:25 --------- d-----w c:\programme\QuickTime
2008-12-14 21:25 --------- d-----w c:\programme\GSpot
2008-12-14 21:25 --------- d-----w c:\programme\Family Tree Maker 2005
2008-12-14 21:25 --------- d-----w c:\programme\Azureus
2008-11-26 02:11 --------- d-----w c:\programme\Winamp
2008-11-21 02:11 33,056 -c--a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 23:39 1,378,435 ----a-w C:\VirtualDub-1.8.6.zip
2006-06-10 14:51 47,450 -c--a-w c:\dokumente und einstellungen\Ludwig ????Anwendungsdaten\wklnhst.dat
2005-10-15 19:12 70,416 -c--a-w c:\dokumente und einstellungen\Ludwig ????\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-08-05 16:41 53,248 -c--a-w c:\windows\inf\ap561.exe
2002-11-26 21:24 32,768 -c--a-w c:\windows\inf\Remove561.exe
2002-11-22 20:56 118,784 -c--a-w c:\windows\inf\ShowBmp.exe
2002-10-29 23:07 36,864 -c--a-w c:\windows\inf\Setup8a.exe
2002-10-01 19:43 119,798 -c--a-w c:\windows\inf\spca561.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1879280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2006-10-30 326208]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 226704]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\dokumente und einstellungen\All Users.WINDOWS\Startmen\Programme\Autostart\
DSLMON.lnk - c:\programme\SAGEM\SAGEM F@st 800-840\dslmon.exe [2004-07-16 962663]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-12 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\eMule\\emule.exe"=
"c:\\Programme\\Skype\\Phone\\Skype .exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6\\ICQ.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Programme\\iTunes\\iTunesHelper.exe"=
"c:\\Programme\\Java\\jre1.6.0_07\\bin\\jucheck.exe"=
"c:\\Programme\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\system32\\CF11420.exe"=
"c:\\ComboFix\\nircmd.com"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\windskvof.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winhwve.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winildj.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\programme\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\programme\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 NwSapAgent;SAP-Agent;c:\windows\system32\svchost.exe -k netsvcs [2003-04-02 14336]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qjineh.sys []
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2006-06-11 190465]
R3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;c:\windows\system32\DRIVERS\DLKRCB.SYS [2007-07-02 25434]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2006-06-11 5817]
R3 SASENUM;SASENUM;\??\c:\programme\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.t-online.de/service/redir/tosw5_internet.htm
FF - ProfilePath - c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Mozilla\Firefox\Profiles\tigsrjm0.NeuProf\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\Mozilla Firefox\plugins\npmozax.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 22:56:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programme\iPod\bin\iPodService.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\windskvof.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winhwve.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winildj.exe
c:\programme\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-12-20 23:04:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 05:04:26

Pre-Run: 685.850.624 Bytes frei
Post-Run: 602,673,152 Bytes frei

297 --- E O F --- 2008-12-18 07:04:37

Edited by emeraldnzl, 12 January 2009 - 12:14 AM.
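As an added example (not from the thread or from any of the tools mentioned in it), here is a small Python triage script that scans ComboFix "Reg Loading Points" lines and HijackThis lines for the indicators visible in the logs above: admin tools locked out by policy, Security Center notifications overridden, the XP firewall disabled, and executables running from %Temp% or whitelisted in the firewall. The sample lines are constructed to mirror the thread's logs, and the finding category names are my own.

```python
"""Triage checks over ComboFix / HijackThis log lines for the tampering
indicators seen in this thread.  Sample input is constructed, not copied."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the "Reg Loading Points" and firewall
# sections of a ComboFix log (mirrors the thread's entries, not a verbatim copy).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\windskvof.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winhwve.exe"=
"""

# Constructed HijackThis-style lines (O4 autoruns, O7 policy, a running process).
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winsxss.exe
"""

Finding = Tuple[str, str]  # (category, detail)

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix doubles backslashes inside quoted paths, HijackThis does not; accept both.
_TEMP_EXE = re.compile(r"\\+temp\\+[^\\\s]+\.exe", re.IGNORECASE)


def _as_int(raw: str) -> Optional[int]:
    """Parse the value renderings ComboFix uses: '1 (0x1)', 'dword:00000001', or empty."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^-?\d+", raw)
    return int(m.group(0)) if m else None


def check_combofix_registry(log: str) -> List[Finding]:
    """Walk the REGEDIT4-style section of a ComboFix log and flag settings
    that match the tampering seen in this thread."""
    findings: List[Finding] = []
    section = ""
    for line in log.splitlines():
        line = line.strip()
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1).lower()   # remember which key we are under
            continue
        val = _VALUE.match(line)
        if not val:
            continue
        name, num = val.group(1), _as_int(val.group(2))
        if section.endswith(r"policies\system") and num == 1 \
                and name in ("DisableTaskMgr", "DisableRegistryTools"):
            findings.append(("admin-tool-lockout", f"{name}=1 under {section}"))
        elif "security center" in section and num == 1 \
                and (name.endswith("DisableNotify") or name.endswith("Override")):
            findings.append(("security-center-silenced", name))
        elif "firewallpolicy" in section and name == "EnableFirewall" and num == 0:
            findings.append(("firewall-disabled", section))
        elif "authorizedapplications" in section and _TEMP_EXE.search(name):
            findings.append(("temp-exe-firewall-exception", name))
    return findings


def check_hijackthis(log: str) -> List[Finding]:
    """Flag O7 registry-tool policy lines and any autorun or process in %Temp%."""
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(("admin-tool-lockout", line))
        elif _TEMP_EXE.search(line):
            findings.append(("temp-exe-autorun-or-process", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a quick overview."""
    counts: Dict[str, int] = {}
    for cat, _ in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for cat, detail in check_combofix_registry(SAMPLE_COMBOFIX) + check_hijackthis(SAMPLE_HJT):
        print(f"[{cat}] {detail}")
```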


#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Unless I am missing something, I don't see an anti-virus program or firewall on your computer.

Before we do anything else please download and install one of these good antivirus programs (these are free for personal use):
You should also have a good firewall. Choose one from these that are free for personal use:
  • Comodo Note: Comodo Firewall is no longer available as a stand-alone download and you should choose firewall only during installation.
  • PC Tools Firewall Plus
It is critical to have both a firewall and anti virus to protect your system.

Download all updates for your antivirus and then run a full scan of your computer. Save the results of the scan and then let the program fix all problems it finds. Post results of the scan back here.

#5 Lorca (Topic Starter, Member, 66 posts)
PC Tools Firewall installed successfully,
no such luck on the Antivirus programs, though.

I was able to download all of them, but couldn't install them.
Avira didn't even start up, Avast was there for a few seconds,
and then disappeared.
I was able to go through the installation process with AVG,
but at the end, I got this error message:

Local machine: installation failed
Installation:
Error: Action failed for file avgemc.exe: starting service....
Error 0x8007041d
Warning: Preparation to unload of the service avg8wd failed.
Specified file was not found.
Rollback:
Error: Action failed for file avgwd.log: restoring from backup....
Error 0x80070005 %DESTINATION% = "C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\Log\avgwd.log", %SOURCE% = "C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\Log\avgwd.log.install_backup"
Error: Action failed for file avgwdsvc.exe: stopping service....
Error 0x8007006d


Then I was prompted to restart the computer to finish the installation, which I did, but alas, AVG was not installed
when I rebooted.

Thanks for your help so far!

#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello Lorca,

Some malware will prevent anti-virus programs from running. I see that, while you don't seem to have an anti-virus running now, there are files for AVG and Avast showing in your logs, so I guess you must have had programs running in the past.

What we want once your system will accept it, is one anti-virus program. More than one will create conflict and cause you problems. In the meantime we will continue removing the bad ones causing this.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\drivers\qjineh.sys
c:\dokume~1\Ludwig\LOKALE~1\temp\windskvof.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winhwve.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winildj.exe

Driver::
abp470n5

SysRst::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7 Lorca (Topic Starter, Member, 66 posts)
Yes, I did have Antivirus programs installed in the past.
Apparently I did not remove them thoroughly enough...

I did not have Malwarebytes' Anti-Malware or SUPERAntiSpyware open,
but I left the Firewall on, hope that was OK. I closed my browser.

This time, I got the prompt to install that recovery program, but ComboFix could not connect
to the Internet. Don't know why...

Here's the log (sorry that part of it is not in English, don't know where to change that):



ComboFix 08-12-20.03 - Ludwig 2008-12-21 14:20:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.229 [GMT -6:00]
ausgeführt von:: c:\dokumente und einstellungen\Ludwig\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Ludwig\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!

FILE ::
c:\dokume~1\Ludwig\LOKALE~1\temp\windskvof.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winhwve.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winildj.exe
c:\windows\system32\drivers\qjineh.sys
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((( Dateien erstellt von 2008-11-21 bis 2008-12-21 ))))))))))))))))))))))))))))))
.

2008-12-21 00:20 . 2008-12-21 00:20 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-21 00:19 . 2008-12-21 00:19 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-21 00:19 . 2008-12-21 00:19 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-21 00:09 . 2008-12-21 00:10 22,058,104 --a------ C:\antivir_workstation_winu_en_h.exe
2008-12-20 23:58 . 2008-12-20 23:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-20 23:50 . 2008-12-20 23:50 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\PCToolsFirewallPlus
2008-12-20 23:48 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2008-12-20 23:48 . 2008-12-11 12:32 132,976 --a------ c:\windows\system32\drivers\PCTCore.sys
2008-12-20 23:48 . 2008-12-11 12:32 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2008-12-20 23:47 . 2008-12-20 23:51 <DIR> d-------- c:\programme\PC Tools Firewall Plus
2008-12-20 23:47 . 2008-12-20 23:48 <DIR> d-------- c:\programme\Gemeinsame Dateien\PC Tools
2008-12-20 23:47 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2008-12-20 23:47 . 2008-12-11 17:01 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2008-12-18 01:35 . 2008-12-18 01:35 <DIR> d-------- c:\programme\Trend Micro
2008-12-18 00:32 . 2008-12-18 00:36 29,504,264 --a------ C:\palimpalim.exe
2008-12-18 00:27 . 2008-12-18 00:27 <DIR> d-------- c:\programme\ERUNT
2008-12-18 00:26 . 2008-12-18 00:26 791,393 --a------ C:\erunt_setup.exe
2008-12-18 00:18 . 2008-12-18 00:18 132,608 --a------ C:\ATF_Cleaner.exe
2008-12-18 00:07 . 2008-12-18 00:07 212,849 --a------ C:\hijackthis.zip
2008-12-17 23:22 . 2008-12-17 23:23 <DIR> d-------- C:\HJT
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\SUPERAntiSpyware
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 19:35 . 2008-12-16 19:36 5,853,728 --a------ C:\SUPERAntiSpyware.exe
2008-12-16 15:54 . 2008-12-16 16:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-16 15:31 . 2008-12-16 15:31 <DIR> d-------- c:\programme\AVG
2008-12-16 15:31 . 2008-12-21 00:20 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8
2008-12-16 00:43 . 2008-12-16 00:44 53,682,216 --a------ C:\avg_free_stf_en_8_176a1399.exe
2008-12-16 00:32 . 2008-12-16 17:02 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 00:31 . 2008-12-16 00:31 2,641,800 --a------ C:\mbam-setup.exe
2008-12-15 18:41 . 2008-12-15 18:42 4,035,917 --a------ C:\ScanSpyware_3.9.1.2.exe
2008-12-15 18:30 . 2008-12-15 18:31 152,576 --a------ C:\setupeng.exe
2008-12-15 18:22 . 2008-12-15 18:22 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Google Updater
2008-12-15 17:39 . 2008-12-15 17:39 16,969 --a------ C:\bassam.zip
2008-12-15 17:01 . 2008-11-02 15:13 14,876 --a------ C:\pad_file.xml
2008-12-15 17:01 . 2008-11-02 15:13 6,742 --a------ C:\info.htm
2008-12-15 17:00 . 2008-12-15 17:00 139,167 --a------ C:\RRT.zip
2008-12-14 18:35 . 2008-12-14 18:35 151,552 --a------ C:\TaskManagerFix.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 20:32 --------- d---a-w c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\TEMP
2008-12-21 20:14 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Skype
2008-12-21 18:21 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\skypePM
2008-12-21 05:57 --------- d-----w c:\programme\Java
2008-12-18 18:14 35,444 ----a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\wklnhst.dat
2008-12-18 06:39 --------- d-----w c:\programme\BearShare Applications
2008-12-16 06:06 --------- d-----w c:\programme\AviSynth 2.5
2008-12-16 06:06 --------- d-----w c:\programme\Alarm Clock
2008-12-16 06:05 --------- d-----w c:\programme\FLV Player
2008-12-16 06:05 --------- d-----w c:\programme\eMule.de Neu
2008-12-16 06:05 --------- d-----w c:\programme\eMule
2008-12-16 06:05 --------- d-----w c:\programme\CD to MP3 Ripper
2008-12-16 06:05 --------- d-----w c:\programme\Canto Pod
2008-12-16 02:17 --------- d-----w c:\programme\Windows Live Safety Center
2008-12-14 21:25 --------- d-----w c:\programme\QuickTime
2008-12-14 21:25 --------- d-----w c:\programme\GSpot
2008-12-14 21:25 --------- d-----w c:\programme\Family Tree Maker 2005
2008-12-14 21:25 --------- d-----w c:\programme\Azureus
2008-11-26 02:11 --------- d-----w c:\programme\Winamp
2008-11-21 02:11 33,056 -c--a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 23:39 1,378,435 ----a-w C:\VirtualDub-1.8.6.zip
2006-06-10 14:51 47,450 -c--a-w c:\dokumente und einstellungen\Ludwig ?????\Anwendungsdaten\wklnhst.dat
2005-10-15 19:12 70,416 -c--a-w c:\dokumente und einstellungen\Ludwig ?????\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-08-05 16:41 53,248 -c--a-w c:\windows\inf\ap561.exe
2002-11-26 21:24 32,768 -c--a-w c:\windows\inf\Remove561.exe
2002-11-22 20:56 118,784 -c--a-w c:\windows\inf\ShowBmp.exe
2002-10-29 23:07 36,864 -c--a-w c:\windows\inf\Setup8a.exe
2002-10-01 19:43 119,798 -c--a-w c:\windows\inf\spca561.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_23.00.48.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 06:19:55 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2008-06-10 06:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-21 05:57:34 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-21 05:57:34 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-21 05:57:34 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-21 20:31:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_66c.dat
+ 2008-12-21 20:33:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_a14.dat
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2006-10-30 326208]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2008-12-20 218520]
"00PCTFW"="c:\programme\PC Tools Firewall Plus\FirewallGUI.exe" [2008-12-11 2832280]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\dokumente und einstellungen\All Users.WINDOWS\Startmen\Programme\Autostart\
DSLMON.lnk - c:\programme\SAGEM\SAGEM F@st 800-840\dslmon.exe [2004-07-16 962663]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-12 151552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\eMule\\emule.exe"=
"c:\\Programme\\Skype\\Phone\\Skype .exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6\\ICQ.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Programme\\iTunes\\iTunesHelper.exe"=
"c:\\Programme\\Java\\jre1.6.0_07\\bin\\jucheck.exe"=
"c:\\Programme\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\ComboFix\\nircmd.com"=
"c:\\WINDOWS\\system32\\CF29587.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winvtbk.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winarqdk.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-21 97928]
R1 pctgntdi;pctgntdi;\??\c:\windows\system32\drivers\pctgntdi.sys [2008-12-20 159600]
R1 SASDIFSV;SASDIFSV;\??\c:\programme\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\programme\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-21 305432]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-21 76040]
R2 NwSapAgent;SAP-Agent;c:\windows\system32\svchost.exe -k netsvcs [2003-04-02 14336]
R2 PCTAppEvent;PCTAppEvent Driver;\??\c:\windows\system32\drivers\PCTAppEvent.sys [2008-12-20 73840]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2006-06-11 190465]
R3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;c:\windows\system32\DRIVERS\DLKRCB.SYS [2007-07-02 25434]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2006-06-11 5817]
R3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys [2008-12-20 95640]
S3 SASENUM;SASENUM;\??\c:\programme\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

*Newly Created Service* - ABP470N5
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.t-online.de/service/redir/tosw5_internet.htm
FF - ProfilePath - c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Mozilla\Firefox\Profiles\tigsrjm0.NeuProf\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\Mozilla Firefox\plugins\npmozax.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:32:05
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...


c:\windows\wiaservc.log 50 bytes
c:\windows\WindowsUpdate.log
c:\windows\Sti_Trace.log 0 bytes

Scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programme\iPod\bin\iPodService.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winvtbk.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winarqdk.exe
c:\windows\system32\netsh.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:40:58 - PC was rebooted
ComboFix-quarantined-files.txt 2008-12-21 20:40:53
ComboFix2.txt 2008-12-21 05:04:30

Before scan: 332,906,496 bytes free
After scan: 309,387,264 bytes free

244 --- E O F --- 2008-12-18 07:04:37

Edited by emeraldnzl, 12 January 2009 - 12:24 AM.

#8 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

This time, I got the prompt to install that recovery program, but ComboFix could not connect
to the Internet. Don't know why...


Most likely your firewall.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\$AVG8.VAULT$

Folder::
c:\programme\AVG


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE) 1.6.0_7 or later.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Now go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • ComboFix.txt
  • Kaspersky scan results

#9 Lorca (Topic Starter, Member, 66 posts)
I've done ComboFix, and this time the recovery console installed successfully.
The log is posted below.

(Btw, on every startup, I now see this error message from the firewall:
"Error while unpacking, code LP5. Please report to author.")

I also have the latest version of Java.

I unfortunately was not able to access the Kaspersky website. Other websites work fine,
so I guess that the virus is blocking it.


ComboFix 08-12-20.03 - Ludwig 2008-12-21 16:15:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.285 [GMT -6:00]
run from:: c:\dokumente und einstellungen\Ludwig\Desktop\ComboFix.exe
Command switches used :: c:\dokumente und einstellungen\Ludwig\Desktop\CFScript.txt
* New restore point created

FILE ::
C:\$AVG8.VAULT$
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programme\AVG
c:\programme\AVG\AVG8\avg.snu
c:\programme\AVG\AVG8\avg7api.dll
c:\programme\AVG\AVG8\avg8us.lng
c:\programme\AVG\AVG8\avgapix.dll
c:\programme\AVG\AVG8\avgcfgx.dll
c:\programme\AVG\AVG8\avgcorex.dll
c:\programme\AVG\AVG8\avgcrlpx.dll
c:\programme\AVG\AVG8\avginet.dll
c:\programme\AVG\AVG8\avgiproxy.exe
c:\programme\AVG\AVG8\avglngx.dll
c:\programme\AVG\AVG8\avglogx.dll
c:\programme\AVG\AVG8\avgmvflx.dll
c:\programme\AVG\AVG8\avgrsx.exe
c:\programme\AVG\AVG8\avgscanx.dll
c:\programme\AVG\AVG8\avgsched.dll
c:\programme\AVG\AVG8\avgsrmax.exe
c:\programme\AVG\AVG8\avgupd.dll
c:\programme\AVG\AVG8\avgupd.exe
c:\programme\AVG\AVG8\avgvvx.dll
c:\programme\AVG\AVG8\avgwd.dll
c:\programme\AVG\AVG8\avgwdsvc.exe
c:\programme\AVG\AVG8\avgwdwsc.dll
c:\programme\AVG\AVG8\avgxpl.dll
c:\programme\AVG\AVG8\cfg\mail.cfg
c:\programme\AVG\AVG8\cfg\sched.cfg
c:\programme\AVG\AVG8\dfncfg.dat
c:\programme\AVG\AVG8\fixcfg.exe
c:\programme\AVG\AVG8\log\history.xml

.
((((((((((((((((((((((( Files created from 2008-11-21 to 2008-12-21 ))))))))))))))))))))))))))))))
.

2008-12-21 00:20 . 2008-12-21 00:20 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-21 00:19 . 2008-12-21 00:19 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-21 00:19 . 2008-12-21 00:19 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-21 00:09 . 2008-12-21 00:10 22,058,104 --a------ C:\antivir_workstation_winu_en_h.exe
2008-12-20 23:58 . 2008-12-20 23:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-20 23:50 . 2008-12-20 23:50 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\PCToolsFirewallPlus
2008-12-20 23:48 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2008-12-20 23:48 . 2008-12-11 12:32 132,976 --a------ c:\windows\system32\drivers\PCTCore.sys
2008-12-20 23:48 . 2008-12-11 12:32 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2008-12-20 23:47 . 2008-12-20 23:51 <DIR> d-------- c:\programme\PC Tools Firewall Plus
2008-12-20 23:47 . 2008-12-20 23:48 <DIR> d-------- c:\programme\Gemeinsame Dateien\PC Tools
2008-12-20 23:47 . 2008-09-22 12:29 97,408 --a------ c:\windows\system32\drivers\pctfw.sys
2008-12-20 23:47 . 2008-12-11 17:01 95,640 --a------ c:\windows\system32\drivers\pctplfw.sys
2008-12-18 01:35 . 2008-12-18 01:35 <DIR> d-------- c:\programme\Trend Micro
2008-12-18 00:32 . 2008-12-18 00:36 29,504,264 --a------ C:\palimpalim.exe
2008-12-18 00:27 . 2008-12-18 00:27 <DIR> d-------- c:\programme\ERUNT
2008-12-18 00:26 . 2008-12-18 00:26 791,393 --a------ C:\erunt_setup.exe
2008-12-18 00:18 . 2008-12-18 00:18 132,608 --a------ C:\ATF_Cleaner.exe
2008-12-18 00:07 . 2008-12-18 00:07 212,849 --a------ C:\hijackthis.zip
2008-12-17 23:22 . 2008-12-17 23:23 <DIR> d-------- C:\HJT
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\SUPERAntiSpyware
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 19:53 . 2008-12-16 19:53 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\SUPERAntiSpyware.com
2008-12-16 19:35 . 2008-12-16 19:36 5,853,728 --a------ C:\SUPERAntiSpyware.exe
2008-12-16 15:54 . 2008-12-16 16:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-16 15:31 . 2008-12-21 00:20 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8
2008-12-16 00:43 . 2008-12-16 00:44 53,682,216 --a------ C:\avg_free_stf_en_8_176a1399.exe
2008-12-16 00:32 . 2008-12-16 17:02 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-16 00:32 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Malwarebytes
2008-12-16 00:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 00:31 . 2008-12-16 00:31 2,641,800 --a------ C:\mbam-setup.exe
2008-12-15 18:41 . 2008-12-15 18:42 4,035,917 --a------ C:\ScanSpyware_3.9.1.2.exe
2008-12-15 18:30 . 2008-12-15 18:31 152,576 --a------ C:\setupeng.exe
2008-12-15 18:22 . 2008-12-15 18:22 <DIR> d-------- c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\Google Updater
2008-12-15 17:39 . 2008-12-15 17:39 16,969 --a------ C:\bassam.zip
2008-12-15 17:01 . 2008-11-02 15:13 14,876 --a------ C:\pad_file.xml
2008-12-15 17:01 . 2008-11-02 15:13 6,742 --a------ C:\info.htm
2008-12-15 17:00 . 2008-12-15 17:00 139,167 --a------ C:\RRT.zip
2008-12-14 18:35 . 2008-12-14 18:35 151,552 --a------ C:\TaskManagerFix.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 22:19 --------- d---a-w c:\dokumente und einstellungen\All Users.WINDOWS\Anwendungsdaten\TEMP
2008-12-21 20:14 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Skype
2008-12-21 18:21 --------- d-----w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\skypePM
2008-12-21 05:57 --------- d-----w c:\programme\Java
2008-12-18 18:14 35,444 ----a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\wklnhst.dat
2008-12-18 06:39 --------- d-----w c:\programme\BearShare Applications
2008-12-16 06:06 --------- d-----w c:\programme\AviSynth 2.5
2008-12-16 06:06 --------- d-----w c:\programme\Alarm Clock
2008-12-16 06:05 --------- d-----w c:\programme\FLV Player
2008-12-16 06:05 --------- d-----w c:\programme\eMule.de Neu
2008-12-16 06:05 --------- d-----w c:\programme\eMule
2008-12-16 06:05 --------- d-----w c:\programme\CD to MP3 Ripper
2008-12-16 06:05 --------- d-----w c:\programme\Canto Pod
2008-12-16 02:17 --------- d-----w c:\programme\Windows Live Safety Center
2008-12-14 21:25 --------- d-----w c:\programme\QuickTime
2008-12-14 21:25 --------- d-----w c:\programme\GSpot
2008-12-14 21:25 --------- d-----w c:\programme\Family Tree Maker 2005
2008-12-14 21:25 --------- d-----w c:\programme\Azureus
2008-11-26 02:11 --------- d-----w c:\programme\Winamp
2008-11-21 02:11 33,056 -c--a-w c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 23:39 1,378,435 ----a-w C:\VirtualDub-1.8.6.zip
2006-06-10 14:51 47,450 -c--a-w c:\dokumente und einstellungen\Ludwig ?????\Anwendungsdaten\wklnhst.dat
2005-10-15 19:12 70,416 -c--a-w c:\dokumente und einstellungen\Ludwig ????? Weber\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-08-05 16:41 53,248 -c--a-w c:\windows\inf\ap561.exe
2002-11-26 21:24 32,768 -c--a-w c:\windows\inf\Remove561.exe
2002-11-22 20:56 118,784 -c--a-w c:\windows\inf\ShowBmp.exe
2002-10-29 23:07 36,864 -c--a-w c:\windows\inf\Setup8a.exe
2002-10-01 19:43 119,798 -c--a-w c:\windows\inf\spca561.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_23.00.48.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 06:19:55 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2008-06-10 06:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-21 05:57:34 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-21 05:57:34 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-21 05:57:34 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-21 22:19:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_73c.dat
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2006-10-30 326208]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2008-12-20 218520]
"00PCTFW"="c:\programme\PC Tools Firewall Plus\FirewallGUI.exe" [2008-12-11 2832280]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\dokumente und einstellungen\All Users.WINDOWS\Startmen\Programme\Autostart\
DSLMON.lnk - c:\programme\SAGEM\SAGEM F@st 800-840\dslmon.exe [2004-07-16 962663]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-12 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\eMule\\emule.exe"=
"c:\\Programme\\Skype\\Phone\\Skype .exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6\\ICQ.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Programme\\iTunes\\iTunesHelper.exe"=
"c:\\Programme\\Java\\jre1.6.0_07\\bin\\jucheck.exe"=
"c:\\Programme\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\ComboFix\\nircmd.com"=
"c:\\Programme\\SAGEM\\SAGEM F@st 800-840\\dslmon.exe"=
"c:\\WINDOWS\\system32\\CF18767.exe"=
"c:\\Programme\\PC Tools Firewall Plus\\FirewallGUI.exe"=
"c:\\Programme\\Java\\jre6\\bin\\jusched.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winykye.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\wintmeck.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-21 97928]
R1 pctgntdi;pctgntdi;\??\c:\windows\system32\drivers\pctgntdi.sys [2008-12-20 159600]
R1 SASDIFSV;SASDIFSV;\??\c:\programme\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\programme\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-21 76040]
R2 PCTAppEvent;PCTAppEvent Driver;\??\c:\windows\system32\drivers\PCTAppEvent.sys [2008-12-20 73840]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qjineh.sys []
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2006-06-11 190465]
R3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;c:\windows\system32\DRIVERS\DLKRCB.SYS [2007-07-02 25434]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2006-06-11 5817]
R3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys [2008-12-20 95640]
S3 SASENUM;SASENUM;\??\c:\programme\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.t-online.de/service/redir/tosw5_internet.htm
FF - ProfilePath - c:\dokumente und einstellungen\Ludwig\Anwendungsdaten\Mozilla\Firefox\Profiles\tigsrjm0.NeuProf\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\programme\Mozilla Firefox\plugins\npmozax.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\programme\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:18:56
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programme\iPod\bin\iPodService.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\winykye.exe
c:\dokume~1\Ludwig\LOKALE~1\temp\wintmeck.exe
.
**************************************************************************
.
Completion time: 2008-12-21 16:30:57 - PC was rebooted
ComboFix-quarantined-files.txt 2008-12-21 22:30:53
ComboFix2.txt 2008-12-21 20:41:01
ComboFix3.txt 2008-12-21 05:04:30

Before scan: 277,131,264 bytes free
After scan: 268,824,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

262 --- E O F --- 2008-12-18 07:04:37

Edited by emeraldnzl, 12 January 2009 - 12:23 AM.
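Reading the two ComboFix logs side by side shows what the helper is chasing: the HKCU policy values that disable Task Manager and regedit, Security Center notifications overridden, the Windows Firewall switched off, random-named executables in the user's Temp folder that are both running and whitelisted in the firewall's AuthorizedApplications list (winvtbk.exe and winarqdk.exe in the first log, winykye.exe and wintmeck.exe in the second, so the names change between runs), and the abp470n5 service that ComboFix deleted in the first run back again in the second, pointing at a driver file it cannot stat (the empty [] after qjineh.sys). The script below is an added example, not part of the original post and not ComboFix's own code: it parses those sections of a ComboFix log and reports the indicators, using shortened excerpts of the two logs above as its input. The function names and the shape of its output are this example's own.

```python
"""Triage a ComboFix log for the tampering indicators discussed in the thread above.
Added example, not part of the original post and not ComboFix's own code; the two
excerpts are shortened copies of lines from the logs posted in this thread."""
import re

# Excerpt of the first log: %TEMP% executables whitelisted in the Windows Firewall.
EARLIER_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winvtbk.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winarqdk.exe"=
"""

# Excerpt of the second log, one ComboFix run later.
LATER_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\winykye.exe"=
"c:\\DOKUME~1\\Ludwig\\LOKALE~1\\Temp\\wintmeck.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qjineh.sys []
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2006-06-11 190465]
"""

_SECTION = re.compile(r"^\[(.+)\]$")  # [HKEY_...] header line
_VALUE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')  # "Name"= value
_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]$")  # R3 name;desc;image [stamp]

def _as_int(raw):
    """Normalise ComboFix's value renderings ('1 (0x1)', 'dword:00000001', '') to int or None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None

def triage(log_text):
    """Collect the indicators a helper reads by eye from the autostart and service sections."""
    found = {"policies": [], "security_center": [], "firewall_disabled": False,
             "temp_exceptions": [], "unreadable_services": []}
    section = ""
    for line in log_text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = _SERVICE.match(line)
        if m:  # ComboFix prints an empty [] when it cannot stat the service's image file
            _start, name, _desc, image, stamp = m.groups()
            if not stamp.strip():
                found["unreadable_services"].append((name, image))
            continue
        m = _VALUE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        val = _as_int(raw)
        if section.endswith(r"\policies\system"):
            if name.lower() in ("disabletaskmgr", "disableregistrytools") and val:
                found["policies"].append(name)
        elif "security center" in section:
            if val == 1 and name.endswith(("Override", "DisableNotify")):
                found["security_center"].append(name)
        elif "authorizedapplications" in section:
            # REGEDIT4-escaped path; an exception for something under \Temp\ is never legitimate
            path = name.replace("\\\\", "\\").lower()
            if "\\temp\\" in path:
                found["temp_exceptions"].append(path.rsplit("\\", 1)[-1])
        elif "firewallpolicy" in section and name.lower() == "enablefirewall" and val == 0:
            found["firewall_disabled"] = True
    return found

def temp_exceptions_rotated(earlier_log, later_log):
    """True when the whitelisted %TEMP% names share nothing between two runs: the dropper
    recreates itself under new random names after each cleanup."""
    a = set(triage(earlier_log)["temp_exceptions"])
    b = set(triage(later_log)["temp_exceptions"])
    return bool(a) and bool(b) and a.isdisjoint(b)

if __name__ == "__main__":
    for key, value in triage(LATER_EXCERPT).items():
        print(f"{key}: {value}")
    print("temp names rotated:", temp_exceptions_rotated(EARLIER_EXCERPT, LATER_EXCERPT))
```

Feed it the text of a full ComboFix.txt instead of the excerpts to check a fresh log. A non-empty temp_exceptions list or an unreadable_services entry after a cleanup run means the infection has re-established itself, and a True from temp_exceptions_rotated means that deleting the dropped files by name is pointless, because they come back under new names on the next boot.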

#10 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Please read this post completely; it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is offline.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

#11 Lorca (Topic Starter, Member, 66 posts)

Safe mode is still not working. I'm able to get into the menu and select it, but then
a blue screen very briefly shows up and the computer restarts.

#12 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Okay, then let's do this.

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run it. Post the scan report back here.

If you do not have Malwarebytes, please download it from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#13 Lorca (Topic Starter, Member, 66 posts)

I updated Malwarebytes, ran the Quick scan and restarted.

Here's the log:


Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 2

21.12.2008 19:49:18
mbam-log-2008-12-21 (19-49-18).txt

Scan type: Quick Scan
Objects scanned: 69990
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\system32\~.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: system32\~.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
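The MBAM log format in the post above is regular enough to process mechanically, which is useful when comparing several scans from the same machine. What follows is an added example written for this thread, not code from the poster, the helpers, or Malwarebytes. It parses an MBAM 1.x text log into per-section findings, cross-checks each section's item list against the counts in the summary header (a mismatch means the log was edited or truncated before posting), and picks out the entries that hit Winlogon\Shell or a Policies\System restriction, which are the entries that account for the disabled Task Manager reported at the top of the thread. The embedded sample log is constructed from, and abridged to, the lines posted above; the function names and the "tampering" heuristic are my own, not anything MBAM provides.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example for this thread, not Malwarebytes' code. The sample below is
constructed from (and abridged to) the log lines posted in the thread.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 69990

Memory Processes Infected: 0
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\system32\~.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: system32\~.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Registry Data Items Infected: 3" is a summary line; "Registry Data Items Infected:" opens a section.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# Item lines look like "<path> (<detection>) -> <detail> -> ... -> <action>".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\)(?: -> (?P<rest>.*))?$")

# Locations whose modification explains the symptoms in the thread (assumed heuristic):
# Winlogon\Shell decides what runs instead of Explorer at logon, and Policies\System
# holds the DisableTaskMgr / DisableRegistryTools style restrictions.
WINLOGON_SHELL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
POLICY_FRAGMENT = "\\policies\\system\\"


def parse_mbam_log(text):
    """Return (summary_counts, sections): header counts and per-section item dicts."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line == "(No malicious items detected)":
            continue  # scan metadata before the first section, or an empty section
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError("unrecognised line in %r: %r" % (current, line))
        parts = (m.group("rest") or "").split(" -> ")
        sections[current].append({
            "path": m.group("path"),
            "detection": m.group("detection"),
            "details": parts[:-1],   # e.g. "Data: ...", "Bad: (1) Good: (0)"
            "action": parts[-1],     # e.g. "Quarantined and deleted successfully."
        })
    return summary, sections


def count_mismatches(summary, sections):
    """Sections whose listed items disagree with the summary count (log edited or truncated)."""
    return {name: (summary.get(name), len(items))
            for name, items in sections.items()
            if summary.get(name) != len(items)}


def flag_policy_tampering(sections):
    """Items that hit Winlogon\\Shell or a Policies\\System restriction."""
    hits = []
    for items in sections.values():
        for item in items:
            p = item["path"].lower()
            if p == WINLOGON_SHELL.lower() or POLICY_FRAGMENT in p:
                hits.append(item)
    return hits


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_LOG)
    for name, items in sections.items():
        print("%s: %d item(s)" % (name, len(items)))
    print("count mismatches:", count_mismatches(summary, sections))
    for item in flag_policy_tampering(sections):
        print("tampering:", item["path"], item["details"])
```

Run it as-is to see the parsed sample; to use it on a real log, pass the file's text to `parse_mbam_log` instead of `SAMPLE_LOG`. The parser deliberately raises on any item line it does not recognise rather than skipping it, so a log in an unexpected format is reported instead of silently under-counted.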

#14 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello Lorca,

Please try that Safe Mode and SDFix again.

#15 Lorca (Topic Starter, Member, 66 posts)

Still not working, same problem!