GVU-Trojan (German) wakes up at internet connection establishment and


fmeyer01

Good Day!

Someone among my friends and acquaintances, savaged by a Trojan, gave me his computer since he cannot help himself.

Establishing an Ethernet connection that accesses the internet causes the Windows XP user interface to be blocked, even when no browser is used. It displays some stupid stuff about criminal activities that now imply a civil penalty that has to be paid and gives instructions on how to do this.

Two photos of the screen displayed are here:
http://img842.images...0/dscn4769g.jpg
http://img6.imagesha...6/dscn4770t.jpg

Ctrl-Alt-Del doesn't work when the trojan is active, and the Task Manager is not available even when the computer works normally (that is, without an internet connection).
However, I can hear that the computer's virus scanner (AVIRA) is still running in the background - but Alt-Tab doesn't work either.

OTL created the logfile attached.
What should I do next?

Firstly I tried to get help by using two German help sites, but the instructions there did not help at all.
http://bka-trojaner.de/
http://blog.botfrei....ows-xp-vista-7/


Is it a good idea to ask for help when trying to fix a German computer?

I will read further manuals here to help myself but even help in this topic would be appreciated!
Thanks a lot for your advertence!

Mr. F. Meyer, Germany, Hamburg

OTL logfile created on: 28.06.2012 07:57:53 - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = F:\Download\OTL OldTimer's List-It (Trojaner Analyse)\20120628 v3.2.23.0
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1023,48 Mb Total Physical Memory | 693,55 Mb Available Physical Memory | 67,76% Memory free
2,41 Gb Paging File | 2,07 Gb Available in Paging File | 86,19% Paging File free
Paging file location(s): f:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Programme
Drive C: | 15,42 Gb Total Space | 15,13 Gb Free Space | 98,17% Space Free | Partition Type: FAT32
Drive F: | 74,52 Gb Total Space | 4,70 Gb Free Space | 6,30% Space Free | Partition Type: NTFS

Computer Name: JULIA-OY8KH7RE5 | User Name: Julia | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.06.28 07:21:48 | 000,596,992 | ---- | M] (OldTimer Tools) -- F:\Download\OTL OldTimer's List-It (Trojaner Analyse)\20120628 v3.2.23.0\OTL.exe
PRC - [2012.05.13 23:31:46 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- F:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.13 23:31:44 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- F:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.13 23:31:44 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- F:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.13 23:31:44 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- F:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.02.23 22:19:22 | 000,371,200 | ---- | M] (shbox.de) -- F:\Programme\FreePDF_XP\fpassist.exe
PRC - [2010.05.01 08:51:28 | 000,217,088 | ---- | M] (Teruten) -- F:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2010.05.01 08:50:00 | 000,095,568 | ---- | M] (Devguru Co., Ltd.) -- F:\WINDOWS\system32\dgdersvc.exe
PRC - [2009.05.07 02:01:00 | 001,904,640 | R--- | M] (AVM Berlin) -- F:\Programme\avmwlanstick\WLanGUI.exe
PRC - [2009.05.07 02:01:00 | 000,368,640 | R--- | M] (AVM Berlin) -- F:\Programme\avmwlanstick\WLanNetService.exe
PRC - [2008.04.14 04:22:45 | 001,036,800 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\explorer.exe
PRC - [2001.02.23 10:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) -- F:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (No Company Name) ==========

MOD - [2012.06.23 14:14:03 | 000,238,568 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\wpbt0.dll
MOD - [2012.05.13 23:31:46 | 000,398,288 | ---- | M] () -- F:\Programme\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2010.06.17 21:56:52 | 000,116,224 | ---- | M] () -- F:\WINDOWS\system32\redmonnt.dll
MOD - [2008.09.16 21:18:06 | 000,132,608 | ---- | M] () -- F:\Programme\WinRAR\RarExt.dll
MOD - [2001.10.28 16:42:30 | 000,116,224 | ---- | M] () -- F:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - [2012.05.13 23:31:46 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- F:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.13 23:31:44 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- F:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.07 10:28:36 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- F:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2010.05.04 04:33:54 | 009,241,088 | ---- | M] () [On_Demand | Stopped] -- F:\Program Files\Samsung\Kies\WiselinkPro\WiselinkPro.exe -- (KiesAllShare)
SRV - [2010.05.01 08:51:28 | 000,217,088 | ---- | M] (Teruten) [Auto | Running] -- F:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2010.05.01 08:50:00 | 000,095,568 | ---- | M] (Devguru Co., Ltd.) [Auto | Running] -- F:\WINDOWS\system32\dgdersvc.exe -- (dgdersvc)
SRV - [2009.05.07 02:01:00 | 000,368,640 | R--- | M] (AVM Berlin) [Auto | Running] -- F:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)
SRV - [2008.11.11 09:38:06 | 000,620,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- F:\Programme\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2005.05.31 15:45:30 | 000,176,128 | ---- | M] () [Disabled | Stopped] -- F:\VIRUSfighter\Bin\Zanda.exe -- (Norman ZANDA)
SRV - [2005.01.12 10:57:56 | 000,143,360 | ---- | M] () [Disabled | Stopped] -- F:\VIRUSfighter\Bin\Njeeves.exe -- (Norman NJeeves)
SRV - [2004.10.22 03:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- F:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2001.02.23 10:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- F:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\zd1211Bu.sys -- (X-Micro WLAN 11g USB Adapter(X-Micro)) X-Micro WLAN 11g USB Adapter Driver(X-Micro)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\BRGSp50.sys -- (BRGSp50)
DRV - [2012.05.13 23:31:46 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.13 23:31:46 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- F:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.09.16 16:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.05.01 08:51:28 | 000,036,640 | ---- | M] () [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2010.05.01 08:50:00 | 000,018,136 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2010.04.27 04:25:20 | 000,123,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\sscemdm.sys -- (sscemdm)
DRV - [2010.04.27 04:25:20 | 000,100,352 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\ssceserd.sys -- (ssceserd) SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM)
DRV - [2010.04.27 04:25:20 | 000,098,560 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\sscebus.sys -- (sscebus) SAMSUNG USB Composite Device V2 driver (WDM)
DRV - [2010.04.27 04:25:20 | 000,014,848 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\sscemdfl.sys -- (sscemdfl)
DRV - [2009.10.08 16:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.05.07 02:01:00 | 000,265,088 | R--- | M] (AVM GmbH) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\fwlanusb.sys -- (FWLANUSB)
DRV - [2009.05.07 02:01:00 | 000,004,352 | R--- | M] (AVM Berlin) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\avmeject.sys -- (avmeject)
DRV - [2008.04.13 20:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006.09.16 18:26:24 | 000,099,840 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Running] -- F:\WINDOWS\system32\drivers\ACEDRV06.sys -- (ACEDRV06)
DRV - [2001.08.17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001.08.17 13:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\nv4.sys -- (nv4)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...61&gct=&gc=1&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Prev Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Prev Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {C94E154B-1459-4A47-966B-4B843BEFC7DB} - F:\Programme\AskSearch\bin\DefaultSearch.dll ()
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{080FBDF6-B230-4e4d-A4E7-7C7A56D7BABC}: "URL" = http://searchservice...b&orig=IMC-IEDS
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.c...rm=1&toolbar=BT
IE - HKCU\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect...e=tb50winampie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: F:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: F:\Programme\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: F:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: F:\Programme\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: f:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2303: F:\Programme\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1465: F:\Programme\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: F:\Programme\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: F:\Programme\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veoh.com/VeohTVPlugin: File not found
FF - HKLM\Software\MozillaPlugins\@veoh.com/VeohWebPlayer: File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: F:\Programme\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: F:\Programme\Mozilla Firefox\components [2012.05.07 10:28:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: F:\Programme\Mozilla Firefox\plugins

[2012.04.09 17:00:51 | 000,000,000 | ---D | M] (No name found) -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Mozilla\Extensions
[2012.05.03 00:54:25 | 000,000,000 | ---D | M] (No name found) -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Mozilla\Firefox\Profiles\8usoib4h.default\extensions
[2012.06.04 19:14:27 | 000,000,000 | ---D | M] (No name found) -- F:\Programme\Mozilla Firefox\extensions
[2012.06.04 19:14:27 | 000,000,000 | ---D | M] (Java Console) -- F:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012.05.07 10:28:36 | 000,097,208 | ---- | M] (Mozilla Foundation) -- F:\Programme\mozilla firefox\components\browsercomps.dll
[2012.03.13 07:23:34 | 000,001,392 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.13 07:06:36 | 000,002,252 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\bing.xml
[2012.03.13 07:23:34 | 000,001,153 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.13 07:23:34 | 000,006,805 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.13 07:23:34 | 000,001,178 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.13 07:23:34 | 000,001,105 | ---- | M] () -- F:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2001.08.18 14:00:00 | 000,000,820 | ---- | M]) - F:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] F:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [AVMWlanClient] F:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [FreePDF Assistant] F:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] F:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] F:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] F:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [KiesTrayAgent] File not found
O4 - HKCU..\Run: [updateMgr] F:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 1
O8 - Extra context menu item: &Windows Live Search - F:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx File not found
O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - F:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - F:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1333984759695 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0557FF88-0DB2-4DA4-9DAA-E23A6DE17863}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - F:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - F:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (F:\WINDOWS\system32\userinit.exe) - F:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 () - http://www.gmxattach...u&frame=content
O24 - Desktop Components:1 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0644062e-27b2-11df-83fd-0011e206f5a5}\Shell\AutoRun\command - "" = J:\Menu.exe
O33 - MountPoints2\{2d4d43c4-df4b-11dd-816d-00138f12d10f}\Shell\AutoRun\command - "" = C:\Menu.exe
O33 - MountPoints2\{46f9352b-132a-11e0-85bc-00138f12d10f}\Shell\AutoRun\command - "" = C:\setup.exe
O33 - MountPoints2\{95a0a4ae-fa59-11e0-86e2-00138f12d10f}\Shell\AutoRun\command - "" = G:\RunClubSanDisk.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sprestrt)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012.06.26 23:38:14 | 000,000,000 | ---D | C] -- F:\Kaspersky Rescue Disk 10.0
[2012.06.24 13:56:17 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Identities
[2012.06.07 01:17:17 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\Julia\Eigene Dateien\download
[2012.05.29 11:00:00 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Buhl Data Service
[2012.05.29 10:59:53 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Buhl Data Service
[2012.05.29 10:58:56 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\Buhl
[2012.05.29 10:57:07 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Steuer 2011
[2012.05.29 10:54:56 | 000,000,000 | ---D | C] -- F:\Programme\Steuer 2011
[2012.05.29 10:54:22 | 000,000,000 | ---D | C] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Buhl Data Service GmbH
[2010.11.10 01:07:42 | 000,563,200 | ---- | C] (Marlem-Software) -- F:\Programme\Bildschi.exe
[2010.03.31 19:01:04 | 012,991,896 | ---- | C] (Opera Software ASA) -- F:\Programme\Opera_1051_int_Setup.exe
[2008.12.06 21:28:35 | 004,043,308 | ---- | C] (e-merge GmbH) -- F:\Programme\wace269d.exe
[2008.04.17 11:23:39 | 009,413,760 | ---- | C] (Nullsoft, Inc.) -- F:\Programme\winamp5531_full_emusic-7plus_de-de.exe
[4 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ]
[11 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.06.28 07:55:51 | 000,001,210 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-492894223-725345543-1003UA.job
[2012.06.27 03:39:19 | 000,013,646 | ---- | M] () -- F:\WINDOWS\System32\wpa.dbl
[2012.06.27 03:38:41 | 000,001,086 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012.06.27 03:38:21 | 000,043,573 | ---- | M] () -- F:\WINDOWS\System32\nvapps.xml
[2012.06.27 03:38:08 | 000,002,048 | --S- | M] () -- F:\WINDOWS\bootstat.dat
[2012.06.27 03:38:06 | 1073,270,784 | -HS- | M] () -- F:\hiberfil.sys
[2012.06.27 03:35:43 | 004,503,728 | ---- | M] () -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\0tbpw.pad
[2012.06.27 01:53:05 | 000,001,090 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012.06.27 01:19:00 | 000,000,246 | ---- | M] () -- F:\WINDOWS\tasks\Auf Updates für Windows Live Toolbar prüfen.job
[2012.06.26 22:55:00 | 000,001,158 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-492894223-725345543-1003Core.job
[2012.06.24 14:26:35 | 000,137,728 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.06.23 14:15:28 | 000,000,664 | ---- | M] () -- F:\WINDOWS\System32\d3d9caps.dat
[2012.06.23 14:14:09 | 000,001,604 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Startmenü\Programme\Autostart\ctfmon.lnk
[2012.06.23 11:54:24 | 000,157,160 | ---- | M] () -- F:\WINDOWS\System32\FNTCACHE.DAT
[2012.06.23 00:50:06 | 000,459,250 | ---- | M] () -- F:\WINDOWS\System32\perfh007.dat
[2012.06.23 00:50:06 | 000,441,552 | ---- | M] () -- F:\WINDOWS\System32\perfh009.dat
[2012.06.23 00:50:06 | 000,084,754 | ---- | M] () -- F:\WINDOWS\System32\perfc007.dat
[2012.06.23 00:50:06 | 000,071,488 | ---- | M] () -- F:\WINDOWS\System32\perfc009.dat
[2012.06.23 00:42:49 | 000,001,374 | ---- | M] () -- F:\WINDOWS\imsins.BAK
[2012.06.18 09:19:35 | 000,011,117 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Eigene Dateien\Anschreiben Techniker 20120618.odt
[2012.06.17 18:03:40 | 000,002,364 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Desktop\Google Chrome.lnk
[2012.05.29 15:17:40 | 000,001,292 | ---- | M] () -- F:\WINDOWS\wiso.ini
[2012.05.29 10:58:11 | 000,001,546 | ---- | M] () -- F:\Dokumente und Einstellungen\All Users\Desktop\Steuer 2011.lnk
[4 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ]
[11 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.06.27 00:53:03 | 004,503,728 | ---- | C] () -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\0tbpw.pad
[2012.06.24 14:11:35 | 1073,270,784 | -HS- | C] () -- F:\hiberfil.sys
[2012.06.23 14:14:08 | 000,001,604 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Startmenü\Programme\Autostart\ctfmon.lnk
[2012.06.18 09:00:51 | 000,011,117 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Eigene Dateien\Anschreiben Techniker 20120618.odt
[2012.05.29 10:59:02 | 000,001,292 | ---- | C] () -- F:\WINDOWS\wiso.ini
[2012.05.29 10:58:11 | 000,001,546 | ---- | C] () -- F:\Dokumente und Einstellungen\All Users\Desktop\Steuer 2011.lnk
[2012.04.13 16:27:16 | 000,000,664 | ---- | C] () -- F:\WINDOWS\System32\d3d9caps.dat
[2012.04.10 01:17:48 | 000,116,224 | ---- | C] () -- F:\WINDOWS\System32\redmonnt.dll
[2012.04.10 01:17:48 | 000,045,056 | ---- | C] () -- F:\WINDOWS\System32\unredmon.exe
[2012.04.09 21:25:32 | 000,003,072 | ---- | C] () -- F:\WINDOWS\System32\iacenc.dll
[2011.10.19 21:59:01 | 000,110,592 | ---- | C] () -- F:\WINDOWS\System32\FsUsbExDevice.Dll
[2011.10.19 21:59:00 | 000,036,640 | ---- | C] () -- F:\WINDOWS\System32\FsUsbExDisk.Sys
[2011.10.19 21:25:58 | 000,002,528 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\$_hpcst$.hpc
[2011.09.11 20:32:29 | 096,593,169 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\semesterarbeit.cpr
[2011.07.16 23:03:50 | 196,566,948 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\wanderurlaub 2011.cpr
[2011.07.16 16:32:22 | 115,049,201 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\2012.cpr
[2011.06.25 11:45:42 | 115,049,201 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\27.06.2011.cpr
[2011.06.25 00:32:03 | 065,232,955 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Buch 26.6.cpr
[2011.06.23 23:05:55 | 126,448,143 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Letzes mal.cpr
[2011.06.23 23:04:56 | 126,448,037 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Fotobuch das letzte.cpr
[2011.06.22 21:02:17 | 096,053,353 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Fotobuch aktuell1.cpr
[2011.06.15 23:42:39 | 029,760,381 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\FOTOBUCH ROSSMANN.cpr
[2010.11.23 18:09:14 | 000,002,909 | ---- | C] () -- F:\Programme\tastatur.ini
[2010.11.10 01:07:54 | 000,000,107 | ---- | C] () -- F:\Programme\wörterbuch
[2010.03.03 14:52:09 | 002,925,160 | ---- | C] () -- F:\Programme\BitTorrent-6.4.exe
[2008.12.06 21:30:22 | 000,000,213 | ---- | C] () -- F:\Programme\WinACE_2.6_(Serial).zip
[2008.04.10 21:53:59 | 009,730,075 | ---- | C] () -- F:\Programme\vlc-0.8.6f-win32.exe
[2006.09.16 18:25:10 | 000,000,138 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.07.27 15:15:43 | 000,137,728 | ---- | C] () -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006.05.11 22:37:12 | 000,000,305 | ---- | C] () -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html

========== LOP Check ==========

[2012.05.29 15:06:26 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Buhl Data Service GmbH
[2011.10.30 08:56:34 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ClubSanDisk
[2012.04.14 11:17:15 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Driver Whiz
[2011.10.19 22:00:33 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC Suite
[2011.10.19 21:26:14 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Samsung
[2011.04.10 00:51:46 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\tmp
[2012.04.14 11:17:45 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\UAB
[2010.03.04 01:18:01 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\BitTorrent
[2012.05.29 11:00:00 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Buhl Data Service
[2009.02.19 11:41:31 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\DNA
[2012.04.10 01:17:44 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\FreePDF
[2007.04.19 23:29:36 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\ICQ Toolbar
[2007.07.17 19:59:49 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\ICQLite
[2006.09.16 18:39:00 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\IMP
[2010.03.03 19:41:44 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Lindy
[2012.04.09 23:09:31 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\OpenOffice.org
[2011.10.21 14:09:04 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Opera
[2011.10.19 22:00:21 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\PC Suite
[2008.08.24 19:07:29 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\rhcaepj0e331
[2011.10.19 21:23:11 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\Samsung
[2006.04.22 20:50:43 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\The Labyrinth Plus! Edition
[2012.06.27 01:19:00 | 000,000,246 | ---- | M] () -- F:\WINDOWS\Tasks\Auf Updates für Windows Live Toolbar prüfen.job

========== Purity Check ==========



< End of report >

Attached Files


  • 0



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,783 posts
  • MVP
I expect we can fix it. I lived in Germany for 11 years so German is not a problem.

Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:OTL
MOD - [2012.06.23 14:14:03 | 000,238,568 | ---- | M] () -- F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\wpbt0.dll
SRV - [2005.05.31 15:45:30 | 000,176,128 | ---- | M] () [Disabled | Stopped] -- F:\VIRUSfighter\Bin\Zanda.exe -- (Norman ZANDA)
SRV - [2005.01.12 10:57:56 | 000,143,360 | ---- | M] () [Disabled | Stopped] -- F:\VIRUSfighter\Bin\Njeeves.exe -- (Norman NJeeves)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\zd1211Bu.sys -- (X-Micro WLAN 11g USB Adapter(X-Micro)) X-Micro WLAN 11g USB Adapter Driver(X-Micro)
IE - HKCU\..\URLSearchHook: {C94E154B-1459-4A47-966B-4B843BEFC7DB} - F:\Programme\AskSearch\bin\DefaultSearch.dll ()
IE - HKCU\..\SearchScopes\{080FBDF6-B230-4e4d-A4E7-7C7A56D7BABC}: "URL" = http://searchservice...b&orig=IMC-IEDS
IE - HKCU\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.c...rm=1&toolbar=BT
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKCU..\Run: [KiesTrayAgent] File not found
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 File not found
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O33 - MountPoints2\{0644062e-27b2-11df-83fd-0011e206f5a5}\Shell\AutoRun\command - "" = J:\Menu.exe
O33 - MountPoints2\{2d4d43c4-df4b-11dd-816d-00138f12d10f}\Shell\AutoRun\command - "" = C:\Menu.exe
O33 - MountPoints2\{46f9352b-132a-11e0-85bc-00138f12d10f}\Shell\AutoRun\command - "" = C:\setup.exe
O33 - MountPoints2\{95a0a4ae-fa59-11e0-86e2-00138f12d10f}\Shell\AutoRun\command - "" = G:\RunClubSanDisk.exe
[2008.08.24 19:07:29 | 000,000,000 | ---D | M] -- F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\rhcaepj0e331

:files
F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\wpbt0.dll
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
F:\Dokumente und Einstellungen\Julia\Anwendungsdaten\*.exe
F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\*.dll
F:\Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\*.exe
F:\WINDOWS\Temp\setup.exe
F:\WINDOWS\system32\svchost -k svchost.exe
netsh winsock reset catalog /c
netsh winsock show catalog /c
netsh int ip reset F:\reset.log /c
type F:\reset.log /c

:Commands
[EMPTYJAVA]
[EMPTYFLASH]
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Following programs may need to be downloaded on another computer and then moved to the sick one and run. Some may complain about not having internet access but they should all run. If one won't run then go on to the next.

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work. The 10 minutes mentioned at the beginning is no longer valid. It may take an hour or more if the machine is really bogged down with viruses or has a lot of files.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan (Decline the Avast engine download unless the internet is working)
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Is it still showing the infection when you connect to the internet?

Ron
  • 0

#3
fmeyer01

fmeyer01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you very much for your help so far (German: Vielen Dank für deine Hilfe!).

Unfortunately I couldn't get through very far.

1. Firstly I made the mistake to use the OTLPENet CD at startup. The script didn't work in OTLPENet program (v 3.1.48.0) and was "Not Responding" anymore after 2 seconds.
2. Then I used OTL.exe (v 3.2.53.0), since I recognized that I have to start up the computer normally and not with the OTLPENet CD.

OTL.exe provided the error message:

Cannot create file F:\WINDOWS\System32\drivers\etc\hosts"


In the bottom line of OTL.exe program (v 3.2.53.0) I read for more than half an hour:

Resetting HOSTS file. DO NOT INTERRUPT.


Then I switched off the computer - that invokes the sleep mode.
Since the taskmanager in this computer is permanently blocked currently, I cannot "End Task..." OTL.
(Ctrl-Alt-Del starts the taskmanager, but it ends immediately - seen for only half a second).

At startup RUNDLL displayed:

Fehler beim Laden von (Error loading of) F:\DOKUME~1\Julia\LOKALE~1\Temp\wpbt0.dll
Das angegebene Modul wurde nicht gefunden. (This module cannot be found).
OK


However, I looked it up, this file exists here:

F:\_OTL\MovedFiles\06292012_220056\F_Dokumente und Einstellungen\Julia\Lokale Einstellungen\Temp\wpbt0.dll


I looked up F:\Windows\....\etc\hosts - it is there and looks normally, only 1 entry:
127.0.0.1 localhost

OTL created the log file (I attached it to this message):

F:\_OTL\MovedFiles\06292012_220056.log


In that folder OTL also created a sub-folder structure that contains mostly empty folders and sub-folders.

I also downloaded:

ComboFix.exe
tdsskiller.exe
aswMBR.exe
and
mbam-setup-1.61.0.1400.exe


but I did not do anything with them, yet.

What should I do first/next?
(Do you know about another geeks-to-go!-Thread that could help me finding out by myself how the help in this case works?)

Should I restart and try to create an empty etc/hosts file manually?
(Removing write protection or lookup why this doesn't work?)

Should I do another scan (not files of the last 30 Days but All files)?

(I remember that I deleted a trojan on that computer in April, 10, this year,
however I didn't really fix the registry at all. Only the HKLM_..._Run and HKCU_..._Run
and also deleted some russian files having a certain Date/Time, But the computer was
working fine afterwards. The trojan now here is another than in April).


Should I use another solution with my REATOGO-X-PE CD (with OTLPENet v3.1.48.0)?

Should I install anything from USB stick?
Or should I continue your steps even if OTL doesn't finish and didn't restart the Computer by itself?

I am very experienced in solving computer tasks (MS-DOS, Windows and Linux - however my Linux-life was 8 years ago).
So feel free to give me advices for expert tasks, if necessary.

I am happy that I got your answer so quickly and I could - if necessary - do work at this problem the whole weekend.

Attached Files


  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,783 posts
  • MVP
The hosts file reset is not really important and wasn't really needed. It's just a routine thing. Not sure why it failed. It usually works in XP without a problem. It's the next to last command before the reset so everything else probably worked OK.

I am guilty of removing the wpbt0.dll file. It's part of the infection. IF it is just causing an error then let it go for now and run the other scans. If it is causing a problem then I would suggest you first try creating another file using notepad to the same location as the old location for wpbt0.dll Open Notepad, then a few spaces and do File, Save As, to F:\DOKUME~1\Julia\LOKALE~1\Temp\ and give it the name: "wpbt0.dll" OK. (You need the quotes or it will add .txt to the name which is not what we want.) See if that corrects the problem. If you absolutely must then you can move the file back from OTL's storage space.

(Combofix is very good about removing what it calls orphans - registry entries that point to missing files - so odds are good that it will take care of the error for you.)

I could not find much on a ukash infection that only activates when the network is active so can't point you to anything else. I think this is a new version of the infection.
  • 0

#5
fmeyer01

fmeyer01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I ran ComboFix.exe being lead from bleepingcomputer.com and then left the Computer for playing piano for a while.
After about 45 Minutes ComboFix didn't run anymore (The desktop was visible normally, however nothing to see of the ComboFix window) but there was an Error message.
ComboFix created a visible file also that contained only 3-5 lines.
ComboFix also created a strange Folder structure on the system drive F:\ that seems to be an (endless?) recapitulation of F:\.

Unfortunately something went wrong when I stored / wrote off / copied / moved / deleted the message and logfile visible on the screen from the sick computer to my stick, since the trash bin and copying processes didn't work properly, I believe. Unfortunately was my C:\ drive the USB-Stick itself (since the system drive is F:\) and I couldn't find the deleted ComboFix.txt anywhere on the sick computer anymore.

So the ComboFix logfile and the error message are gone for me.

I also didn't read carefully ahead and changed the modified time 3 hours back (now I know the change was done by ComboFix). And just now 3 hours forth again. However the seconds will not be correct because of the delay during clock set.

I have only the windows error message attached.

I refuse to run ComboFix again since I am warned about that.

Is it hopeless now?
Can I find the missing logfile anywhere else?
Should I attach or post something else?

Thanks for your help so far.

Attached Files


  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,783 posts
  • MVP
Just try the other scans, when one doesn't work go on to the next.

The strange Folder structure is normal with Combofix. Combofix is smarter than I am so it would have used F: instead of C: It may also create a folder these days to store its logs. F:\Combofix\combofix.txt. The second time you run it it will move the last log to F:\Qoobox\ and give it a number like Combofix1.txt. It also makes a file F:\Qoobox\ComboFix-quarantined-files.txt which can be useful. Sometimes Combofix will work if you boot into Safe Mode first. Other times we have to run it from the command line:

Start, Run, cmd, OK and type with an enter after the line:

"%userprofile%\Desktop\combofix.exe"  /killall

Above assumes you have Combofix on the desktop and you can not have MBAM installed. You must turn off the anti-virus when working with Combofix. Combofix works better if the Recovery Console is installed. This can be done manually if you don't have internet access. http://www.bleepingc...manual_recovery

You can run multiple times. We just like to know when there is a problem.

If you can't get Combofix to work try DDS:
Please download DDS from http://download.blee...om/sUBs/dds.com or http://download.blee...om/sUBs/dds.scr
and save it to your desktop.

* Disable any script blocking protection
* Double click dds.pif to run the tool.
* When done, two DDS.txt's will open.
* Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
  • 0

#7
fmeyer01

fmeyer01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you, your message relieved me, because rescue is still possible.

1. Started the sick PC in safe mode.
2. ComboFix installed the Recovery Console/"Wiederherstellungskonsole" (XP Pro SP2 German for Computer XP Prof 2002 SP3) - downloaded from Microsoft.
3. The 2nd try of the ComboFix scan ran through and created the log file attached.
4. TDSSKiller scanned in safe mode the first time without any request to reboot. (1st Logfile attached).
5. A second scan in safe mode of TDSSKiller didn't request reboot, too. (2nd Logfile attached, I think it contains the 1. logfile also).
6. aswMBR scanned quickly - the Fix button wasn't enabled afterwards. (Logfile attached).
7. For the scan of Malwarebytes you wrote: "... be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish."

(I wondered about this because network connections wake up the Ukash trojan!) However, I did this, restarted the safe mode with network drivers. The trojan did not appear (!) when I plugged in the Ethernet cable that is permanently connected to the internet. But Malwarebytes couldn't get the update (PROGRAM_ERROR_UPDATING (0,0.Host not found)) even though there is DSL on the cable. But then I refused to set up a new connection in the network environment.
So Malwarebytes scanned without a previous update. (logfile attached)

8. In Malwarebytes program I didn't click "Remove Selected". The reason is, that I would like to get the original Ukash screen display for posting it to the German Forum bka-trojaner.de on the homepage. Do I have a chance to get it in a way? I also would like to get all information about the whole infection (Registry entries, trojan program files and knowledge of the program execution tasks if accessible.) Does the trojan use a hidden harddisk space for his needs?

I am happy for getting your help so far!

Attached Files


Edited by fmeyer01, 01 July 2012 - 08:25 AM.

  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,783 posts
  • MVP
F:\WINDOWS\system32\blphceepj0e331.scr

is one of the files that is causing the problem. Somehow it doesn't show up in our usual scans. Check the date and time on it and then do a search for all files with the same date and include hidden and system files and see if there are any more with the same time + or - 5 minutes. Also be a good idea to submit it to http://www.virustotal.com and then copy and paste the results. Then Zip up the file and attach it to your next post so we can play with it and see what else it does.

We can also look in the registry for the two entries that MBAM found and see if they are calling any more files or have made any other changes that MBAM didn't catch.

From a command prompt:

reg  query  "HKCU\Control Panel\Desktop" /s  >>  \junk.txt

reg  query  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion  /f  rhcaepj0e331   >>  \junk.txt


Please attach F:\junk.txt to your next post.
  • 0

#9
fmeyer01

fmeyer01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Remark:

The Zip file attached contains files of a trojan from 20120608, that I removed manually before.
I did this work successful but probably incompletely.
The file "20120608 deactivated registry Run keys.txt" contains my work to deactivate them in the registry.
Both are not part of our current case.

-.-

The file you mentioned, F:\WINDOWS\system32\blphceepj0e331.scr does not exist, unfortunately.
So I couldn't get information about the date of the infection.

Instead, I list all occurrences of .scr files in "dir scr.txt" via

"dir F:\*.scr /s"

I asked my friend, he told me the infection was in June, 15th - 18th. But I couldn't find any files from these dates.

However F:\_OTL has a folder structure with this name that contains other empty folders:

F:\_OTL\MovedFiles\06292012_220056\F_Dokumente und Einstellungen\Julia\Anwendungsdaten\rhcaepj0e331

Currently I can use the sick PC normally (with internet access) something must have been deleted or deactivated anywhere. (I guess it was OTL or the second run of ComboFix?)
So are all evidences lost?
I really would like post them to virustotal - if I could - are they really gone or is this a tricky trojan case that loads from the internet?

Attached is junk.txt

Your given command

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /f rhcaepj0e331 >> \junk.txt

didn't work with /f but I looked up /v that worked.

AVIRA Antivirus put something in its quarantine folder, a listing is attached.

My friend asked me how long he has to wait for his computer. On the one hand, what should I do for this quickly? Or, on the other hand, how long would it last if searching for evidences. (I know, it's my part, but are you experienced estimating the time in other cases?)
If it lasts too long or if all evidences are lost my second interest would be, to learn more about trojan catching. (I know, where to find a training course at "geeks-to-go!".) Can you estimate how long somehow experienced users need for the training? (I know that I ask you questions that you cannot answer precisely in days or hours, but you possibly know more about the time needed for this, than I).

I also know, that you give me your time for this work. I would respect your wishes, do finish this trojan case quickly or thoroughgoing.
Thank you very much for your help until now.

Attached Files


Edited by fmeyer01, 02 July 2012 - 09:31 AM.

  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,783 posts
  • MVP
You used dir F:\*.scr /s instead of

cd \
dir /a /s *.scr

Without the /a it won't show hidden files.

To make sure a file doesn't exist you can try to make a directory of the same name:

mkdir  \WINDOWS\system32\blphceepj0e331.scr

I think we can finish this up in a day or two. Run MBAM and let it update then remove anything it finds.


Avira was finding a lot of .exe files in F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\

This is not a place where .exe files belong so make sure there aren't any left.

dir  /a  "F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\*.exe"

Also there were a lot in the System Restore so let's clean that out too:

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

(This just removes all but the latest System Restore Point)


I would run ESET's on-line scan to be sure you are clean:

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).

If ESET doesn't find anything then we can clean up:

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

You probably do not have the latest Java (Java™ 6 Update 29 or 7 update 1). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

As far as how long it takes to go through the G2G university I don't really know. I never went. I will ask in our internal forum and get back to you. Answer: About a year. A lot depends on how fast the student responds to each assignment but also how fast the instructors can get back to you. We are all volunteers with real lives outside G2G so sometimes there may be delays.

Ron
  • 0
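The two file searches described in this thread (post #8: files stamped within 5 minutes of a known-bad file, hidden and system files included; post #10: executables sitting in an application-data folder), as an added Python example that is not part of the thread or of any tool named in it. The function names, the sample tree and its placeholder file names are constructed for illustration; the check for the "MZ" header, which also catches executables that were renamed, goes slightly beyond the `dir *.exe` check in the post.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Extensions Windows runs directly; a .scr screensaver is an ordinary PE file.
EXEC_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd"}


def walk_files(root):
    """Yield every file under root. os.walk does not filter on the hidden or
    system attribute, so it sees what `dir` only shows with /a."""
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            yield os.path.join(dirpath, name)


def files_near(root, reference, window=timedelta(minutes=5)):
    """Return sorted [(path, which, timestamp)] for files whose modified or
    created time lies within +/- window of the reference datetime."""
    ref = reference.timestamp()
    span = window.total_seconds()
    hits = []
    for path in walk_files(root):
        try:
            st = os.stat(path)
        except OSError:
            continue  # locked or removed while scanning
        # On Windows st_ctime has traditionally held the creation time;
        # on Unix it is the time of the last metadata change.
        for which, ts in (("modified", st.st_mtime), ("created", st.st_ctime)):
            if abs(ts - ref) <= span:
                hits.append((path, which, datetime.fromtimestamp(ts)))
                break
    return sorted(hits)


def looks_executable(path):
    """True if the extension is executable or the file starts with the 'MZ'
    magic of a DOS/PE image (catches renamed executables)."""
    if os.path.splitext(path)[1].lower() in EXEC_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def executables_in(root):
    """Return sorted paths of executable-looking files under a data folder."""
    return sorted(p for p in walk_files(root) if looks_executable(p))


def build_sample_tree(reference):
    """Constructed sample data: a temp folder with placeholder file names."""
    root = tempfile.mkdtemp(prefix="profile_")
    samples = [  # (relative path, offset from reference, content)
        ("Anwendungsdaten/example_a.scr", timedelta(minutes=2), b"MZ\x90\x00"),
        ("Anwendungsdaten/sub/example_b.dat", timedelta(minutes=-4), b"MZ\x90\x00"),
        ("Anwendungsdaten/notes.txt", timedelta(minutes=6), b"hello"),
        ("Anwendungsdaten/old.ini", timedelta(hours=-1), b"[x]"),
    ]
    for rel, offset, content in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        ts = (reference + offset).timestamp()
        os.utime(path, (ts, ts))  # set accessed and modified time
    return root


if __name__ == "__main__":
    ref = datetime(2012, 6, 15, 12, 0, 0)  # constructed reference time
    tree = build_sample_tree(ref)
    for path, which, ts in files_near(tree, ref):
        print(f"{ts:%Y.%m.%d %H:%M:%S} {which:8} {path}")
    for path in executables_in(tree):
        print("executable:", path)
```

On a real machine, pass the timestamp of the known-bad file as `reference` and the profile or system folder as `root`.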





