I recently ran the game Port Royal 2. As soon as I started to run the game after having installed it, my Comodo Internet Security program said it had detected the following malware:
[email protected]
E:\PR2.exe
It's nearly impossible that the Port Royale 2 DVD is infested itself because I already had it running some time ago and it ran just fine. It's the original game.
Strangely enough, immediately after running the game the exe-icon vanished from the game folder.
After that the installation wizard asked me to reinstall the game.
I did that with the same result.
Since I have no idea what happened to the computer, I refer to your geekstogo team hoping to get some advice with my nasty problem.
As I was instructed in your guide, I'll post a copy of the OTL log file below.
Thank you very much in advance.
Kind regards,
Daniel
--------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++ OTL-Log below +++++++++++++++++++++++++++++++++++++++
--------------------------------------------------------------------------------------------
OTL Extras logfile created on: 19.01.2013 11:51:15 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = D:\Dokumente und Einstellungen\danox\Eigene Dateien\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,97 Gb Total Physical Memory | 2,24 Gb Available Physical Memory | 75,36% Memory free
4,82 Gb Paging File | 4,00 Gb Available in Paging File | 82,91% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Programme
Drive C: | 34,18 Gb Total Space | 11,89 Gb Free Space | 34,79% Space Free | Partition Type: NTFS
Drive D: | 40,35 Gb Total Space | 16,51 Gb Free Space | 40,93% Space Free | Partition Type: NTFS
Drive E: | 647,06 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Computer Name: DANOX-8B5606D54 | User Name: danox | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Dokumente und Einstellungen\danox\Eigene Dateien\Downloads\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Dokumente und Einstellungen\danox\Eigene Dateien\Downloads\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe" = D:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"D:\Programme\Gemeinsame Dateien\Siemens\SQLANY\dbsrv9.exe" = D:\Programme\Gemeinsame Dateien\Siemens\SQLANY\dbsrv9.exe:*:Enabled:Adaptive Server Anywhere Network Server -- (iAnywhere Solutions, Inc.)
"D:\Programme\Gemeinsame Dateien\Siemens\SQLANY\dbeng9.exe" = D:\Programme\Gemeinsame Dateien\Siemens\SQLANY\dbeng9.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (iAnywhere Solutions, Inc.)
"D:\WINDOWS\system32\s7otbxsx.exe" = D:\WINDOWS\system32\s7otbxsx.exe:*:Enabled:SIEMENS STEP7 Block Administration -- (SIEMENS AG)
"D:\Programme\Siemens\Step7\S7INF\S7usiapx.exe" = D:\Programme\Siemens\Step7\S7INF\S7usiapx.exe:*:Enabled:SIEMENS STEP7 S7InfoBox -- (SIEMENS AG)
"D:\Programme\Siemens\Step7\S7BIN\S7tgtopx.exe" = D:\Programme\Siemens\Step7\S7BIN\S7tgtopx.exe:*:Enabled:SIEMENS STEP7 SIMATIC Manager -- (SIEMENS AG)
"D:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe" = D:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe:LocalSubNet:Enabled:Automation License Manager Service -- (SIEMENS AG)
"D:\Programme\ExpressFiles\ExpressFiles.exe" = D:\Programme\ExpressFiles\ExpressFiles.exe:*:Enabled:ExpressFiles
"D:\Programme\ExpressFiles\ExpressDL.exe" = D:\Programme\ExpressFiles\ExpressDL.exe:*:Enabled:ExpressFilesDL
"D:\Programme\Gemeinsame Dateien\Comodo\GeekBuddyRSP.exe" = D:\Programme\Gemeinsame Dateien\Comodo\GeekBuddyRSP.exe:127.0.0.1/255.255.255.255:Enabled:GeekBuddy RSP -- (Comodo Security Solutions, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0414F6AB-EAE7-44F8-8A32-5AD9629BC8EE}" = GeekBuddy
"{06AF0F82-E926-48A6-8C5F-ECB195DB2CB4}" = SIMATIC S7-PCT V2.3 Professional 2010 SR2
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{134A51EB-1BBB-4249-BAF5-494C3D186A06}" = PKZIP Server for Windows 12.40.0008
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = Dienstprogramm "ThinkPad UltraNav"
"{1CBF27F6-24A4-488D-940A-678F1C691C49}" = SIMATIC S7-PLCSIM V5.4 + SP5 + Upd2 Professional 2010 SR2
"{24E92E7A-6848-4747-A3EA-3AAC0576BE52}" = Lenovo Patch Utility
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 9
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{49D9EC38-D9F2-45EB-B0D2-BC0A16D10CF6}" = Intel® PROSet/Wireless WiFi-Software
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C552FD3-2CCD-4E00-AC64-0681DBB3F8B5}" = OpenOffice.org 3.4
"{4FF24C45-A4EE-4A99-B287-E3468EC41CBD}" = SIMATIC S7-GRAPH V5.3 + SP7 Professional 2010 SR2
"{5B1B0682-EEC6-4EDD-BAB0-3FEC2E55090D}" = SIMATIC S7-SCL V5.3 + SP6 Professional 2010 SR2
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B427E8E-F76D-4C8C-B155-7F24DF46DB67}" = SIMATIC STEP 7 V5.5 + SP2 Professional 2010 SR2
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{B4D73D48-D72C-483B-A128-B1601014064F}" = Brother HL-2030
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5DA59CF-2BB8-48D5-8E5B-17F2E0F0FEE4}" = System Requirements Lab for Intel
"{C93B1B46-1D00-4A31-9BBE-1AA0E620CD2F}" = Siemens Automation License Manager V5.1 + SP1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Bad Mojo" = Bad Mojo
"Comodo Dragon" = Comodo Dragon
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"FreeMat" = FreeMat
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"LENOVO.SMIIF" = Lenovo System Interface Driver
"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility
"MathExperte Analysis 2 Version 1.42 Revision 7" = MathExperte Analysis 2 Version 1.42 Revision 7
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 16.0.2 (x86 de)" = Mozilla Firefox 16.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"OnScreenDisplay" = Anzeige am Bildschirm
"Power Management Driver" = IBM ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel® Network Connections Drivers
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"VLC media player" = VLC media player 2.0.1
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WinAVR-20100110" = WinAVR 20100110 (remove only)
"WinRAR archiver" = WinRAR 4.11 (32-Bit)
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 31.10.2012 11:06:08 | Computer Name = DANOX-8B5606D54 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung AvrStudio.exe, Version 4.19.0.730, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
Error - 31.10.2012 11:11:16 | Computer Name = DANOX-8B5606D54 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung AVRStudio.exe, Version 4.19.0.730, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
Error - 31.10.2012 11:11:41 | Computer Name = DANOX-8B5606D54 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung AVRStudio.exe, Version 4.19.0.730, Stillstandmodul
hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
Error - 31.10.2012 18:01:38 | Computer Name = DANOX-8B5606D54 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung expressfiles.exe, Version 2.0.0.0, fehlgeschlagenes
Modul ntdll.dll, Version 5.1.2600.6055, Fehleradresse 0x0000100b.
Error - 01.11.2012 04:08:33 | Computer Name = DANOX-8B5606D54 | Source = ESENT | ID = 486
Description = wuauclt (2240) Versuch, Datei "D:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb003A3.log"
nach "D:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" zu verschieben, ist
mit Systemfehler 183 (0x000000b7): "Eine Datei kann nicht erstellt werden, wenn
sie bereits vorhanden ist. " fehlgeschlagen. Fehler -1022 (0xfffffc02) beim Verschieben
von Dateien.
Error - 01.11.2012 04:08:33 | Computer Name = DANOX-8B5606D54 | Source = ESENT | ID = 485
Description = wuauclt (2240) Versuch, Datei "D:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log"
zu löschen, ist mit Systemfehler 32 (0x00000020): "Der Prozess kann nicht auf die
Datei zugreifen, da sie von einem anderen Prozess verwendet wird. " fehlgeschlagen.
Fehler -1032 (0xfffffbf8) beim Löschen von Dateien.
Error - 05.11.2012 07:18:41 | Computer Name = DANOX-8B5606D54 | Source = MsiInstaller | ID = 1013
Description = Produkt: Microsoft .NET Framework 2.0 Service Pack 2 -- Microsoft
.NET Framework 2.0 Service Pack 2 cannot be uninstalled because it will affect other
applications that are installed. For more information, see http://go.microsoft..../?LinkId=91126.
Error - 05.11.2012 07:31:49 | Computer Name = DANOX-8B5606D54 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung avrstudio.exe, Version 4.19.0.730, fehlgeschlagenes
Modul avrstudio.exe, Version 4.19.0.730, Fehleradresse 0x00010486.
Error - 05.11.2012 07:31:56 | Computer Name = DANOX-8B5606D54 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung avrstudio.exe, Version 4.19.0.730, fehlgeschlagenes
Modul avrstudio.exe, Version 4.19.0.730, Fehleradresse 0x00010486.
Error - 05.11.2012 07:56:33 | Computer Name = DANOX-8B5606D54 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung avrstudio.exe, Version 4.19.0.730, fehlgeschlagenes
Modul avrstudio.exe, Version 4.19.0.730, Fehleradresse 0x00010486.
[ System Events ]
Error - 11.01.2013 12:26:18 | Computer Name = DANOX-8B5606D54 | Source = Windows Update Agent | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework
3.0 SP2 unter Windows Server 2003 und Windows XP x86 (KB2756918)
< End of report >