Full Version: Blocked Update-Ability
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Iza
First of all, I apologize for my English, as I am not a native speaker nor very firm in it.

I tried to follow the instructions and downloaded and unzipped SysRestorePoint, but I can't start it.
    SysRestorePoint.exe - .NET Framework Initialization Error

    To run this application, you first must install one of the following versions of the .NET Framework:
    v2.0.50727
    Contact your application publisher for instructions about obtaining the appropriate version of the .NET Framework.
But back to my problem: the automatic update doesn't function, the link from the Avira FAQ page to a manual download doesn't function, downloading on another PC functions, but importing that package from a USB stick ... right, it doesn't function *sigh*.

An automatically generated check of my HijackThis log file and removing three files made no difference. My AntiVir shows nothing and the (not updated) Anniversary scan finds nothing.

I just post my cry for help with the HijackThis log file and hope someone has a good idea or advice.

Iza
PS. Bear with me if you answer. I'm also not so far from a luser.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:36:58, on 05.04.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programme\Stardock\CursorFX\CursorFX.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Programme\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: kunst des krieges - sunzi.lnk = C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4159 bytes
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D112137-60E9-40AB-BFE0-FB5CD8615204}: NameServer = 85.255.113.109 85.255.112.138 was removed, with no result.
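The symptom in this post (AV updates and the vendor's download page silently failing while everything else "works") is what an O17 NameServer override produces: a rogue resolver answers every lookup, including the update hosts. The triage helper below is an added example for this thread, not code from the original post, from Lavasoft, or from the HijackThis or ComboFix tools. It reads HijackThis and ComboFix style lines and flags the indicators that matter for a blocked-update case: O17 resolvers that are not on an expected list, Security Center `*DisableNotify` kill-switches, an explicit Firefox proxy, services whose binary is missing, and MSConfig-disabled startup leftovers. The expected-resolver list (`192.168.178.1`, a typical home router) and the sample log lines are constructed for the example; real triage takes the resolvers from the DHCP lease or the ISP.

```python
"""Log triage for HijackThis / ComboFix excerpts.

Added example for the forum thread; not code from the original post,
from Lavasoft, or from the HijackThis / ComboFix tools. It scans log
lines for the indicators that explain a machine that can no longer reach
its antivirus update servers:

  * O17 NameServer overrides: a rogue DNS server answers every lookup,
    including the AV vendor's update hosts, so updates "just fail".
  * Security Center *DisableNotify values set to 1 (warnings muted).
  * Firefox network.proxy.type 1 (manual) or 2 (PAC URL): traffic is
    being steered through a proxy the user probably did not configure.
  * Services whose binary is missing, and MSConfig-disabled startup
    entries, which are leftovers worth reviewing.
"""
import re
from dataclasses import dataclass

# ASSUMPTION (hypothetical for this example): the resolvers this LAN is
# supposed to use, e.g. the home router. Real triage reads them from the
# DHCP lease or the ISP. Any other server in an O17 line is flagged.
EXPECTED_RESOLVERS = frozenset({"192.168.178.1"})

# Constructed sample lines in the shape HijackThis (O4/O17/O23) and
# ComboFix (REGEDIT4 value, FF prefs, MSConfigStartUp) emit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D112137-60E9-40AB-BFE0-FB5CD8615204}: NameServer = 85.255.113.109 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A1B2C3D-0000-0000-0000-000000000000}: NameServer = 192.168.178.1
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (file missing)
"UpdatesDisableNotify"=dword:00000001
FF - prefs.js: network.proxy.type - 2
MSConfigStartUp-winshost - c:\windows\system32\winshost.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # short machine-readable category
    detail: str    # what specifically was matched
    line: str      # the offending log line, verbatim


_O17_RE = re.compile(r"^O17 - .*?NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$")
_DISABLE_NOTIFY_RE = re.compile(r'^"(?P<name>\w+DisableNotify)"=dword:0*1$')
_FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<type>\d+)$")
_FILE_MISSING_RE = re.compile(r"^O2[0-3] - .*\(file missing\)$")
_MSCONFIG_RE = re.compile(r"^MSConfigStartUp-(?P<name>\S+) - (?P<path>.+)$")


def rogue_resolvers(server_field, expected=EXPECTED_RESOLVERS):
    """Split an O17 NameServer field (space- or comma-separated) and return
    the servers that are not on the expected list."""
    servers = [s for s in re.split(r"[,\s]+", server_field.strip()) if s]
    return [s for s in servers if s not in expected]


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return a Finding for every suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()  # forum posts often re-indent tool output
        if m := _O17_RE.match(line):
            rogue = rogue_resolvers(m["servers"], expected)
            if rogue:
                findings.append(Finding("rogue_dns", " ".join(rogue), line))
        elif m := _DISABLE_NOTIFY_RE.match(line):
            findings.append(Finding("security_center_muted", m["name"], line))
        elif m := _FF_PROXY_RE.match(line):
            if m["type"] in ("1", "2"):
                findings.append(Finding("browser_proxy", "network.proxy.type=" + m["type"], line))
        elif _FILE_MISSING_RE.match(line):
            findings.append(Finding("service_file_missing", line.split(" - ", 1)[1], line))
        elif m := _MSCONFIG_RE.match(line):
            findings.append(Finding("msconfig_disabled_startup", m["path"], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample, the first finding is the two 85.255.x.x resolvers from the O17 line, which is exactly the entry that should be checked against the router's or ISP's real DNS servers before anything else on the machine is touched; deleting the O17 line without also fixing the adapter's DNS settings (and checking for a scheduled task or service that re-applies them) is why a removal can show "no result".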
Rorschach112
post the logs normally

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Iza
It seems that it automatically generated the log in my native language (German), or perhaps at one point I clicked a little too fast on a too attractive option, I don't know. If necessary, I can try to download and install it a second time on an English-language basis.
    ComboFix 09-04-04.01 - 3107 2009-04-05 18:28:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.303 [GMT 2:00]
    Running from: c:\dokumente und einstellungen\3107\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated)
    AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated)
    AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated)
    * Created a new restore point
    .

    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc.dat
    c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc_nav.dat
    c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc_navps.dat
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\games.bmp
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\gamesA.bmp
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\screensaver.bmp
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\screensaverA.bmp
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\error.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\related.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\travel.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\Travel.xml.backup
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\ProductMessagingConfig.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\SimpleUpdateConfig.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\TimerManagerConfig.xml
    c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
    c:\windows\system32\NCTQuickTimeFile.dll
    c:\windows\system32\NCTRMFile.dll
    c:\windows\system32\NCTVideoCoreM.dll
    c:\windows\system32\nvs2.inf

    .
    ((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 ))))))))))))))))))))))))))))))
    .

    2009-04-05 02:35 . 2009-04-05 02:35 <DIR> d-------- c:\programme\Trend Micro
    2009-04-04 23:52 . 2009-03-09 21:06 15,688 --a------ c:\windows\system32\lsdelete.exe
    2009-04-04 22:34 . 2009-04-04 22:34 <DIR> d-------- c:\programme\Lavasoft
    2009-04-04 22:34 . 2009-04-04 22:34 <DIR> d--h-c--- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-04 22:34 . 2009-03-09 21:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
    2009-03-31 20:59 . 2009-03-31 20:59 <DIR> d-------- c:\programme\Avira
    2009-03-31 20:59 . 2009-03-31 20:59 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
    2009-03-31 20:59 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-04 21:45 --------- d-----w c:\programme\StarOffice7
    2009-04-04 20:34 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
    2009-03-30 20:04 --------- d-----w c:\dokumente und einstellungen\3107\Anwendungsdaten\FileZilla
    2009-03-26 22:12 --------- d-----w c:\programme\Java
    2009-03-17 20:05 --------- d-----w c:\programme\FileZilla FTP Client
    2009-03-15 02:35 --------- d-----w c:\programme\No23 Recorder
    2009-03-15 02:10 --------- d-----w c:\programme\MP3 WAV Converter
    2009-03-12 01:13 --------- d-----w c:\programme\Winamp
    2009-03-09 22:18 --------- d-----w c:\programme\Opera
    2009-03-09 04:19 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-05 01:48 --------- d-----w c:\programme\a-squared Free
    2009-03-01 02:50 --------- d-----w c:\programme\XviD
    2009-03-01 02:15 --------- d-----w c:\programme\Apex
    2009-03-01 01:56 3,082 ----a-w c:\windows\system32\affv11300p4now.sys
    2009-03-01 01:56 --------- d-----w c:\programme\SuperAudiotool
    2009-02-25 10:31 --------- d-----w c:\dokumente und einstellungen\3107\Anwendungsdaten\Crayon Physics Deluxe
    2009-02-25 10:30 --------- d-----w c:\programme\Crayon Physics Deluxe Demo
    2009-02-18 18:29 --------- d-----w c:\programme\OpenOffice.org 3
    2009-02-18 18:29 --------- d-----w c:\programme\JRE
    2009-02-12 23:32 --------- d-----w c:\programme\Apple Software Update
    2009-02-12 23:26 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
    2004-03-11 20:54 1,546,528 ----a-w c:\programme\WindowsXP-KB824146-x86-DEU.exe
    2004-03-10 16:11 3,980,800 ----a-w c:\programme\avwinsfx.exe
    .

    (((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CursorFX"="c:\programme\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
    "Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-01-05 413696]
    "SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "Ad-Watch"="c:\programme\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
    "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-05-02 49152]

    c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
    InterVideo WinCinema Manager.lnk - c:\programme\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-06-11 106496]
    kunst des krieges - sunzi.lnk - c:\programme\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-10-15 39792]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xvid"= xvid.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-04 64160]
    R0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys [2008-12-16 13312]
    R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2007-03-03 11776]
    R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [2009-03-31 108289]
    S1 MUsbFltr;WayTechUSBFilterDriver; [x]
    S1 UsbFltr;WayTechUSBFilterDriver; [x]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-12 c:\windows\Tasks\1-Click Maintenance.job
    - c:\programme\TuneUp Utilities 2006\SystemOptimizer.exe []

    2009-04-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:06]
    .
    - - - - Removed orphaned registry entries - - - -

    HKLM-Run-Adobe Photo Downloader - c:\programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    MSConfigStartUp-ICQ Lite - c:\programme\ICQLite\ICQLite.exe
    MSConfigStartUp-winshost - c:\windows\system32\winshost.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\dokumente und einstellungen\3107\Anwendungsdaten\Mozilla\Firefox\Profiles\neg7kq02.default\
    FF - prefs.js: browser.startup.homepage - file://localhost/C:/Dokumente%20und%20Einstellungen/3107/Eigene%20Dateien/Eigene%20Bilder/liebe.jpg
    FF - prefs.js: network.proxy.type - 2
    FF - plugin: c:\programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-05 18:29:22
    Windows 5.1.2600 Service Pack 2 NTFS

    Scanning hidden processes...

    Scanning hidden autostart entries...

    Scanning hidden files...

    Scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- Locked Registry Keys ---------------------

    [HKEY_USERS\S-1-5-21-1210029596-2658258179-1808879113-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs loaded by running processes ---------------------

    - - - - - - - > 'winlogon.exe'(1016)
    c:\windows\system32\MPRAPI.dll
    .
    Completion time: 2009-04-05 18:31:18
    ComboFix-quarantined-files.txt 2009-04-05 16:30:47

    Pre-Run: 22 directories, 45,616,099,328 bytes free
    Post-Run: 21 directories, 47,122,649,088 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    160 --- E O F --- 2008-10-18 20:09:55
Thanks for your advice up to this point. Iza

Rorschach112
please post the log normally
Iza
Sorry, I don't understand what you mean. I didn't change any letter, line break or so on. I only used another font style and the list formatting function to mark what is my text and what was the log. Did you mean that, or what exactly did I do wrong now?

If that is what you meant, here is the log file in standard font. But as above, I changed nothing in it:


ComboFix 09-04-04.01 - 3107 2009-04-05 18:28:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.303 [GMT 2:00]
Running from: c:\dokumente und einstellungen\3107\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated)
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc.dat
c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc_nav.dat
c:\dokumente und einstellungen\3107\Lokale Einstellungen\Anwendungsdaten\iuwuocc_navps.dat
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\games.bmp
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\gamesA.bmp
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\screensaver.bmp
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\buttons\screensaverA.bmp
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\error.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\related.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\travel.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\contexts\Travel.xml.backup
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\ProductMessagingConfig.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\SimpleUpdateConfig.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\TimerManagerConfig.xml
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
c:\windows\system32\NCTQuickTimeFile.dll
c:\windows\system32\NCTRMFile.dll
c:\windows\system32\NCTVideoCoreM.dll
c:\windows\system32\nvs2.inf

.
((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 ))))))))))))))))))))))))))))))
.

2009-04-05 02:35 . 2009-04-05 02:35 <DIR> d-------- c:\programme\Trend Micro
2009-04-04 23:52 . 2009-03-09 21:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-04-04 22:34 . 2009-04-04 22:34 <DIR> d-------- c:\programme\Lavasoft
2009-04-04 22:34 . 2009-04-04 22:34 <DIR> d--h-c--- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 22:34 . 2009-03-09 21:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-31 20:59 . 2009-03-31 20:59 <DIR> d-------- c:\programme\Avira
2009-03-31 20:59 . 2009-03-31 20:59 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-03-31 20:59 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 21:45 --------- d-----w c:\programme\StarOffice7
2009-04-04 20:34 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2009-03-30 20:04 --------- d-----w c:\dokumente und einstellungen\3107\Anwendungsdaten\FileZilla
2009-03-26 22:12 --------- d-----w c:\programme\Java
2009-03-17 20:05 --------- d-----w c:\programme\FileZilla FTP Client
2009-03-15 02:35 --------- d-----w c:\programme\No23 Recorder
2009-03-15 02:10 --------- d-----w c:\programme\MP3 WAV Converter
2009-03-12 01:13 --------- d-----w c:\programme\Winamp
2009-03-09 22:18 --------- d-----w c:\programme\Opera
2009-03-09 04:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 01:48 --------- d-----w c:\programme\a-squared Free
2009-03-01 02:50 --------- d-----w c:\programme\XviD
2009-03-01 02:15 --------- d-----w c:\programme\Apex
2009-03-01 01:56 3,082 ----a-w c:\windows\system32\affv11300p4now.sys
2009-03-01 01:56 --------- d-----w c:\programme\SuperAudiotool
2009-02-25 10:31 --------- d-----w c:\dokumente und einstellungen\3107\Anwendungsdaten\Crayon Physics Deluxe
2009-02-25 10:30 --------- d-----w c:\programme\Crayon Physics Deluxe Demo
2009-02-18 18:29 --------- d-----w c:\programme\OpenOffice.org 3
2009-02-18 18:29 --------- d-----w c:\programme\JRE
2009-02-12 23:32 --------- d-----w c:\programme\Apple Software Update
2009-02-12 23:26 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
2004-03-11 20:54 1,546,528 ----a-w c:\programme\WindowsXP-KB824146-x86-DEU.exe
2004-03-10 16:11 3,980,800 ----a-w c:\programme\avwinsfx.exe
.

(((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorFX"="c:\programme\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="c:\programme\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-05-02 49152]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
InterVideo WinCinema Manager.lnk - c:\programme\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-06-11 106496]
kunst des krieges - sunzi.lnk - c:\programme\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-04 64160]
R0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys [2008-12-16 13312]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2007-03-03 11776]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [2009-03-31 108289]
S1 MUsbFltr;WayTechUSBFilterDriver; [x]
S1 UsbFltr;WayTechUSBFilterDriver; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\programme\TuneUp Utilities 2006\SystemOptimizer.exe []

2009-04-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:06]
.
- - - - Removed orphaned registry entries - - - -

HKLM-Run-Adobe Photo Downloader - c:\programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-ICQ Lite - c:\programme\ICQLite\ICQLite.exe
MSConfigStartUp-winshost - c:\windows\system32\winshost.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\dokumente und einstellungen\3107\Anwendungsdaten\Mozilla\Firefox\Profiles\neg7kq02.default\
FF - prefs.js: browser.startup.homepage - file://localhost/C:/Dokumente%20und%20Einstellungen/3107/Eigene%20Dateien/Eigene%20Bilder/liebe.jpg
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 18:29:22
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_USERS\S-1-5-21-1210029596-2658258179-1808879113-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\MPRAPI.dll
.
Completion time: 2009-04-05 18:31:18
ComboFix-quarantined-files.txt 2009-04-05 16:30:47

Pre-Run: 22 directories, 45,616,099,328 bytes free
Post-Run: 21 directories, 47,122,649,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

160 --- E O F --- 2008-10-18 20:09:55
Rorschach112
That's what I meant, don't mess with the font.

Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)



Iza
Hopefully right now ...?

Search Navipromo version 3.7.6 began on 05.04.2009 at 23:51:49,45

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Programme\navilog1

Updated on 14.03.2009 at 18h00 by IL-MAFIOSO

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.06GHz )
BIOS : Version 1.00
USER : 3107 ( Administrator )
BOOT : Normal boot

Antivirus : AntiVir PersonalEdition Classic Virenschutz 0.0.0.0 (Activated)


C:\ (Local Disk) - NTFS - Total:149 Go (Free:43 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (USB)
H:\ (USB)
I:\ (USB)
J:\ (USB)


Search done in normal mode


*** Search folders in "C:\WINDOWS" ***


*** Search folders in "C:\Programme" ***


*** Search folders in "C:\Dokumente und Einstellungen\All Users\startm~1\progra~1" ***


*** Search folders in "C:\Dokumente und Einstellungen\All Users\startm~1" ***


*** Search folders in "c:\dokume~1\alluse~1\anwend~1" ***


*** Search folders in "C:\Dokumente und Einstellungen\3107\anwend~1" ***


*** Search folders in "C:\DOKUME~1\ADMINI~1\anwend~1" ***


*** Search folders in "C:\DOKUME~1\Gast\anwend~1" ***


*** Search folders in "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" ***


*** Search folders in "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" ***


*** Search folders in "C:\DOKUME~1\Gast\lokale~1\anwend~1" ***


*** Search folders in "C:\Dokumente und Einstellungen\3107\startm~1\progra~1" ***


*** Search folders in "C:\DOKUME~1\ADMINI~1\startm~1\progra~1" ***


*** Search folders in "C:\DOKUME~1\Gast\startm~1\progra~1" ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in "C:\WINDOWS\system32" *

* Scan in "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" *

* Scan in "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" *

* Scan in "C:\DOKUME~1\Gast\lokale~1\anwend~1" *



*** Search files ***



*** Search specific Registry keys ***
!! Following keys are not certainly all infected !!


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In "C:\WINDOWS\system32" :


* In "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" :


* In "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" :


* In "C:\DOKUME~1\Gast\lokale~1\anwend~1" :


3)Certificates Search :

Egroup certificate not found !
Electronic-Group certificate found !
Montorgueil certificate not found !
OOO-Favorit certificate found !
Sunny-Day-Design-Ltd certificate not found !

4)Search others known folders and files :



*** Search completed on 06.04.2009 at 0:01:32,37 ***
Rorschach112
hello

* Double-click on the Navilog1 shortcut icon from your Desktop to run it.
* Press E for English from the language Menu.
* Type 2 in the next Menu and press Enter.
* The tool will then advise you that it will restart your computer.
* Close all open windows and save personal documents, if any are open.
* If your computer doesn't restart automatically, restart it manually.
* Choose your usual session.
* Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
* A new document will be produced.
* Please copy/paste the contents of this report in your next reply.
* Your Desktop will now appear.

Note : In the event you lose your Desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt (usually C:\cleannavi.txt).



Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum in the Comments Or Further Info: box
  • Copy and paste the link to this thread in the Topic Where File Was Requested: box
  • Browse for this filename:
    C:\Qoobox\Quarantine\c\windows\system32\NCTQuickTimeFile.dll.vir
    C:\Qoobox\Quarantine\c\windows\system32\NCTRMFile.dll.vir
    C:\Qoobox\Quarantine\c\windows\system32\NCTVideoCoreM.dll.vir
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Iza
The three files were successfully submitted, like you wanted; the log follows below and I go to sleep for now.

Navipromo Removal version 3.7.6 started on 06.04.2009 at 1:47:16,56

Fix running from C:\Programme\navilog1

Updated on 14.03.2009 at 18h00 by IL-MAFIOSO

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.06GHz )
BIOS : Version 1.00
USER : 3107 ( Administrator )
BOOT : Normal boot

Antivirus : AntiVir PersonalEdition Classic Virenschutz 0.0.0.0 (Activated)


C:\ (Local Disk) - NTFS - Total:149 Go (Free:43 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (USB)
H:\ (USB)
I:\ (USB)
J:\ (USB)


Automatic removal
with Catchme and GNS results


Cleanning stage done on Reboot


*** fsbl1.txt not found ***
(Check that Catchme found nothing in Search Mode)


*** Deleting with Backups GenericNaviSearch results ***

* Deletion in "C:\WINDOWS\System32" *


* Deletion in "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" *


* Deletion in "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" *

* Deletion in "C:\DOKUME~1\Gast\lokale~1\anwend~1" *


*** Deleting folders in "C:\WINDOWS" ***


*** Deleting folders in "C:\Programme" ***


*** Deleting folders in "C:\Dokumente und Einstellungen\All Users\startm~1\progra~1" ***


*** Deleting folders in "C:\Dokumente und Einstellungen\All Users\startm~1" ***


*** Deleting folders in "c:\dokume~1\alluse~1\anwend~1" ***


*** Deleting folders in "C:\Dokumente und Einstellungen\3107\anwend~1" ***


*** Deleting folders in "C:\DOKUME~1\ADMINI~1\anwend~1" ***


*** Deleting folders in "C:\DOKUME~1\Gast\anwend~1" ***


*** Deleting folders in "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" ***


*** Deleting folders in "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" ***


*** Deleting folders in "C:\DOKUME~1\Gast\lokale~1\anwend~1" ***


*** Deleting folders in "C:\Dokumente und Einstellungen\3107\startm~1\progra~1" ***


*** Deleting folders in "C:\DOKUME~1\ADMINI~1\startm~1\progra~1" ***


*** Deleting folders in "C:\DOKUME~1\Gast\startm~1\progra~1" ***



*** Deleting files ***


*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Dokumente und Einstellungen\3107\lokale~1\Temp done !

*** Complementary Search ***
(Search specific files)

1)Deletion with backups new Instant Access files:

2)Heuristic search and deletion with backups :


* In "C:\WINDOWS\system32" *


* In "C:\Dokumente und Einstellungen\3107\lokale~1\anwend~1" *


* In "C:\DOKUME~1\ADMINI~1\lokale~1\anwend~1" *


* In "C:\DOKUME~1\Gast\lokale~1\anwend~1" *


*** Copy Registry to Safebackup folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate not found !
Electronic-Group Certificate deleted !
Montorgueil Certificate not found !
OOO-Favorit Certificate deleted !
Sunny-Day-Design-Ltd Certificate not found !

*** Search others known folders and files ***



*** Cleaning stage complete on 06.04.2009 at 1:51:42,09 ***


Rorschach112
thanks

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Iza
Right so?

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/06 19:23
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDB22000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A93000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC99A000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\AVWSC.EXE-24612965.pf
Status: Size mismatch (API: 33804, Raw: 35668)

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\3Fragezeichen
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Beispielmusik.lnk
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Das leere Haus - ein SherlockHolmesKriminalroman von Sir Art.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\desktop.ini
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Die Begegnung mit der Mörder-Mumie.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 12-09-06
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Library.itl
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music Library.xml
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Previous iTunes Libraries
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\sentinel
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-051 - Titel 1.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-052 - Titel 2.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-053 - Titel 3.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-054 - Titel 4.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-055 - Titel 5.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-056 - Titel 6.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-057 - Titel 7.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-058 - Titel 8.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-059 - Titel 9.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\10 - Titel 10.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\11 - Titel 11.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\12 - Titel 12.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\13 - Titel 13.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\14 - Titel 14.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\15 - Titel 15.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\16 - Titel 16.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\17 - Titel 17.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\18 - Titel 18.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\19 - Titel 19.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\20 - Titel 20.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\21 - Titel 21.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\22 - Titel 22.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\23 - Titel 23.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 07-12-05\24 - Titel 24.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 12-09-061 - Track 1.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 12-09-062 - Track 2.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-051 - Titel 1.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-052 - Titel 2.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-053 - Titel 3.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-054 - Titel 4.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-055 - Titel 5.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-056 - Titel 6.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-057 - Titel 7.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-058 - Titel 8.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-059 - Titel 9.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\10 - Titel 10.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\11 - Titel 11.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\12 - Titel 12.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\13 - Titel 13.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\14 - Titel 14.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\15 - Titel 15.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05\16 - Titel 16.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)1 - Titel 1.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)2 - Titel 2.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)3 - Titel 3.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)4 - Titel 4.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)5 - Titel 5.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)6 - Titel 6.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)7 - Titel 7.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)8 - Titel 8.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)9 - Titel 9.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\10 - Titel 10.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\11 - Titel 11.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\12 - Titel 12.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\13 - Titel 13.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\14 - Titel 14.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\15 - Titel 15.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\16 - Titel 16.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\Ohne Titel - 21-11-05 (1)\17 - Titel 17.mp3
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\David Byrne
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Ludwig van Beethoven, composer. Seattle
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Marc Seales, composer. New Stories. Erni
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Previous iTunes Libraries\iTunes Library 2008-02-29.itl
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Previous iTunes Libraries\iTunes Library 2008-09-05.itl
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Previous iTunes Libraries\iTunes Library 2009-01-21.itl
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\David Byrne\Look Into The Eyeball
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Ludwig van Beethoven, composer. Seattle\Unbekanntes Album
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Marc Seales, composer. New Stories. Erni\Speakin' Out
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF52
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF55
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\12
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\15
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\David Byrne\Look Into The Eyeball1 Like Humans Do (radio edit).m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Ludwig van Beethoven, composer. Seattle\Unbekanntes Album1 Symphony No. 9 (Scherzo).m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Marc Seales, composer. New Stories. Erni\Speakin' Out1 _Highway Blues_.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album1 Titel 01.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album2 Titel 02.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album3 Titel 03.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album4 Titel 04.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album5 Titel 05.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album6 06 Titel 6.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album6 06 Titel 6_Fallin' Rain 1.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\iTunes Music\Unbekannter Interpret\Unbekanntes Album6 06 Titel 6_Fallin' Rain.m4a
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF52\14
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF55\13
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\127
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\12\13
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\15\13
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF52\147
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF55\137
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\127\12
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\12\137
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\3107\Eigene Dateien\akustisches ..\iTunes\Album Artwork\Local\F6DF9DC8288BFFF5\15\137
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c65eee

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c65ee4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c65ef3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c65efd

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c65f02

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c65ed0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8c65ed5

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c65f0c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8c65f07

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8c65ef8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c65edf

Stealth Objects
-------------------
Object: Hidden Code [Driver: , IRP_MJ_CREATE]
Process: System Address: 0xe198c880 Size: -

Object: Hidden Code [Driver: , IRP_MJ_CLOSE]
Process: System Address: 0xe198c880 Size: -

Object: Hidden Code [Driver: , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe198c880 Size: -

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe149e1c8 Size: -

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe149e1c8 Size: -

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe149e1c8 Size: -

That was all. I mean - it's complete.
Rorschach112
hello

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Iza
Hello

Err
It didn't work!

ATF <-- done

MBAM <-- Download okay, but the update failed. For the second try I disabled the firewall for roundabout 5 seconds, with the same result: Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet.
Thereafter I let it run without any update, for I had no other chance. Result below:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

06.04.2009 22:20:26
mbam-log-2009-04-06 (22-20-26).txt

Scan type: Quick Scan
Objects scanned: 72053
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1d112137-60e9-40ab-bfe0-fb5cd8615204}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109 85.255.112.138 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1d112137-60e9-40ab-bfe0-fb5cd8615204}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109 85.255.112.138 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\'.ico (Malware.Trace) -> Quarantined and deleted successfully.

Thereafter I visited the Kaspersky website. The update failed twice, so I can't run that program.

<www.kaspersky.com>

Update has failed. Program has failed to start. Close the Kaspersky
Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7
database. With the latest database updates. you can find new
viruses and other threats. Please go online to use Kaspersky Online
Scanner 7. (ERROR: Failed to connect to update source)

The second time similar but ending with (Error: Updater logic error related to download process)
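The MBAM log above shows where Trojan.DNSChanger had persisted: a static NameServer value under each interface's Tcpip key, pointing at resolvers the machine was never meant to use. The following added example (not from this thread, from Malwarebytes or from any tool in it) reads those values and flags any resolver that is not on an allowlist; the allowlist, the two extra interface GUIDs and the main() helper are constructed assumptions.

```python
"""Check Windows per-interface DNS resolver settings for hijacking.

Reads the NameServer values under the Tcpip Interfaces registry key (the
location quoted in the MBAM log above) and reports every resolver that is
not on an administrator-supplied allowlist.  Added example, not from the
forum thread or any tool discussed in it.
"""
import ipaddress
import sys

# Registry path (HKLM hive) that appears in the MBAM log above.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Constructed allowlist: the resolvers this network is supposed to use.
# Replace with the addresses from your ISP or your internal DNS servers.
ALLOWED_RESOLVERS = {"192.168.1.1"}

# Constructed sample input: the first interface carries the NameServer data
# quoted in the MBAM log above; the other two GUIDs are made-up clean ones.
SAMPLE_INTERFACES = {
    "{1d112137-60e9-40ab-bfe0-fb5cd8615204}": "85.255.113.109 85.255.112.138",
    "{00000000-0000-4000-8000-000000000001}": "192.168.1.1",
    "{00000000-0000-4000-8000-000000000002}": "",  # DHCP-assigned, no static entry
}


def parse_nameserver(value):
    """Split a REG_SZ NameServer value; Windows accepts space or comma separators."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def classify_resolvers(value, allowed):
    """Sort the resolvers in one NameServer value into allowed / unexpected / invalid."""
    result = {"allowed": [], "unexpected": [], "invalid": []}
    for addr in parse_nameserver(value):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append(addr)  # not an IP address at all
            continue
        bucket = "allowed" if addr in allowed else "unexpected"
        result[bucket].append(addr)
    return result


def find_hijacked_interfaces(interfaces, allowed):
    """Return {interface GUID: [suspicious resolvers]} for every interface whose
    static NameServer lists an address outside the allowlist (or garbage)."""
    findings = {}
    for guid, value in interfaces.items():
        verdict = classify_resolvers(value, allowed)
        bad = verdict["unexpected"] + verdict["invalid"]
        if bad:
            findings[guid] = bad
    return findings


def read_interfaces_from_registry():
    """Collect NameServer values from the live registry (Windows only).

    A static NameServer overrides DhcpNameServer, so a populated value on an
    interface that should be DHCP-configured is itself worth a second look."""
    import winreg  # standard library, only present on Windows
    interfaces = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "NameServer")
                except FileNotFoundError:
                    value = ""
            interfaces[guid] = value
    return interfaces


def main():
    # Hypothetical entry point: live registry on Windows, the constructed
    # sample elsewhere so the check can be exercised offline.
    if sys.platform == "win32":
        interfaces = read_interfaces_from_registry()
    else:
        print("Not on Windows; checking the constructed sample instead.")
        interfaces = SAMPLE_INTERFACES
    findings = find_hijacked_interfaces(interfaces, ALLOWED_RESOLVERS)
    if not findings:
        print("No unexpected static resolvers found.")
    for guid, bad in findings.items():
        print(f"{guid}: unexpected resolver(s) {', '.join(bad)}")


if __name__ == "__main__":
    main()
```

A clean result here does not cover a hijacked router: as the next reply points out, the same rogue resolvers can be pushed to every client by DHCP, so the router's own DNS settings need the same comparison.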
Rorschach112
hello

It sounds like a case of Zlob/DNSchanger that changes the router's DNS settings. Please download Malwarebytes' Anti-Malware from Here or Here

Next disconnect your system from the internet, and your router, then…

Double Click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.

===============================================

Please post the Malwarebytes log and let me know how things are running now :thumbsup:



Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      • System Memory
      • Startup Objects
      • Disk Boot Sectors
      • My Computer
      • Also any other drives (removable) that you may have

  • Then click on Scan at the top right hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left unneutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file, naming it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.
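The Malwarebytes log above shows the hijack as per-interface NameServer values pointing at 85.255.112.x / 85.255.113.x. The following PowerShell check is an added example, not part of this thread or of any tool mentioned in it: it enumerates the same registry location on a Windows machine and flags DNS servers in that block, including DhcpNameServer entries, which is where a hijacked router's DNS settings surface on the client. The $BadRanges list is an assumption built only from the addresses in the log; extend it as needed.

```powershell
# Added example, not from the thread: list per-interface DNS servers from the registry
# and flag any inside the 85.255.112.0/23 block seen in the Malwarebytes log above.
# Assumptions: run elevated on the affected machine; $BadRanges is illustrative only.
$BadRanges = @(
    @{ Network = '85.255.112.0'; PrefixLength = 23 }   # covers 85.255.112.x and 85.255.113.x
)
function ConvertTo-IPv4Int {
    param([string]$Address)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed)) { return $null }
    $b = $parsed.GetAddressBytes()
    if ($b.Length -ne 4) { return $null }                 # IPv4 only; skip IPv6 or hostnames
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}
function Test-IPInRange {
    param([string]$Address, [string]$Network, [int]$PrefixLength)
    $ip  = ConvertTo-IPv4Int $Address
    $net = ConvertTo-IPv4Int $Network
    if ($null -eq $ip -or $null -eq $net) { return $false }
    $hostBits = 32 - $PrefixLength
    return (($ip -shr $hostBits) -eq ($net -shr $hostBits))   # compare network prefixes
}
function Get-SuspiciousNameServers {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $iface.PSPath
        # NameServer = statically configured; DhcpNameServer = what the router handed out,
        # so a hijacked router still shows up here after the local registry was cleaned.
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$valueName
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                foreach ($range in $BadRanges) {
                    if (Test-IPInRange $server $range.Network $range.PrefixLength) {
                        [pscustomobject]@{
                            Interface = $iface.PSChildName
                            Value     = $valueName
                            Server    = $server
                            Range     = "$($range.Network)/$($range.PrefixLength)"
                        }
                    }
                }
            }
        }
    }
}
Get-SuspiciousNameServers | Format-Table -AutoSize
```

An empty table after cleanup and a router reset is the expected result; a hit on DhcpNameServer after the local keys were removed points back at the router, which is why the reply above insists on resetting it and confirming the DNS servers with the ISP.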
Rorschach112
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !