Computer Hope

Software => Computer viruses and spyware => Topic started by: tilman_berlin on August 13, 2012, 04:04:54 PM

Title: ZeuS
Post by: tilman_berlin on August 13, 2012, 04:04:54 PM

Hi!

I received an email from my email provider (web.de, Germany) that said my password had been spied out by a virus called "Zeus". My computer is probably infected with this virus, they say. I'm a bit nervous now, because I use this computer for all my banking and professional correspondence. I already changed all my passwords using a second computer.

I ran Microsoft Security Essentials and nothing was found.
I'm running Windows 7 Professional Service Pack 1.
I followed all the steps in the "read this first..." thread. I pasted the logs below.

Thank you very much for your help!

Tilman
(Berlin, Germany)

UPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/13/2012 at 07:02 PM

Application Version : 5.5.1012

Core Rules Database Version : 9044
Trace Rules Database Version: 6856

Scan type : Complete Scan
Total Scan Time : 01:44:50

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 592
Memory threats detected : 0
Registry items scanned : 65251
Registry threats detected : 0
File items scanned : 219600
File threats detected : 0

MBAM:
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.13.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-THINK [administrator]

Protection: Enabled

13.08.2012 19:23:05
mbam-log-2012-08-13 (19-23-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200726
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by user at 23:45:46 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.16339.12341 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Lenovo\Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver\AccessL.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe
C:\Users\user\AppData\Roaming\Ruxi\imihu.exe
C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)\audacity.exe
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\agcp.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\notepad.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
uStart Page = hxxp://www.google.de/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Symantec VIP Access Add-On: {c63cd127-a1cb-4d49-a4f7-d6f88a917be6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [<NO NAME>]
uRun: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe -tray
uRun: [AdobeBridge]
uRun: [imihu.exe] C:\Users\user\AppData\Roaming\Ruxi\imihu.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: An vorhandenes PDF anfügen - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in Adobe PDF konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} - file:///E:/launch.ocx
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{D37FCF5A-F204-42F3-9313-2550FA5E0AF5} : DhcpNameServer = 192.168.178.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{326E768D-4182-46FD-9C16-1449A49795F4}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{AE7CD045-E861-484f-8273-0445EE161910}
{C63CD127-A1CB-4D49-A4F7-D6F88A917BE6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F4971EE7-DAA0-4053-9964-665D8EE6A077}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [(Standard)]
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\strrh2wf.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-12 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-9-30 13336]
R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-24 212944]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-13 655944]
R2 NVWMI;NVIDIA WMI Provider;C:\Windows\system32\nvwmi64.exe --> C:\Windows\system32\nvwmi64.exe [?]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-9-30 2656280]
R2 VIPAppService;VIPAppService;C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2012-2-13 84080]
R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\Windows\system32\Drivers\tascusb2.sys --> C:\Windows\system32\Drivers\tascusb2.sys [?]
R3 TASCAM_US144_MK2_MIDI;TASCAM US-144 mk2 WDM MIDI Device;C:\Windows\system32\drivers\tscusb2m.sys --> C:\Windows\system32\drivers\tscusb2m.sys [?]
R3 TASCAM_US144_MK2_WDM;TASCAM US-144 mk2 WDM;C:\Windows\system32\drivers\tscusb2a.sys --> C:\Windows\system32\drivers\tscusb2a.sys [?]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys --> C:\Windows\system32\DRIVERS\Tvti2c.sys [?]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-19 138576]
S2 gupdate;Google Update-Dienst (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-30 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-5-6 1038088]
S3 gupdatem;Google Update-Dienst (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-30 136176]
S3 IntcDAud;Intel(R) Display-Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-26 113120]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft-Netzwerkinspektion;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-08-13 17:34:27   --------   d-----w-   C:\Program Files (x86)\Oracle
2012-08-13 17:34:09   772544   ----a-w-   C:\Windows\SysWow64\npDeployJava1.dll
2012-08-13 17:05:59   --------   d-----w-   C:\Users\user\AppData\Roaming\Malwarebytes
2012-08-13 17:05:25   --------   d-----w-   C:\ProgramData\Malwarebytes
2012-08-13 17:05:24   24904   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2012-08-13 17:05:24   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-13 15:14:53   --------   d-----w-   C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com
2012-08-13 15:14:31   --------   d-----w-   C:\ProgramData\SUPERAntiSpyware.com
2012-08-13 15:14:31   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
2012-08-13 15:05:53   --------   d-----w-   C:\Program Files\CCleaner
2012-08-13 11:39:04   69000   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A9A64820-5E20-44BA-A681-F3DE0C808C39}\offreg.dll
2012-08-13 11:38:20   9133488   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A9A64820-5E20-44BA-A681-F3DE0C808C39}\mpengine.dll
2012-08-12 15:06:07   9133488   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-28 14:46:57   --------   d-----w-   C:\Users\user\AppData\Roaming\Ruxi
2012-07-28 14:46:57   --------   d-----w-   C:\Users\user\AppData\Roaming\Fevia
2012-07-17 00:03:58   3148800   ----a-w-   C:\Windows\System32\win32k.sys
2012-07-17 00:03:03   294912   ----a-w-   C:\Windows\System32\browserchoice.exe
2012-07-16 18:17:11   927800   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B716B79-DB4D-4C3A-B538-B5517B336687}\gapaengine.dll
.
==================== Find3M ====================
.
2012-08-02 21:51:20   70344   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-02 21:51:20   426184   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-05 20:06:20   687544   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
2012-06-06 06:06:16   2004480   ----a-w-   C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16   1881600   ----a-w-   C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54   1133568   ----a-w-   C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52   1390080   ----a-w-   C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52   1236992   ----a-w-   C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06   805376   ----a-w-   C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31   2622464   ----a-w-   C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08   99840   ----a-w-   C:\Windows\System32\wudriver.dll
2012-06-02 13:19:42   186752   ----a-w-   C:\Windows\System32\wuwebv.dll
2012-06-02 13:15:12   36864   ----a-w-   C:\Windows\System32\wuapp.exe
2012-06-02 12:12:17   2311680   ----a-w-   C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28   1392128   ----a-w-   C:\Windows\System32\wininet.dll
2012-06-02 12:04:50   1494528   ----a-w-   C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40   173056   ----a-w-   C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25   1800192   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08   1129472   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03   1427968   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33   142848   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10   458704   ----a-w-   C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16   95600   ----a-w-   C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16   151920   ----a-w-   C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31   340992   ----a-w-   C:\Windows\System32\schannel.dll
2012-06-02 05:44:21   307200   ----a-w-   C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42   22016   ----a-w-   C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39   225280   ----a-w-   C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10   219136   ----a-w-   C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09   96768   ----a-w-   C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 23:46:03,35 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15.11.2011 10:15:22
System Uptime: 13.08.2012 07:22:38 (16 hours ago)
.
Motherboard: LENOVO | |
Processor: Intel(R) Xeon(R) CPU E31245 @ 3.30GHz | CPU 1 | 1584/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1364 GiB total, 983,652 GiB free.
E: is CDROM ()
Q: is FIXED (NTFS) - 29 GiB total, 21,26 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP95: 24.07.2012 11:07:51 - Windows Update
RP96: 28.07.2012 10:18:48 - Windows Update
RP97: 31.07.2012 15:55:25 - Windows Update
RP98: 04.08.2012 17:30:08 - Windows Update
RP99: 11.08.2012 16:11:44 - Windows Update
RP100: 13.08.2012 19:33:27 - Installed Java(TM) 7 Update 5
RP101: 13.08.2012 19:34:14 - JavaFX 2.1.1 wird installiert
.
==== Installed Programs ======================
.
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.5.1 - CPSID_83708
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Design Standard
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader X (10.1.3) - Deutsch
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Amazon MP3-Downloader 1.0.15
Audacity 1.3.14 (Unicode)
Burn.Now 4.5
CamStudio OSS Desktop Recorder
CDBurnerXP
Connect
Corel Burn.Now Lenovo Edition
Corel DVD MovieFactory 7
Corel DVD MovieFactory Lenovo Edition
Corel WinDVD
Create Recovery Media
D3DX10
Direct DiscRecorder
DivX-Setup
Dropbox
DVDStyler v2.1
eLicenser Control
ElsterFormular
Google Chrome
Google Update Helper
Intel(R) Control Center
Intel(R) Identity Protection Technology 1.1.2.0
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 7 Update 5
JavaFX 2.1.1
Junk Mail filter update
kuler
LAME v3.98.3 for Audacity
Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver
Lenovo Registration
Lenovo User Guide
Lenovo Welcome
Malwarebytes Anti-Malware version 1.62.0.1300
Mesh Runtime
Message Center Plus
Microsoft Office 2010
Microsoft Office Klick-und-Los 2010
Microsoft Office Starter 2010 - Deutsch
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC100_CRT_SP1_x86
Mozilla Firefox 14.0.1 (x86 de)
Mozilla Maintenance Service
MSVC80_x86_v2
MSVC90_x86
MSVCRT
MSVCRT Redists
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia Suite
OpenOffice.org 3.4
PC Connectivity Solution
PDF Settings CS4
Photoshop Camera Raw
PocoMail 4.8 (Build 4400)
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Renesas Electronics USB 3.0 Host Controller Driver
Samsung Easy Printer Manager
Samsung ML-331x Series
Samsung Printer Live Update
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Skype™ 5.6
Steinberg Cubase LE 5
Steinberg HALionOne
Steinberg HALionOne Essential Set
Suite Shared Configuration CS4
System Requirements Lab for Intel
System Update
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VC80CRTRedist - 8.0.50727.6195
Vegas Pro 11.0
VIP Access
VLC media player 2.0.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX control for remote connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== End Of File ===========================

Title: Re: ZeuS
Post by: SuperDave on August 13, 2012, 04:51:28 PM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
If you didn't click on any links in the email you're probably not infected. This is a common ruse they use. They tell you that your computer is compromised and to click on a link in the email to get help. Bingo! You're infected as soon as you click on the link.

Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.

Close any open windows and double click ComboFix.exe to run it.

You will see the following image:

(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Title: Re: ZeuS
Post by: tilman_berlin on August 14, 2012, 08:43:16 AM

Hi Dave,

thank you for your help and advice.
I re-enabled Microsoft Security Essentials after Combofix was done. I hope this was alright.
Sorry for the German parts in the log. ComboFix did not give me an opportunity to select the language.

This is the ComboFix log:

ComboFix 12-08-13.01 - user 14.08.2012 16:25:15.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.16339.13810 [GMT 2:00]
ausgeführt von:: c:\users\user\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\user\AppData\Local\TempDIR
c:\users\user\AppData\Local\TempDIR\BetterInstaller.exe
c:\users\user\AppData\Roaming\Ruxi
c:\users\user\AppData\Roaming\Ruxi\imihu.exe
Q:\Autorun.inf
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-07-14 bis 2012-08-14 ))))))))))))))))))))))))))))))
.
.
2012-08-13 17:36 . 2012-08-13 17:36   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-08-13 17:34 . 2012-08-13 17:34   --------   d-----w-   c:\program files (x86)\Oracle
2012-08-13 17:34 . 2012-07-05 20:06   772544   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-08-13 17:05 . 2012-08-13 17:05   --------   d-----w-   c:\users\user\AppData\Roaming\Malwarebytes
2012-08-13 17:05 . 2012-08-13 17:05   --------   d-----w-   c:\programdata\Malwarebytes
2012-08-13 17:05 . 2012-08-13 17:05   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-13 17:05 . 2012-07-03 11:46   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-08-13 15:14 . 2012-08-13 15:14   --------   d-----w-   c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
2012-08-13 15:14 . 2012-08-13 15:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-08-13 15:14 . 2012-08-13 15:14   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-08-13 15:05 . 2012-08-13 15:05   --------   d-----w-   c:\program files\CCleaner
2012-08-13 11:38 . 2012-06-29 10:04   9133488   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9A64820-5E20-44BA-A681-F3DE0C808C39}\mpengine.dll
2012-08-12 15:06 . 2012-06-29 10:04   9133488   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-28 14:46 . 2012-08-14 14:21   --------   d-----w-   c:\users\user\AppData\Roaming\Fevia
2012-07-17 00:03 . 2012-06-12 03:08   3148800   ----a-w-   c:\windows\system32\win32k.sys
2012-07-17 00:03 . 2010-02-23 08:16   294912   ----a-w-   c:\windows\system32\browserchoice.exe
2012-07-16 23:59 . 2012-06-02 12:12   2311680   ----a-w-   c:\windows\system32\jscript9.dll
2012-07-16 18:17 . 2012-02-17 13:52   927800   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3B716B79-DB4D-4C3A-B538-B5517B336687}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 21:51 . 2012-04-04 08:34   426184   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-02 21:51 . 2011-11-29 19:16   70344   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-17 00:00 . 2011-11-29 18:18   59701280   ----a-w-   c:\windows\system32\MRT.exe
2012-07-05 20:06 . 2012-01-30 17:04   687544   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-06-02 22:19 . 2012-06-21 08:01   38424   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 08:02   2428952   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 08:02   57880   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 08:02   44056   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 08:01   701976   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 08:02   2622464   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 08:01   99840   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 08:01   186752   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-21 08:01   36864   ----a-w-   c:\windows\system32\wuapp.exe
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 19979400]
"NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-12-03 112152]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]
"Lenovo Registration"="c:\program files (x86)\Lenovo Registration\LenovoReg.exe" [2011-07-13 4351712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2012-05-06 611712]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ     kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-02 250056]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-05-06 1038088]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
R3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]
S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-23 212944]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi64.exe [2012-04-27 825152]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2010-12-23 11576]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]
S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2012-02-13 84080]
S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2011-07-20 342704]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-04-27 83080]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-04-27 184968]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-12-01 250984]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2011-04-28 419160]
S3 TASCAM_US144_MK2_MIDI;TASCAM US-144 mk2 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2011-04-28 31576]
S3 TASCAM_US144_MK2_WDM;TASCAM US-144 mk2 WDM;c:\windows\system32\drivers\tscusb2a.sys [2011-04-28 53080]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-09-24 41536]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
Inhalt des "geplante Tasks" Ordners
.
2012-08-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 21:51]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 01:26]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 01:26]
.
2012-08-14 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
.
2012-08-14 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   97792   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   97792   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   97792   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17   97792   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALTOOLS"="c:\program files (x86)\Lenovo\Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver\" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-09 11663976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-12 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-12 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-12 416024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"ALTOOLS1"="c:\program files (x86)\Lenovo\Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver\AccessL.exe" [2009-07-27 60928]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-27 1694016]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2010-11-26 437248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: An vorhandenes PDF anfügen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
TCP: DhcpNameServer = 192.168.178.1
DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} - file:///E:/launch.ocx
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\strrh2wf.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKCU-Run-imihu.exe - c:\users\user\AppData\Roaming\Ruxi\imihu.exe
Toolbar-Locked - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Lenovo\System Update\SUService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-14 16:33:38 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-08-14 14:33
.
Vor Suchlauf: 13 Verzeichnis(se), 1.057.019.858.944 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 1.056.891.863.040 Bytes frei
.
- - End Of File - - AB26129B1CD9EFEFB7D7AB9E86453599

Title: Re: ZeuS
Post by: SuperDave on August 14, 2012, 05:37:07 PM

Please download aswMBR.exe (http://public.avast.com/%7Egmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg)

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)

On completion of the scan click save log, save it to your desktop and post in your next reply
*********************************************************
Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.

Double click it to start the tool.Vista and Windows7 run as administrator.
Click Scan.
Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Title: Re: ZeuS
Post by: tilman_berlin on August 15, 2012, 02:51:01 AM

Hi Dave,

here are the logs:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-15 10:10:39
-----------------------------
10:10:39.642 OS Version: Windows x64 6.1.7601 Service Pack 1
10:10:39.642 Number of processors: 8 586 0x2A07
10:10:39.643 ComputerName: USER-THINK UserName: user
10:10:40.577 Initialize success
10:12:29.159 AVAST engine defs: 12081500
10:12:45.245 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:12:45.246 Disk 0 Vendor: Intel___ 1.0. Size: 1430797MB BusType: 8
10:12:45.266 Disk 0 MBR read successfully
10:12:45.268 Disk 0 MBR scan
10:12:45.270 Disk 0 unknown MBR code
10:12:45.276 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 3593 MB offset 2048
10:12:45.295 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1397201 MB offset 7360512
10:12:45.334 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 30002 MB offset 2868828160
10:12:45.409 Disk 0 scanning C:\Windows\system32\drivers
10:13:06.749 Service scanning
10:13:32.665 Modules scanning
10:13:32.673 Disk 0 trace - called modules:
10:13:32.690 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
10:13:32.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800f626790]
10:13:32.702 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800da49050]
10:13:35.498 AVAST engine scan C:\Windows
10:13:45.614 AVAST engine scan C:\Windows\system32
10:18:20.325 AVAST engine scan C:\Windows\system32\drivers
10:18:42.324 AVAST engine scan C:\Users\user
10:39:10.615 AVAST engine scan C:\ProgramData
10:42:56.399 Scan finished successfully
10:48:11.355 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
10:48:11.360 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"

Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..
.
Windows 7 . (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 14.0.1 (de)
.
C:\ [Fixed-NTFS] .. ( Total:1364 Go - Free:984 Go )
E:\ [CD_Rom]
Q:\ [Fixed-NTFS] .. ( Total:29 Go - Free:21 Go )
R:\ [Fixed-NTFS] .. ( Total:0 Go - Free:0 Go )
.
Scan : 10:48.52
Path : C:\Users\user\Downloads\Rooter.exe
User : user ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (364)
Locked csrss.exe (520)
Locked wininit.exe (620)
Locked csrss.exe (648)
Locked services.exe (684)
Locked lsass.exe (708)
Locked lsm.exe (716)
Locked winlogon.exe (752)
Locked svchost.exe (868)
Locked nvvsvc.exe (932)
Locked nvwmi64.exe (956)
Locked svchost.exe (996)
Locked MsMpEng.exe (384)
Locked svchost.exe (416)
Locked svchost.exe (404)
Locked svchost.exe (1048)
Locked svchost.exe (1308)
Locked svchost.exe (1472)
Locked spoolsv.exe (1648)
Locked svchost.exe (1676)
Locked SASCore64.exe (1760)
Locked armsvc.exe (1788)
Locked NvXDSync.exe (1872)
Locked nvvsvc.exe (1884)
Locked nvwmi64.exe (1892)
______ ????????? (2044)
______ ????????? (1380)
______ ????????? (1460)
Locked jhi_service.exe (1580)
Locked PsiService_2.exe (2180)
Locked sftvsa.exe (2544)
Locked svchost.exe (2572)
Locked ULCDRSvr.exe (2660)
Locked WLIDSVC.EXE (2788)
Locked sftlist.exe (2836)
Locked WLIDSVCM.EXE (3044)
______ ????????? (3304)
______ ????????? (3364)
______ ????????? (3448)
______ ????????? (3500)
Locked CVHSVC.EXE (3700)
Locked SearchIndexer.exe (3828)
Locked svchost.exe (4084)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (3388)
Locked wmpnetwk.exe (3868)
______ C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe (1556)
Locked svchost.exe (1796)
______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (4264)
______ C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (4332)
Locked svchost.exe (4492)
______ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe (4552)
______ C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe (4620)
______ C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (4684)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (4708)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (4740)
Locked dllhost.exe (3228)
Locked ServiceLayer.exe (2460)
Locked NclUSBSrv64.exe (5196)
______ C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe (5960)
______ ????????? (5032)
Locked LMS.exe (4696)
Locked UNS.exe (4800)
Locked IAStorDataMgrSvc.exe (3892)
Locked mbamservice.exe (3996)
Locked SUService.exe (1324)
Locked VIPAppService.exe (4816)
Locked svchost.exe (5708)
______ ????????? (5092)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (3420)
______ ????????? (6132)
______ C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe (5872)
Locked SearchProtocolHost.exe (1568)
Locked SearchFilterHost.exe (2800)
______ C:\Users\user\Downloads\Rooter.exe (4772)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:3767533568)
\Device\Harddisk0\Partition2 (Start_Offset:3768582144 | Length:1465071435776)
\Device\Harddisk0\Partition3 (Start_Offset:1468840017920 | Length:31459377152)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\SystemToolsDailyTest.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\user\AppData\Roaming\Pocomail\Attach\keygen.zip
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 10:48.53
.
C:\Rooter$\Rooter_1.txt - (15/08/2012 | 10:48.53).c

Title: Re: ZeuS
Post by: tilman_berlin on August 15, 2012, 10:39:23 AM

Sorry, I just realised I didn't run rooter as administrator. So here is the rooter log again:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 . (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 14.0.1 (de)
.
C:\ [Fixed-NTFS] .. ( Total:1364 Go - Free:982 Go )
E:\ [CD_Rom]
Q:\ [Fixed-NTFS] .. ( Total:29 Go - Free:21 Go )
R:\ [Fixed-NTFS] .. ( Total:0 Go - Free:0 Go )
.
Scan : 18:38.41
Path : C:\Users\user\Downloads\Rooter.exe
User : user ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ???K?????? (364)
______ ???K?????? (520)
______ ???K?????? (620)
______ ???K?????? (648)
______ ???K?????? (684)
______ ???K?????? (708)
______ ???K?????? (716)
______ ???K?????? (752)
______ ???K?????? (868)
______ ???K?????? (932)
______ ???K?????? (956)
______ ???K?????? (996)
______ ???K?????? (384)
______ ???K?????? (416)
______ ???K?????? (404)
______ ???K?????? (1048)
______ ???K?????? (1308)
______ ???K?????? (1472)
______ ???K?????? (1648)
______ ???K?????? (1676)
______ ???K?????? (1760)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (1788)
______ ???K?????? (1872)
______ ???K?????? (1884)
______ ???K?????? (1892)
______ ???K?????? (2044)
______ ???K?????? (1380)
______ ???K?????? (1460)
______ C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe (1580)
______ C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe (2180)
______ C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (2544)
______ ???K?????? (2572)
______ C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (2660)
______ ???K?????? (2788)
______ C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (2836)
______ ???K?????? (3044)
______ ???K?????? (3304)
______ ???K?????? (3364)
______ ???K?????? (3448)
______ ???K?????? (3500)
______ C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (3700)
______ ???K?????? (3828)
______ ???K?????? (4084)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (3388)
______ ???K?????? (3868)
______ C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe (1556)
______ ???K?????? (1796)
______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (4264)
______ C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (4332)
______ ???K?????? (4492)
______ C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe (4552)
______ C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe (4620)
______ C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (4684)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (4708)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (4740)
______ ???K?????? (3228)
______ C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe (2460)
______ ???K?????? (5196)
______ C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe (5960)
______ ???K?????? (5032)
______ C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (4696)
______ C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (4800)
______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (3892)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (3996)
______ C:\Program Files (x86)\Lenovo\System Update\SUService.exe (1324)
______ C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe (4816)
______ ???K?????? (5708)
______ ???K?????? (5092)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (3420)
______ ???K?????? (6132)
______ C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe (5872)
______ C:\Program Files (x86)\Pocomail4\Poco.exe (1316)
______ C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe (2860)
______ ???K?????? (5088)
Locked audiodg.exe (5592)
______ C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)\audacity.exe (4584)
______ C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe (7648)
______ C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe (7912)
______ ???K?????? (5620)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (5444)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe (7992)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe (1300)
______ ???K?????? (3628)
______ ???K?????? (1968)
______ C:\Users\user\Downloads\Rooter.exe (7508)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:3767533568)
\Device\Harddisk0\Partition2 (Start_Offset:3768582144 | Length:1465071435776)
\Device\Harddisk0\Partition3 (Start_Offset:1468840017920 | Length:31459377152)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\SystemToolsDailyTest.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\user\AppData\Roaming\Pocomail\Attach\keygen.zip
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 18:38.43
.
C:\Rooter$\Rooter_2.txt - (15/08/2012 | 18:38.43).c

Title: Re: ZeuS
Post by: SuperDave on August 15, 2012, 04:39:48 PM

We need to fix the infection found with aswMBR now

Double click aswMBR.exe to run it like before
Once the scan finishes click Fix to remove the infection as illustrated below

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Fix.jpg)

Once the scan finishes click Save log to save the log to your Desktop

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)
Copy and paste the contents of aswMBR.txt back here for review

Title: Re: ZeuS
Post by: tilman_berlin on August 15, 2012, 05:13:34 PM

Hi Dave,

aswMBR does not allow me to press the "Fix" button. The button is grey. I can click "FixMBR". What shall I do?

This is the log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-16 00:49:42
-----------------------------
00:49:42.898 OS Version: Windows x64 6.1.7601 Service Pack 1
00:49:42.898 Number of processors: 8 586 0x2A07
00:49:42.899 ComputerName: USER-THINK UserName: user
00:49:44.301 Initialize success
00:49:47.793 AVAST engine defs: 12081500
00:50:03.647 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:50:03.648 Disk 0 Vendor: Intel___ 1.0. Size: 1430797MB BusType: 8
00:50:03.709 Disk 0 MBR read successfully
00:50:03.711 Disk 0 MBR scan
00:50:03.713 Disk 0 unknown MBR code
00:50:03.739 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 3593 MB offset 2048
00:50:03.757 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1397201 MB offset 7360512
00:50:03.814 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 30002 MB offset 2868828160
00:50:03.912 Disk 0 scanning C:\Windows\system32\drivers
00:50:32.455 Service scanning
00:50:56.616 Modules scanning
00:50:56.624 Disk 0 trace - called modules:
00:50:56.647 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
00:50:56.653 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800f626790]
00:50:56.659 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800da49050]
00:50:58.299 AVAST engine scan C:\Windows
00:51:21.704 AVAST engine scan C:\Windows\system32
00:55:38.478 AVAST engine scan C:\Windows\system32\drivers
00:56:04.784 AVAST engine scan C:\Users\user
01:07:37.660 AVAST engine scan C:\ProgramData
01:10:04.912 Scan finished successfully
01:11:26.898 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
01:11:26.902 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"

Title: Re: ZeuS
Post by: SuperDave on August 15, 2012, 06:29:55 PM

It could be that there's nothing wrong with the MBR.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 2 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.

Title: Re: ZeuS
Post by: tilman_berlin on August 21, 2012, 09:59:28 AM

Hi Dave,

this is the MBRCHeck.exe log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows 7 Professional
Windows Information:      Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer:   LENOVO
BIOS Manufacturer:      LENOVO
System Manufacturer:      LENOVO
System Product Name:      782442G
Logical Drives Mask:      0x00030014

Kernel Drivers (total 198):
0x03409000 \SystemRoot\system32\ntoskrnl.exe
0x039F1000 \SystemRoot\system32\hal.dll
0x00BA3000 \SystemRoot\system32\kdcom.dll
0x00C80000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CCF000 \SystemRoot\system32\PSHED.dll
0x00CE3000 \SystemRoot\system32\CLFS.SYS
0x00EE4000 \SystemRoot\system32\CI.dll
0x00E00000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EA4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA4000 \SystemRoot\system32\drivers\ACPI.sys
0x00EB3000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00EBC000 \SystemRoot\system32\drivers\msisadrv.sys
0x00D41000 \SystemRoot\system32\drivers\pci.sys
0x00EC6000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00D74000 \SystemRoot\System32\drivers\partmgr.sys
0x00ED3000 \SystemRoot\system32\drivers\compbatt.sys
0x00D89000 \SystemRoot\system32\drivers\BATTC.SYS
0x00D95000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00C5C000 \SystemRoot\System32\drivers\mountmgr.sys
0x0104D000 \SystemRoot\system32\drivers\iaStor.sys
0x011A1000 \SystemRoot\system32\drivers\amdxata.sys
0x011AC000 \SystemRoot\system32\drivers\fltmgr.sys
0x01000000 \SystemRoot\system32\drivers\fileinfo.sys
0x01014000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x01253000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01483000 \SystemRoot\System32\Drivers\msrpc.sys
0x014E1000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014FC000 \SystemRoot\System32\Drivers\cng.sys
0x0156E000 \SystemRoot\System32\drivers\pcw.sys
0x0157F000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01643000 \SystemRoot\system32\drivers\ndis.sys
0x01736000 \SystemRoot\system32\drivers\NETIO.SYS
0x01796000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x018D7000 \SystemRoot\System32\drivers\tcpip.sys
0x01ADA000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01B24000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01B34000 \SystemRoot\system32\drivers\volsnap.sys
0x01B80000 \SystemRoot\System32\Drivers\spldr.sys
0x01B88000 \SystemRoot\System32\drivers\rdyboost.sys
0x01BC2000 \SystemRoot\System32\Drivers\mup.sys
0x01BD4000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01800000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0183A000 \SystemRoot\system32\drivers\disk.sys
0x01850000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x03FB9000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03FE3000 \SystemRoot\System32\Drivers\Null.SYS
0x03FEC000 \SystemRoot\System32\Drivers\Beep.SYS
0x03E00000 \SystemRoot\System32\drivers\vga.sys
0x03E0E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03E33000 \SystemRoot\System32\drivers\watchdog.sys
0x03E43000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03FF3000 \SystemRoot\system32\drivers\rdpencdd.sys
0x0188E000 \SystemRoot\system32\drivers\rdprefmp.sys
0x01897000 \SystemRoot\System32\Drivers\Msfs.SYS
0x018A2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x018B3000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01BDD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04456000 \SystemRoot\system32\drivers\afd.sys
0x044DF000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04524000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x0452F000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x04538000 \SystemRoot\system32\DRIVERS\pacer.sys
0x0455E000 \SystemRoot\system32\DRIVERS\netbios.sys
0x0456D000 \SystemRoot\system32\DRIVERS\serial.sys
0x0458A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x045A5000 \SystemRoot\system32\DRIVERS\termdd.sys
0x045B9000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x045C3000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x04400000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x045CD000 \SystemRoot\system32\drivers\nsiproxy.sys
0x045D9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x045E4000 \SystemRoot\System32\drivers\discache.sys
0x01400000 \SystemRoot\system32\drivers\csc.sys
0x017C0000 \SystemRoot\System32\Drivers\dfsc.sys
0x01BEA000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x01600000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0F21F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0FFFA000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x046A7000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0479B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04600000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04624000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x04635000 \SystemRoot\system32\DRIVERS\serenum.sys
0x04641000 \SystemRoot\system32\DRIVERS\e1c62x64.sys
0x047E1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x01589000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x01200000 \SystemRoot\system32\DRIVERS\nusb3xhc.sys
0x047F2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04698000 \SystemRoot\system32\drivers\tpm.sys
0x047F4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x0F200000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x01626000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x017DE000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x00DAA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x045F3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x00DCE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x015DF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x01230000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04A14000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04A2E000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x04A39000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04A48000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04A57000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0x04A65000 \SystemRoot\system32\DRIVERS\psadd.sys
0x04A73000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04A75000 \SystemRoot\system32\DRIVERS\ks.sys
0x04AB8000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04ACA000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04B24000 \SystemRoot\system32\DRIVERS\nusb3hub.sys
0x04B3C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04B51000 \SystemRoot\system32\drivers\nvhda64v.sys
0x04B83000 \SystemRoot\system32\drivers\portcls.sys
0x04BC0000 \SystemRoot\system32\drivers\drmk.sys
0x04BE2000 \SystemRoot\system32\drivers\ksthunk.sys
0x05065000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x052F1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x052FF000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x05318000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05321000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x0532F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x0533C000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03E4C000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x0534A000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x0535D000 \SystemRoot\System32\Drivers\RtsUStor.sys
0x054F9000 \SystemRoot\System32\Drivers\tascusb2.sys
0x05563000 \SystemRoot\system32\drivers\tscusb2m.sys
0x0556F000 \SystemRoot\system32\drivers\tscusb2a.sys
0x000D0000 \SystemRoot\System32\win32k.sys
0x05580000 \SystemRoot\System32\drivers\Dxapi.sys
0x0558C000 \SystemRoot\system32\DRIVERS\monitor.sys
0x004C0000 \SystemRoot\System32\TSDDD.dll
0x006A0000 \SystemRoot\System32\cdd.dll
0x0559A000 \SystemRoot\system32\drivers\luafv.sys
0x055BD000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x055C8000 \SystemRoot\system32\drivers\WudfPf.sys
0x00830000 \SystemRoot\System32\ATMFD.DLL
0x055E9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x05400000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x05418000 \SystemRoot\system32\drivers\HTTP.sys
0x0539D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x054E1000 \SystemRoot\System32\drivers\mpsdrv.sys
0x053BB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x05000000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07600000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07624000 \SystemRoot\System32\Drivers\adfs.SYS
0x0763C000 \SystemRoot\system32\drivers\peauth.sys
0x076E2000 \SystemRoot\System32\Drivers\secdrv.SYS
0x076ED000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x077AE000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x07C0E000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07C3F000 \??\C:\Windows\system32\Drivers\SSPORT.sys
0x07C47000 \SystemRoot\System32\drivers\tcpipreg.sys
0x07C59000 \SystemRoot\System32\DRIVERS\srv2.sys
0x07CC2000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x07CCD000 \SystemRoot\System32\DRIVERS\srv.sys
0x07D65000 \??\C:\Windows\system32\drivers\mbam.sys
0x07DE0000 \??\C:\Users\user\AppData\Local\Temp\aswMBR.sys
0x77970000 \Windows\System32\ntdll.dll
0x48140000 \Windows\System32\smss.exe
0xFFC90000 \Windows\System32\apisetschema.dll
0xFF5A0000 \Windows\System32\autochk.exe
0xFFBA0000 \Windows\System32\oleaut32.dll
0xFFB00000 \Windows\System32\clbcatq.dll
0xFFAF0000 \Windows\System32\nsi.dll
0xFFA50000 \Windows\System32\msvcrt.dll
0x77810000 \Windows\System32\wininet.dll
0x776F0000 \Windows\System32\kernel32.dll
0xFF9D0000 \Windows\System32\difxapi.dll
0xFF9B0000 \Windows\System32\sechost.dll
0x775A0000 \Windows\System32\urlmon.dll
0xFEC20000 \Windows\System32\shell32.dll
0xFEC00000 \Windows\System32\imagehlp.dll
0xFE9F0000 \Windows\System32\ole32.dll
0x77B40000 \Windows\System32\psapi.dll
0x77B30000 \Windows\System32\normaliz.dll
0xFE970000 \Windows\System32\shlwapi.dll
0xFE960000 \Windows\System32\lpk.dll
0xFE850000 \Windows\System32\msctf.dll
0xFE7B0000 \Windows\System32\comdlg32.dll
0x774A0000 \Windows\System32\user32.dll
0xFE780000 \Windows\System32\imm32.dll
0xFE650000 \Windows\System32\rpcrt4.dll
0x77290000 \Windows\System32\iertutil.dll
0xFE470000 \Windows\System32\setupapi.dll
0xFE3A0000 \Windows\System32\usp10.dll
0xFE340000 \Windows\System32\Wldap32.dll
0xFE2F0000 \Windows\System32\ws2_32.dll
0xFE280000 \Windows\System32\gdi32.dll
0xFE1A0000 \Windows\System32\advapi32.dll
0xFE030000 \Windows\System32\crypt32.dll
0xFDFF0000 \Windows\System32\wintrust.dll
0xFDFB0000 \Windows\System32\cfgmgr32.dll
0xFDF10000 \Windows\System32\comctl32.dll
0xFDEA0000 \Windows\System32\KernelBase.dll
0xFDE80000 \Windows\System32\devobj.dll
0xFDE70000 \Windows\System32\msasn1.dll
0x76D40000 \Windows\SysWOW64\normaliz.dll

Processes (total 82):
0 System Idle Process
4 System
364 C:\Windows\System32\smss.exe
556 csrss.exe
632 C:\Windows\System32\wininit.exe
656 csrss.exe
696 C:\Windows\System32\winlogon.exe
740 C:\Windows\System32\services.exe
756 C:\Windows\System32\lsass.exe
764 C:\Windows\System32\lsm.exe
864 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\nvvsvc.exe
948 C:\Windows\System32\nvwmi64.exe
988 C:\Windows\System32\svchost.exe
344 C:\Program Files\Microsoft Security Client\MsMpEng.exe
640 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1056 C:\Windows\System32\svchost.exe
1444 C:\Windows\System32\svchost.exe
1588 C:\Windows\System32\svchost.exe
1716 C:\Windows\System32\spoolsv.exe
1744 C:\Windows\System32\svchost.exe
1824 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
1052 C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
1428 C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
2220 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
2256 C:\Windows\System32\svchost.exe
2288 C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2312 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2408 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
2468 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2568 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3140 C:\Windows\System32\svchost.exe
3268 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
3280 C:\Windows\System32\nvvsvc.exe
3288 C:\Windows\System32\nvwmi64.exe
3620 C:\Windows\System32\taskhost.exe
3652 C:\Windows\System32\dwm.exe
3720 C:\Windows\explorer.exe
3852 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3900 C:\Program Files\Microsoft Security Client\msseces.exe
3244 C:\Program Files (x86)\Lenovo\Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver\AccessL.exe
3536 C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
3580 C:\Program Files (x86)\Skype\Phone\Skype.exe
3584 C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe
3684 C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
3812 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
1948 C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
3936 C:\Config.Msi\2efa7.rbf
2536 C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
1100 C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
1212 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
404 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
4344 C:\Windows\System32\svchost.exe
4832 C:\Program Files\Windows Media Player\wmpnetwk.exe
3484 C:\Windows\System32\svchost.exe
416 C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
4080 C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
5540 C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
6020 dllhost.exe
5464 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
5520 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
5548 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
5784 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
5960 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3848 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
4092 C:\Program Files (x86)\Lenovo\System Update\SUService.exe
6116 C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
5228 C:\Windows\System32\taskeng.exe
6200 C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
6560 C:\Windows\System32\svchost.exe
3972 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
4172 C:\Windows\System32\audiodg.exe
4004 MpCmdRun.exe
7448 C:\Windows\System32\SearchIndexer.exe
6296 C:\Windows\System32\SearchProtocolHost.exe
3844 C:\Windows\System32\SearchFilterHost.exe
7244 C:\Windows\System32\SearchProtocolHost.exe
5452 dllhost.exe
2624 dllhost.exe
6768 C:\Users\user\Desktop\MBRCheck.exe
3312 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`e0a00000 (NTFS)
\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000155`fdb00000 (NTFS)
\\.\R: --> error 5

PhysicalDrive0 Model Number:

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 8C5A19F3F46C47E1D5B89C5FF38F29281E03AD6 E

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Title: Re: ZeuS
Post by: SuperDave on August 21, 2012, 04:37:47 PM

Please Boot to the System Recovery Options (http://www.sevenforums.com/tutorials/668-system-recovery-options.html)
If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

Title: Re: ZeuS
Post by: tilman_berlin on August 22, 2012, 02:37:32 AM

Done! It only took two seconds for each command.
How do I know that I really got rid of Zeus?
By the way: my bank blocked my online banking access because the trojan "zeus2" seems to have tried to mess with it.

Once again: thanks for your help,

Tilman

Title: Re: ZeuS
Post by: SuperDave on August 22, 2012, 01:11:09 PM

Quote

By the way: my bank blocked my online banking access because the trojan "zeus2" seems to have tried to mess with it.

You really should change your banking passwords.

Quote

How do I know that I really got rid of Zeus?

Please run MBRCheck again and post the log. We still have a few more scans to do to ensure that your computer is clean.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.

•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Title: Re: ZeuS
Post by: tilman_berlin on August 22, 2012, 02:01:50 PM

Here's the MBRCheck log again. ESET will follow.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows 7 Professional
Windows Information:      Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer:   LENOVO
BIOS Manufacturer:      LENOVO
System Manufacturer:      LENOVO
System Product Name:      782442G
Logical Drives Mask:      0x00030014

Kernel Drivers (total 197):
0x0345A000 \SystemRoot\system32\ntoskrnl.exe
0x03411000 \SystemRoot\system32\hal.dll
0x00BB1000 \SystemRoot\system32\kdcom.dll
0x00C3B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C8A000 \SystemRoot\system32\PSHED.dll
0x00C9E000 \SystemRoot\system32\CLFS.SYS
0x00CFC000 \SystemRoot\system32\CI.dll
0x00E3E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EE2000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00EF1000 \SystemRoot\system32\drivers\ACPI.sys
0x00F48000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00F51000 \SystemRoot\system32\drivers\msisadrv.sys
0x00F5B000 \SystemRoot\system32\drivers\pci.sys
0x00F8E000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00F9B000 \SystemRoot\System32\drivers\partmgr.sys
0x00FB0000 \SystemRoot\system32\drivers\compbatt.sys
0x00FB9000 \SystemRoot\system32\drivers\BATTC.SYS
0x00FC5000 \SystemRoot\system32\drivers\volmgr.sys
0x010F8000 \SystemRoot\System32\drivers\volmgrx.sys
0x01154000 \SystemRoot\System32\drivers\mountmgr.sys
0x01286000 \SystemRoot\system32\drivers\iaStor.sys
0x013DA000 \SystemRoot\system32\drivers\amdxata.sys
0x01200000 \SystemRoot\system32\drivers\fltmgr.sys
0x0124C000 \SystemRoot\system32\drivers\fileinfo.sys
0x0116E000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x01445000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01000000 \SystemRoot\System32\Drivers\msrpc.sys
0x01400000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0105E000 \SystemRoot\System32\Drivers\cng.sys
0x0141B000 \SystemRoot\System32\drivers\pcw.sys
0x0142C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0164D000 \SystemRoot\system32\drivers\ndis.sys
0x01740000 \SystemRoot\system32\drivers\NETIO.SYS
0x017A0000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01836000 \SystemRoot\System32\drivers\tcpip.sys
0x01A39000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A83000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01A93000 \SystemRoot\system32\drivers\volsnap.sys
0x01ADF000 \SystemRoot\System32\Drivers\spldr.sys
0x01AE7000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B21000 \SystemRoot\System32\Drivers\mup.sys
0x01B33000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B3C000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01B76000 \SystemRoot\system32\drivers\disk.sys
0x01B8C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x03FD6000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03E00000 \SystemRoot\System32\Drivers\Null.SYS
0x03E09000 \SystemRoot\System32\Drivers\Beep.SYS
0x03E10000 \SystemRoot\System32\drivers\vga.sys
0x03E1E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03E43000 \SystemRoot\System32\drivers\watchdog.sys
0x03E53000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03E5C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03E65000 \SystemRoot\system32\drivers\rdprefmp.sys
0x01BCA000 \SystemRoot\System32\Drivers\Msfs.SYS
0x01BD5000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01800000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01822000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02E01000 \SystemRoot\system32\drivers\afd.sys
0x02E8A000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02ECF000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x02EDA000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02EE3000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02F09000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02F18000 \SystemRoot\system32\DRIVERS\serial.sys
0x02F35000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02F50000 \SystemRoot\system32\DRIVERS\termdd.sys
0x02F64000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x02F6E000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x02F78000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02FC9000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02FD5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02FE0000 \SystemRoot\System32\drivers\discache.sys
0x0444F000 \SystemRoot\system32\drivers\csc.sys
0x044D2000 \SystemRoot\System32\Drivers\dfsc.sys
0x044F0000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04501000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0F215000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0FFF0000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x0468A000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0477E000 \SystemRoot\System32\drivers\dxgmms1.sys
0x047C4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x047E8000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x04600000 \SystemRoot\system32\DRIVERS\serenum.sys
0x0460C000 \SystemRoot\system32\DRIVERS\e1c62x64.sys
0x04663000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04527000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0457D000 \SystemRoot\system32\DRIVERS\nusb3xhc.sys
0x04674000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04676000 \SystemRoot\system32\drivers\tpm.sys
0x0FFF2000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x045AD000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F200000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x045C3000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x045D9000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04400000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0440C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x017CA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x01600000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x01BE6000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0443B000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x02FEF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x01621000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x01630000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0x0163E000 \SystemRoot\system32\DRIVERS\psadd.sys
0x04685000 \SystemRoot\system32\DRIVERS\swenum.sys
0x011A3000 \SystemRoot\system32\DRIVERS\ks.sys
0x017E5000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04C57000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04CB1000 \SystemRoot\system32\DRIVERS\nusb3hub.sys
0x04CC9000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04CDE000 \SystemRoot\system32\drivers\nvhda64v.sys
0x04D10000 \SystemRoot\system32\drivers\portcls.sys
0x04D4D000 \SystemRoot\system32\drivers\drmk.sys
0x04D6F000 \SystemRoot\system32\drivers\ksthunk.sys
0x052C6000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x05552000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03E6E000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x05560000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x000B0000 \SystemRoot\System32\win32k.sys
0x05573000 \SystemRoot\System32\drivers\Dxapi.sys
0x0557F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x0558D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x055A6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x055AF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x055BD000 \SystemRoot\system32\DRIVERS\monitor.sys
0x055CB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x05200000 \SystemRoot\System32\Drivers\RtsUStor.sys
0x05240000 \SystemRoot\System32\Drivers\tascusb2.sys
0x052AA000 \SystemRoot\system32\drivers\tscusb2m.sys
0x055D8000 \SystemRoot\system32\drivers\tscusb2a.sys
0x00510000 \SystemRoot\System32\TSDDD.dll
0x00760000 \SystemRoot\System32\cdd.dll
0x008C0000 \SystemRoot\System32\ATMFD.DLL
0x04D75000 \SystemRoot\system32\drivers\luafv.sys
0x055E9000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x04D98000 \SystemRoot\system32\drivers\WudfPf.sys
0x04DB9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04DCE000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x0B2F5000 \SystemRoot\system32\drivers\HTTP.sys
0x0B3BE000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0B3DC000 \SystemRoot\System32\drivers\mpsdrv.sys
0x0B200000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0B22D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0B27B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0B29F000 \SystemRoot\System32\Drivers\adfs.SYS
0x0BADA000 \SystemRoot\system32\drivers\peauth.sys
0x0BB80000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0BA00000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x0BB8B000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x0B2B7000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0BBD8000 \??\C:\Windows\system32\Drivers\SSPORT.sys
0x0BBE0000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0D036000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0D09F000 \SystemRoot\System32\DRIVERS\srv.sys
0x0D137000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x0D142000 \??\C:\Windows\system32\drivers\mbam.sys
0x772D0000 \Windows\System32\ntdll.dll
0x47710000 \Windows\System32\smss.exe
0xFF5F0000 \Windows\System32\apisetschema.dll
0xFF810000 \Windows\System32\autochk.exe
0xFF5D0000 \Windows\System32\lpk.dll
0xFF3C0000 \Windows\System32\ole32.dll
0xFF3B0000 \Windows\System32\nsi.dll
0xFF2A0000 \Windows\System32\msctf.dll
0x774A0000 \Windows\System32\normaliz.dll
0xFF170000 \Windows\System32\rpcrt4.dll
0xFF090000 \Windows\System32\advapi32.dll
0x771D0000 \Windows\System32\user32.dll
0xFEFB0000 \Windows\System32\oleaut32.dll
0xFEF90000 \Windows\System32\sechost.dll
0xFEF30000 \Windows\System32\Wldap32.dll
0xFE1A0000 \Windows\System32\shell32.dll
0xFE100000 \Windows\System32\clbcatq.dll
0xFE060000 \Windows\System32\msvcrt.dll
0xFDFE0000 \Windows\System32\difxapi.dll
0x77070000 \Windows\System32\wininet.dll
0x76F50000 \Windows\System32\kernel32.dll
0xFDF60000 \Windows\System32\shlwapi.dll
0xFDEC0000 \Windows\System32\comdlg32.dll
0x76D40000 \Windows\System32\iertutil.dll
0xFDE50000 \Windows\System32\gdi32.dll
0xFDE20000 \Windows\System32\imm32.dll
0xFDD50000 \Windows\System32\usp10.dll
0xFDD30000 \Windows\System32\imagehlp.dll
0xFDCE0000 \Windows\System32\ws2_32.dll
0xFDB00000 \Windows\System32\setupapi.dll
0x77490000 \Windows\System32\psapi.dll
0x76BF0000 \Windows\System32\urlmon.dll
0xFDA60000 \Windows\System32\comctl32.dll
0xFDA20000 \Windows\System32\cfgmgr32.dll
0xFD9E0000 \Windows\System32\wintrust.dll
0xFD970000 \Windows\System32\KernelBase.dll
0xFD800000 \Windows\System32\crypt32.dll
0xFD7E0000 \Windows\System32\devobj.dll
0xFD7D0000 \Windows\System32\msasn1.dll
0x750B0000 \Windows\SysWOW64\normaliz.dll

Processes (total 85):
0 System Idle Process
4 System
360 C:\Windows\System32\smss.exe
520 csrss.exe
636 C:\Windows\System32\wininit.exe
644 csrss.exe
680 C:\Windows\System32\winlogon.exe
740 C:\Windows\System32\services.exe
748 C:\Windows\System32\lsass.exe
760 C:\Windows\System32\lsm.exe
848 C:\Windows\System32\svchost.exe
916 C:\Windows\System32\nvvsvc.exe
940 C:\Windows\System32\nvwmi64.exe
984 C:\Windows\System32\svchost.exe
372 C:\Program Files\Microsoft Security Client\MsMpEng.exe
628 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1156 C:\Windows\System32\svchost.exe
1284 C:\Windows\System32\svchost.exe
1428 C:\Windows\System32\spoolsv.exe
1508 C:\Windows\System32\svchost.exe
1560 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1576 C:\Windows\System32\nvvsvc.exe
1584 C:\Windows\System32\nvwmi64.exe
1692 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
1748 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1936 C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
2020 C:\Windows\System32\taskhost.exe
1808 C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
1816 C:\Windows\System32\dwm.exe
1780 C:\Windows\explorer.exe
2576 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
2636 C:\Windows\System32\svchost.exe
2712 C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2776 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2872 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
2948 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3116 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3156 C:\Program Files\Microsoft Security Client\msseces.exe
3304 C:\Program Files (x86)\Lenovo\Lenovo Preferred Pro USB Fingerprint Keyboard Hotkey Driver\AccessL.exe
3464 C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
3480 C:\Program Files (x86)\Skype\Phone\Skype.exe
3520 C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe
3560 C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
3788 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
3852 C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
3888 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
3896 C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
3984 C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
3992 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
4028 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
4052 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
2552 C:\Windows\System32\SearchIndexer.exe
4128 C:\Windows\System32\svchost.exe
4224 C:\Windows\System32\svchost.exe
4472 C:\Program Files\Windows Media Player\wmpnetwk.exe
4368 C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
4920 C:\Windows\System32\svchost.exe
5476 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
5560 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
5540 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
6048 dllhost.exe
5796 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
2464 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
5300 C:\Program Files (x86)\Lenovo\System Update\SUService.exe
3732 C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
1340 C:\Windows\System32\taskeng.exe
5464 C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
4744 C:\Windows\System32\svchost.exe
4728 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
3108 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE
1108 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
3680 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
4564 C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)\audacity.exe
1208 C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
5248 C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
7036 C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
4760 C:\Windows\System32\audiodg.exe
6520 C:\Windows\System32\SearchProtocolHost.exe
5412 C:\Windows\System32\SearchFilterHost.exe
4916 dllhost.exe
6584 dllhost.exe
5512 C:\Users\user\Desktop\MBRCheck.exe
6208 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`e0a00000 (NTFS)
\\.\Q: --> \\.\PhysicalDrive0 at offset 0x00000155`fdb00000 (NTFS)
\\.\R: --> error 5

PhysicalDrive0 Model Number: qø€ÿÿá€zú€ÿÿ|8Eø€ÿÿ-°qø€ÿÿ

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB7 9

Done!

Title: Re: ZeuS
Post by: tilman_berlin on August 22, 2012, 04:47:27 PM

Hi Dave,

here's the list of threats:

C:\Qoobox\Quarantine\C\Users\user\AppData\Local\TempDIR\BetterInstaller.exe.vir   a variant of Win32/Somoto.A application   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\user\AppData\Roaming\Ruxi\imihu.exe.vir   Win32/Spy.Zbot.YW trojan   cleaned by deleting - quarantined

and the log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=12d9b84ca762934793a03468bfe5d8a4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-22 10:23:04
# local_time=2012-08-23 12:23:04 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 21723254 97295920 0 0
# compatibility_mode=8192 67108863 100 0 196 196 0 0
# scanned=211954
# found=2
# cleaned=2
# scan_time=8114
C:\Qoobox\Quarantine\C\Users\user\AppData\Local\TempDIR\BetterInstaller.exe.vir   a variant of Win32/Somoto.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Qoobox\Quarantine\C\Users\user\AppData\Roaming\Ruxi\imihu.exe.vir   Win32/Spy.Zbot.YW trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

Title: Re: ZeuS
Post by: SuperDave on August 23, 2012, 04:29:41 PM

That looks good. Please tell me how your computer is working before we cleanup.

Title: Re: ZeuS
Post by: tilman_berlin on August 24, 2012, 05:46:42 PM

As far as I can tell, everything works as before. I didn't notice any irregularity.

Title: Re: ZeuS
Post by: SuperDave on August 25, 2012, 04:27:49 PM

Ok. We can do some cleanup.

Download this program and run it Uninstall ComboFix (http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE) .It will remove ComboFix for you

************************************************
To set a new Restore Point.

Click Start button , click Control Panel, click System and Maintenance, and then clicking System. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
Click the Start button , click Control Panel, click System and Maintenance, and then click System.
In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.
This will give you a new, clean Restore Point.
********************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*********************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Title: Re: ZeuS
Post by: tilman_berlin on August 26, 2012, 09:58:56 AM

Done! Thanks for your help, Dave.

I only have one more minor thing:
- Secunia Software Inspector keeps telling me that my Java and Adobe Flash Player are not up-to-date, although I downloaded the newest versions and restarted the computer. Furthermore, the update programs Secunia offers (right below "Update instructions") seem not to work. When I open them nothing happens. I got the newest versions now from the official Java- and Flash Player-websites. Still Secunia says, they are not up-todate

- can I be sure that what we removed from my computer was really ZeuS? Can I use my computer for banking and the like without concern?

Thank you again for your help. You already saved my digital sit-upons twice!

Tilman

Title: Re: ZeuS
Post by: SuperDave on August 26, 2012, 06:25:14 PM

Quote

Secunia Software Inspector keeps telling me that my Java and Adobe Flash Player are not up-to-date, although I downloaded the newest versions and restarted the computer. Furthermore, the update programs Secunia offers (right below "Update instructions") seem not to work. When I open them nothing happens. I got the newest versions now from the official Java- and Flash Player-websites. Still Secunia says, they are not up-todate.

There could be parts of a previous version left which would prompt those messages. It is most important to keep your Windows OS and Java up-to-date. I did notice that you have this on your computer: C:\Users\user\AppData\Roaming\Pocomail\Attach\keygen.zip
==> Cracks & Keygens <== Crackware is illegal and certainly very dangerous for the safety of your computer.

Quote

can I be sure that what we removed from my computer was really ZeuS? Can I use my computer for banking and the like without concern?

There were some infections that affected your MBR (Master Boot Record). If you want to use this computer for banking I would strongly suggest a third-party firewall. I can be cumbersome at first to use but it will give added protection.

Firewalls protect against hackers and malicious intruders.

Remember only install ONE firewall

1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.