Computer Hope

Software => Computer viruses and spyware => Topic started by: saxophon on November 29, 2009, 04:12:39 PM

Title: Trojan problems
Post by: saxophon on November 29, 2009, 04:12:39 PM
Dear Computerhope,

Very glad that I found you and hope you can help me, as I'm not very used to solving problems like this.

So, two or three days ago my Firefox started to break down all the time. I updated it to version 3.5.5 but still the same. So I ran Antivir and it found a trojan and deleted it. Then when I booted the computer, I received a warning saying something like "required module pqrs.tmo cannot be loaded". So apparently this malware has left some traces.

I followed all the steps of your great malware removal procedure. The tools did find some things but Firefox still breaks down sometimes. Furthermore it is not possible to install Zone Alarm again (I removed it because I had Kaspersky in the meantime and they didn't fit together so I removed ZoneAlarm - quite stupid I guess). When I try to install it, it says "Could not load the DLL library".

And then it is also not possible anymore to bring the computer into the idle state (?). I don't know if it has something to do with the trojans?!

So, I have a three-year-old Toshiba Satellite M70-354 with Windows XP Home Edition version 5.1 Service Pack 3.

And here are my three logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/29/2009 at 10:25 PM

Application Version : 4.31.1000

Core Rules Database Version : 4318
Trace Rules Database Version: 2177

Scan type       : Complete Scan
Total Scan Time : 02:06:34

Memory items scanned      : 566
Memory threats detected   : 0
Registry items scanned    : 6001
Registry threats detected : 0
File items scanned        : 92804
File threats detected     : 10

Adware.Tracking Cookie
   C:\Dokumente und Einstellungen\Daniela\Cookies\[email protected][1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\daniela@webmasterplan[2].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\daniela@doubleclick[1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\[email protected][2].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\[email protected][1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\daniela@myroitracking[1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\[email protected][2].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\[email protected][1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\daniela@specificclick[1].txt
   C:\Dokumente und Einstellungen\Daniela\Cookies\daniela@atdmt[2].txt

Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3259
Windows 5.1.2600 Service Pack 3

29.11.2009 23:03:25
mbam-log-2009-11-29 (23-03-25).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 112942
Laufzeit: 7 minute(s), 49 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\bgfemgixf.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:31:21, on 29.11.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Apoint2K\Apoint.exe
C:\Programme\TOSHIBA\E-KEY\CeEKey.exe
C:\Programme\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programme\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Web.de Firefox\adminsvcff.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\AskBarDis\bar\bin\AskService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Alice\signup\AliceCnn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programme\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Programme\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Programme\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Programme\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Tvs] C:\Programme\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Programme\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {D7783732-69C6-4A28-BE53-618CC4609617} - C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.de
O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} - http://www.navigram.com/engine/v911/Navigram.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BC56476-AF49-4D08-B306-571658B00340}: NameServer = 62.109.123.7 213.191.92.86
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: WEB.DE Firefox Update (AdminSVCff) - hablamax - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Web.de Firefox\adminsvcff.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Programme\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9278 bytes

I hope you can help me with this. Thanks already!

Best, Daniela

Title: Re: Trojan problems
Post by: SuperDave on November 30, 2009, 11:59:38 AM
Hello saxophon and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans whilst I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

The logs look good. Just a bit of housecleaning to do.

ASKbar: This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Add or Remove Programs

1. Click on the Windows Start button and click on the Control Panel
2. In the Control Panel window, double-click Add or Remove Programs icon.
3. When the Add or Remove Programs window has fully populated, check for any programs such as ASKbar and uninstall them.

Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
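As an added example (not from this thread, and not HijackThis' own code), the Python below parses lines in the HijackThis log format quoted above and applies the same triage SD did by hand: entries that load from the AskBarDis folder, services with no recognised vendor, and the one-shot Malwarebytes cleanup entry. The sample lines are copied from the log in this thread, and the `unwanted_dirs` list is an assumption for this particular case.

```python
import re

# Constructed sample: a few entries copied from the HijackThis log posted
# earlier in this thread, in the exact line format HijackThis writes.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: ASKService - Unknown owner - C:\Programme\AskBarDis\bar\bin\AskService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First executable/DLL on a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll))"?', re.IGNORECASE)


def parse_entry(line):
    """Split one HijackThis line into section, name, path and (for O23) owner."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": line.strip(),
             "name": None, "path": None, "owner": None}
    if section in ("O2", "O3", "O23"):
        # Shape: "Label: Name - {CLSID} or vendor - path"
        parts = [p.strip() for p in body.split(" - ")]
        entry["name"] = parts[0].split(":", 1)[1].strip()
        entry["path"] = parts[-1]
        if section == "O23" and len(parts) >= 3:
            entry["owner"] = parts[1]
    elif section == "O4":
        # Shape: "HKLM\..\Run: [Name] command line"
        m4 = re.match(r"[^:]+: \[(.*?)\] (.*)", body)
        if m4:
            entry["name"] = m4.group(1)
            exe = EXE_RE.match(m4.group(2))
            entry["path"] = exe.group(1) if exe else m4.group(2)
    return entry


def triage(log_text, unwanted_dirs=("AskBarDis",),
           cleanup_markers=("/runcleanupscript",)):
    """Return [(raw_line, [reasons])] for every entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        path = e["path"] or ""
        if any(d.lower() in path.lower() for d in unwanted_dirs):
            reasons.append("loads from the folder of a program being removed")
        if e["section"] == "O23" and e["owner"] == "Unknown owner":
            reasons.append("service without a recognised vendor; verify the binary")
        if e["section"] == "O4" and any(m in e["raw"].lower() for m in cleanup_markers):
            reasons.append("one-shot cleanup entry left behind by a scanner")
        if e["section"] == "O4" and path and "\\" not in path:
            reasons.append("bare file name resolved via the search path; confirm where it lives")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_HJT_LOG):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

A "service without a recognised vendor" flag means review, not remove: the RichVideo service in the log above is a CyberLink component that SD left alone, while ASKService is flagged twice and matches what he asked to fix.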

Title: Re: Trojan problems
Post by: saxophon on November 30, 2009, 02:51:36 PM
Dear SD,

thanks for your quick reply and all the information.

I tried to find the ASKbar in the Control Panel in order to uninstall it but there was no icon for it. I found a file in my C:\Programme called "AskBarDis" where I found also a file called "unins000". Should I do it this way in order to uninstall the AskBar?

Then I removed the Windows Messenger following your instructions and did also the HijackThis scan where I could fix everything you mentioned except the two O9 Windows Messenger things (probably removed already before with the other tool?).

I attach also the log of the Hijackscan I did after all this.

Please let me know what I should do next. And then, there is still the problem with the idle/hibernate state which would be really nice to solve.

Thanks and all the best,
Daniela

[Saving space, attachment deleted by admin]
Title: Re: Trojan problems
Post by: SuperDave on November 30, 2009, 04:45:53 PM
Hello saxophon. You won't find an icon for ASKBar in the control panel but it is probably under Add/Remove programs. If it is not there, try this:

Delete An Uninstall Entry

• Start HijackThis

• Click on the Open the Misc Tools section

• Click on the Open Uninstall Manager button.

• Highlight the entry you want to remove.

Code:
ASKBar

• Click Delete this entry

Please let me know if you were able to find and remove it.
Title: Re: Trojan problems
Post by: saxophon on November 30, 2009, 05:10:39 PM
Hi SD,

Of course I didn't try to find it directly in the control panel but in the add/remove (in my German Windows version it's called "Software" in the "Systemsteuerung") but there is nothing.

Also in the HijackThis Uninstall Manager I can't find anything. Just, as I wrote before, under C:\Programme\AskBarDis there is something.

So, what do we do now???

Thanx again!
Title: Re: Trojan problems
Post by: SuperDave on November 30, 2009, 07:06:01 PM
Hi saxophon. Let's try this:

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Vista users: Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: Trojan problems
Post by: saxophon on December 01, 2009, 03:20:10 PM
Hi SD,

So I followed all your instructions but ComboFix didn't work without some problems. First it told me that Antivir is still active although I disabled it as described in your link. Then it told me something like that there is no recovery console (Wiederherstellungskonsole) on my computer and tried to download something but it didn't work.

Anyway, here are the two logs.

Thanks!

[Saving space, attachment deleted by admin]
Title: Re: Trojan problems
Post by: SuperDave on December 01, 2009, 07:39:21 PM
Can you please translate this for me?

Quote
Infizierte Kopie von c:\windows\system32\DRIVERS\atapi.sys wurde gefunden und desinfiziert
Kopie von - Kitty ate it :p wurde wiederhergestellt
Title: Re: Trojan problems
Post by: saxophon on December 02, 2009, 02:32:09 AM
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
copy of - Kitty ate it :P was recovered
Title: Re: Trojan problems
Post by: SuperDave on December 02, 2009, 07:14:46 PM
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::

File::

Folder::
c:\programme\AskBarDis

Registry::

Driver::
ASKService


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
Title: Re: Trojan problems
Post by: saxophon on December 03, 2009, 02:18:04 PM
Hi SD,

here is the new combofix log.

Best,
Daniela

[Saving space, attachment deleted by admin]
Title: Re: Trojan problems
Post by: SuperDave on December 03, 2009, 04:31:18 PM
Danke, Daniela. One more scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the << Back button then click Finish.

In your next reply please include the ESET Online Scan Log
and another HJT log.
Title: Re: Trojan problems
Post by: saxophon on December 05, 2009, 10:15:56 AM
Hi SD,

Here are the two new logs. While ESET was doing the scan Antivir found a new trojan, which is now in quarantine. It's called TR/Trash. Gen Trojan and was located in C:\System volume Information

By the way, obviously the trojan found my old credit card info (I hadn't used it for more than 2 months) and tried to book flights on easyjet. Fortunately my bank informed me directly and blocked the card. But where did they get all this information (on 30.11. and 1.12. they tried to book the flights)? I haven't saved it on my computer and as I said didn't use it for several weeks! I'm quite worried now what will happen next...

Please advise me what to do to stop this!!!
THANKS

[Saving space, attachment deleted by admin]
Title: Re: Trojan problems
Post by: SuperDave on December 05, 2009, 11:37:37 AM
Danke, saxophon. This is something that was unexpected and it is bad news. See below.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall? (http://www.dslreports.com/faq/10063)

We have attempted to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

As you can see this is quite serious. Please ensure that you read everything especially about backing up your important data.

Please let me know what you are going to do. At the moment, your computer appears to be clean. I had this happen to me on my laptop and I now only use it for surfing.
Title: Re: Trojan problems
Post by: SuperDave on December 05, 2009, 01:54:08 PM
Good news saxophon. I spoke with my mentor and felt that your computer was no longer at risk. Therefore, a re-format would be totally up to you. You should, however, look after your credit cards and have them changed as well as your passwords.
Title: Re: Trojan problems
Post by: saxophon on December 06, 2009, 10:42:45 AM
Hello SD,

Thanks for your replies. I'm a bit confused now because your two posts are so completely contrary. Of course I will again change my passwords and look after my credit cards but are you really sure that my PC is safe now? Maybe I should do a re-format?
And can you explain to me where the trojans found my credit card information? Somewhere in the browser, although I used CCleaner quite regularly? I really would like to know better how I can avoid it happening again.

Thanx,
Daniela
Title: Re: Trojan problems
Post by: SuperDave on December 06, 2009, 01:24:06 PM
Hello saxophon. As soon as I saw the information about a backdoor trojan in your ESET scan I issued the warning. Afterwards, I spoke to my mentor and he assures me that your computer is safe. Having a good firewall that blocks out-going traffic is one major way of stopping information from your computer getting out. Is it possible that someone was able to steal the information from your credit card in the real world (outside of your computer)? This article will help explain how they work at stealing information.
Read this article: Danger: Remote Access Trojans. (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)