Author Topic: application can not be executed - xy is infected - trojan horse (Read 17924 times)

ekluever · « **on:** July 07, 2010, 01:14:50 PM »

Hello there
I had a serious problem with seemingly a trojan horse,which didn't let me open anything as everything was supposedly infected, also all kinds of antivirus programs.
Finally I succeeded in doing a scan with Superantispyware by first using rkill.com and then exeHelper.com
Then I did a quick scan with Malwarebytes.
Ultimately I did a scan with Trend Micro Hijack.
I am now able to open Outlook again, etc. and the messages telling me to purchase protection seized.
I'll attach the logs, to make sure that everything is okay with your help and advice!
I also freshly downloaded Avira Antivir Personal - but it won't update. At the same time Windows Defender is now active, as the Security Center still says virus protection (by Antivir) is out of date.
I furthermore downloaded PC Tools Firewall, but also the Windows Firewall is active - I am not sure whether to switch anything off.
Many thanks for any help you can provide on the finishing off of the trojan horse and current/double firewalls and virus protection!
Elisa

[recovering disk space - old attachment deleted by admin]

ekluever · « **Reply #1 on:** July 07, 2010, 01:19:26 PM »

I'm sorry, I just read the post saying we should not attach logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2010 at 05:30 PM

Application Version : 4.40.1002

Core Rules Database Version : 5134
Trace Rules Database Version: 2946

Scan type : Complete Scan
Total Scan Time : 02:31:59

Memory items scanned : 550
Memory threats detected : 0
Registry items scanned : 7728
Registry threats detected : 3
File items scanned : 185244
File threats detected : 37

Adware.Flash Tracking Cookie
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\SERVING-SYS.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\BC.YOUPORN.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\STATIC.YOUPORN.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\IA.MEDIA-IMDB.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\MEDIA.ENTERTONEMENT.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\EC.ATDMT.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\SPE.ATDMT.COM
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\M1.2MDN.NET
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\M1.EMEA.2MDN.NET
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\S0.2MDN.NET
   C:\Users\Elisa\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\NDUZ5RBG\SECURE-US.IMRWORLDWIDE.COM

Rogue.AntivirusSoft
   HKU\S-1-5-21-2443503019-3500141324-4188383778-1000\Software\avsoft

Malware.Trace
   C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
   C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
   HKU\S-1-5-21-2443503019-3500141324-4188383778-1000\SOFTWARE\XML
   HKU\S-1-5-21-2443503019-3500141324-4188383778-1000\SOFTWARE\AVSUITE

Trojan.Agent/Gen-FraudLoad
   C:\USERS\ELISA\APPDATA\LOCAL\TEMP\ERMS.EXE
   C:\Windows\Prefetch\ERMS.EXE-DF23FA25.pf

Trojan.Agent/Gen-Small[Parvat]
   C:\USERS\ELISA\APPDATA\LOCAL\TEMP\MSRXACONEW.EXE
   C:\Windows\Prefetch\MSRXACONEW.EXE-D5D62C85.pf

Trojan.Agent/Gen-NET
   C:\USERS\ELISA\APPDATA\LOCAL\VIRTUALSTORE\WINDOWS\SYSTEM32\NET.NET

Adware.Tracking Cookie
   bc.youporn.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   cdn2.themis-media.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   cdn5.specificclick.net [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   cloud.video.unrulymedia.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   ec.atdmt.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   gw.callingbanners.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   ia.media-imdb.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   m1.2mdn.net [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   m1.emea.2mdn.net [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   media.entertonement.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   media.restaurant-bookings.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   media.scanscout.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   media01.kyte.tv [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   s0.2mdn.net [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   secure-us.imrworldwide.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   serving-sys.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   spe.atdmt.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   static.youporn.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RBG ]
   www.emitourtracker.com [ C:\Users\Elisa\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NDUZ5RB

_______________________________________ ___________________________________

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4289

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

7/7/2010 6:03:05 PM
mbam-log-2010-07-07 (18-03-05).txt

Scan type: Quick scan
Objects scanned: 142531
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\UBC5AB1IDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oskpmnnf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewabqaf7kl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Elisa\AppData\Local\yipovrvjr\eqltluotssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Roaming\2b01e43f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\system32\Drivers\igcmc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\omsxenwcar.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\rgdrebd.exe (Trojan.Insain) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\drebjsrc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\emwfggn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\vlln.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\Kzv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Elisa\downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Users\Elisa\AppData\Local\Temp\Kzx.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

_______________________________________ _______________________________________ _

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:00 PM, on 7/7/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

--
End of file - 5240 bytes

Sorry about that error with attaching first...

SuperDave · « **Reply #2 on:** July 07, 2010, 05:58:11 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Quote

I furthermore downloaded PC Tools Firewall, but also the Windows Firewall is active - I am not sure whether to switch anything off.

Please turn one of them off. You should only run one firewall.

I strongly recommend that you remove Ask from your computer because it;

•Promotes its toolbars on sites targeted to kids.

•Promotes its toolbars through ads that appear to be part of other companies' sites.

•Promotes its toolbars through other companies' spyware.

•Installs without any disclosure whatsoever and without any consent whatsoever.

•Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

•Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

•AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis. or anything related to Ask.

==============================================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

=======================================

Download ComboFix by sUBs from one of the below links.

Important! You MUST save ComboFix to your desktop

link # 1
Link # 2

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

ekluever · « **Reply #3 on:** July 08, 2010, 05:34:58 AM »

Dear Dave
Thank you soooo much!
Yes, I had tried to remove Ask before - but hadn't succeeded... This time I hope I have, even though I just did the steps through the Control Panel, as in the Program List nothing was to be found.
At first I couldn't do the HijackThis Fix because it repeatedly said the program was running already and wouldn't let me open it. After restarting the computer, however, it worked.
I'll copy and paste the ComboFix log:

ComboFix 10-07-07.02 - Elisa 07/08/2010 11:55:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1169 [GMT 1:00]
Running from: c:\users\Elisa\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-07 20:21 . 2010-07-07 20:22   --------   d-----w-   c:\users\Elisa\AppData\Roaming\PCToolsFirewallPlus
2010-07-07 19:03 . 2010-01-12 08:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-07-07 19:03 . 2010-01-07 10:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
2010-07-07 19:03 . 2010-01-07 10:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
2010-07-07 19:03 . 2010-01-13 07:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
2010-07-07 19:02 . 2010-07-07 20:22   --------   d-----w-   c:\program files\PC Tools Firewall Plus
2010-07-07 17:30 . 2010-07-07 17:30   --------   d-----w-   c:\users\Elisa\AppData\Roaming\Avira
2010-07-07 17:24 . 2010-07-07 17:24   --------   d-----w-   c:\programdata\Avira
2010-07-07 17:24 . 2010-07-07 17:24   --------   d-----w-   c:\program files\Avira
2010-07-07 17:24 . 2010-03-01 09:05   124784   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2010-07-07 17:24 . 2010-02-16 13:24   60936   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-07-07 17:24 . 2009-05-11 11:49   51992   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2010-07-07 17:24 . 2009-05-11 11:49   17016   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2010-07-07 17:07 . 2010-07-07 17:07   --------   d-----w-   c:\program files\Trend Micro
2010-07-07 12:29 . 2010-07-07 12:29   63488   ----a-w-   c:\users\Elisa\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-07 12:29 . 2010-07-07 12:29   52224   ----a-w-   c:\users\Elisa\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-07 12:29 . 2010-07-07 12:29   117760   ----a-w-   c:\users\Elisa\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-07 12:29 . 2010-07-07 12:29   --------   d-----w-   c:\users\Elisa\AppData\Roaming\SUPERAntiSpyware.com
2010-07-07 12:29 . 2010-07-07 12:29   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2010-07-07 10:35 . 2010-03-17 10:35   309248   ----a-w-   c:\users\Elisa\AppData\Roaming\Mozilla\Firefox\Profiles\zsj0t91x.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-07-07 10:11 . 2010-07-07 10:11   --------   d-----w-   c:\users\Elisa\AppData\Roaming\Malwarebytes
2010-07-07 10:11 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-07 10:11 . 2010-07-07 16:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-07 10:11 . 2010-07-07 10:11   --------   d-----w-   c:\programdata\Malwarebytes
2010-07-07 10:11 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-07 00:19 . 2010-02-05 08:18   100136   ----a-w-   c:\windows\system32\drivers\pctwfpfilter.sys
2010-07-07 00:19 . 2010-02-05 08:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-07-07 00:19 . 2010-03-29 09:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-07-07 00:19 . 2009-11-23 12:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-07 00:19 . 2010-04-08 13:29   63360   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
2010-07-07 00:19 . 2010-07-07 19:03   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-07-07 00:19 . 2010-07-07 00:19   --------   d-----w-   c:\program files\Spyware Doctor
2010-07-07 00:19 . 2010-07-07 00:19   --------   d-----w-   c:\users\Elisa\AppData\Roaming\PC Tools
2010-07-07 00:19 . 2010-07-07 00:19   --------   d-----w-   c:\programdata\PC Tools
2010-07-06 20:52 . 2010-07-07 17:03   --------   d-----w-   c:\users\Elisa\AppData\Local\yipovrvjr
2010-07-06 20:52 . 2010-07-07 18:51   --------   d-----w-   c:\users\Elisa\AppData\Roaming\4BE28AF70D98635D906A7947BA597FBF
2010-06-30 15:54 . 2010-06-30 15:59   --------   d-----w-   c:\users\Elisa\AppData\Local\Microsoft Games
2010-06-23 08:24 . 2009-11-08 09:55   99176   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
2010-06-23 08:24 . 2009-11-08 09:55   49472   ----a-w-   c:\windows\system32\netfxperf.dll
2010-06-23 08:24 . 2009-11-08 09:55   297808   ----a-w-   c:\windows\system32\mscoree.dll
2010-06-23 08:24 . 2009-11-08 09:55   295264   ----a-w-   c:\windows\system32\PresentationHost.exe
2010-06-23 08:24 . 2009-11-08 09:55   1130824   ----a-w-   c:\windows\system32\dfshim.dll
2010-06-23 08:05 . 2010-04-16 16:43   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2010-06-23 08:05 . 2010-04-16 14:39   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-21 20:09 . 2010-06-21 20:09   --------   d-----w-   c:\program files\7-Zip
2010-06-15 12:37 . 2010-06-15 12:37   --------   d-----w-   c:\users\Default\AppData\Roaming\Trusteer
2010-06-08 18:40 . 2009-09-04 16:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2010-06-08 18:40 . 2006-09-28 15:05   2414360   ----a-w-   c:\windows\system32\d3dx9_31.dll
2010-06-08 18:39 . 2010-06-08 18:39   --------   d-----w-   c:\program files\Winamp Detect
2010-06-08 18:39 . 2010-06-22 23:05   --------   d-----w-   c:\users\Elisa\AppData\Roaming\Winamp
2010-06-08 18:39 . 2010-06-08 19:43   --------   d-----w-   c:\program files\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 10:22 . 2009-09-29 23:13   --------   d-----w-   c:\users\Elisa\AppData\Roaming\Skype
2010-07-08 09:39 . 2009-09-29 23:14   --------   d-----w-   c:\users\Elisa\AppData\Roaming\skypePM
2010-07-07 10:58 . 2009-09-29 13:17   680   ----a-w-   c:\users\Elisa\AppData\Local\d3d9caps.dat
2010-06-20 12:30 . 2009-09-29 13:37   --------   d-----w-   c:\users\Elisa\AppData\Roaming\vlc
2010-06-11 10:02 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-06-09 18:49 . 2010-06-09 18:49   --------   d-----w-   c:\programdata\WindowsSearch
2010-06-08 18:39 . 2009-10-18 10:41   --------   d-----w-   c:\program files\Common Files\PX Storage Engine
2010-06-07 17:07 . 2010-06-07 17:07   434176   ----a-w-   c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-03 02:41 . 2010-06-03 02:41   3600384   ----a-w-   c:\windows\system32\GPhotos.scr
2010-05-26 17:06 . 2010-06-09 18:49   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 18:49   289792   ----a-w-   c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2009-10-03 08:05   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-04 19:15 . 2010-06-09 18:49   834048   ----a-w-   c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-09 18:49   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-05-01 14:13 . 2010-06-09 18:49   2037248   ----a-w-   c:\windows\system32\win32k.sys
2010-04-23 23:16 . 2010-04-23 23:16   0   ----a-w-   c:\users\Elisa\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-04-23 23:12 . 2010-04-23 23:12   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-04-23 14:13 . 2010-05-25 18:59   2048   ----a-w-   c:\windows\system32\tzres.dll
2010-04-16 16:43 . 2010-06-23 08:05   173056   ----a-w-   c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:43 . 2010-06-23 08:05   458752   ----a-w-   c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:43 . 2010-06-23 08:05   542720   ----a-w-   c:\windows\AppPatch\AcLayers.dll
2010-04-16 16:43 . 2010-06-23 08:05   2159616   ----a-w-   c:\windows\AppPatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-23 149280]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-25 37888]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8c,17,d4,44,62,51,ca,01

R3 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
R3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-09-29 721904]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
S1 SASDIFSV;SASDIFSV;c:\users\Elisa\Desktop\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\users\Elisa\Desktop\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-06-07 840936]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]

--- Other Services/Drivers In Memory ---

*Deregistered* - igcmc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ     FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{982BEE4D-B0F2-4903-9506-A2914121ECE0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elisa\AppData\Roaming\Mozilla\Firefox\Profiles\zsj0t91x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Elisa\AppData\Roaming\Mozilla\Firefox\Profiles\zsj0t91x.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\igcmc]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-08 12:04:58
ComboFix-quarantined-files.txt 2010-07-08 11:04

Pre-Run: 51,518,025,728 bytes free
Post-Run: 58,767,671,296 bytes free

- - End Of File - - 3AA2539EAD85F3013441B540F3D8ADE5

Afterwards, when turning the firewall back on, interestingly the update of AntiVir finally worked. so now windows leaves me alone with security-warnings...
Many, many thanks,
Elisa

ekluever · « **Reply #4 on:** July 08, 2010, 07:40:47 AM »

oh, somehow skype was just now constantly turning itself off - no idea whether that is related, as it didn't work at all, before i followed the guidelines and did all the scans with the different programs mentioned here...

SuperDave · « **Reply #5 on:** July 08, 2010, 11:51:16 AM »

I'd like us to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the

button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check

•Click the

button.
•Accept any security warnings from your browser.
•Check

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push

•Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the

button.
•Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

ekluever · « **Reply #6 on:** July 09, 2010, 03:55:49 AM »

hello dave
i ran the eset scan, but during the scan my computer went out of battery and thus turned itself off. when i plugged it in again, it seemingly resumed the scan where it had been interrupted. i couldn't click 'list of found threats' however, as the result is, that no threats have been found...
what do you say?
shall i repeat the scan with the computer plugged in all the time?
thanks a lot,
elisa

ps: what also happened a couple of times now, is that when starting the computer it says it has some problem, whether i want to start it in safemode or regular, or two other versions, and if i don't choose anything, it'll resume as regular. the first times i used to chose the 'normal' button (i can't remember what exactly it said) and it returned after a while to the same view - mentioning it had a problem, and whether i wanted to start the system in one of the four options. when i just didn't klick anything, but let it resume in the regular way after waiting for a couple of seconds, then it would finally start normally.

SuperDave · « **Reply #7 on:** July 09, 2010, 05:43:55 AM »

Let's try another scanner.

Download Dr.Web CureIt to the desktop:
Dr WebCureIt

Double-click the launch.exe or cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, just let it cure whatever it finds...

o Now, go to Settings >> Change Settings
o Go to Actions tab >> under Objects section, change the settings to below
Infected objects - Cure
Incurable objects - Report
Suspicious objects - Report
o Don't change any other settings

Start the scan again. This time, choose Complete Scan
Click the green arrow button at the right, and the scan will start.
After the scan finished, click Select all
Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your Desktop. The report will be called DrWeb.csv
Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

ekluever · « **Reply #8 on:** July 09, 2010, 01:36:42 PM »

Hello Dave
It didn't work-when i click on the link the server can't be found.
In the mean time, I had turned my laptop off again, and this time had the troubles with starting it many times.
It repeatedly says Windows failed start and recent hardware or software change might be the cause, and whether I'd like to start it in 3 different versions of safemode, in the last configuration or start normally...
and when I enter the 'start normally' or when it does so after a few seconds passing by, by itself, it just loads a bit and ends up saying the exact same thing - until after 4 or 5 attempts it finally does load...
Also I now noticed, that in the small search field to the upper right, where i set google as my default search machine, ask.com still is an option, and removed it from there. I don't know if that means, however, that it could still be elsewhere or whether it's been the last souvenir.
sorry, i feel really bad at explaining this.
thanks a lot for all the help!

SuperDave · « **Reply #9 on:** July 09, 2010, 03:00:08 PM »

Could you please try running the ESET scan again?

ekluever · « **Reply #10 on:** July 09, 2010, 10:37:44 PM »

i just started the eset scanner again - but in the meantime windows defender alerted me it had found PWS:Win32/Daurso.A
as it asked me to either remove or ignore it, i klicked the remove button...
i'll keep you posted and thanks again!

ekluever · « **Reply #11 on:** July 09, 2010, 10:48:04 PM »

oh, and thereby i noticed that not only antivir but also windows defender is running - shall i turn windows defender off, or even uninstall it maybe?
(I like having not too many programs, and antivir was recommended by this site, whereas the defender wasn't- or is the 'two is too many' thing only true for firewalls?)

SuperDave · « **Reply #12 on:** July 10, 2010, 05:33:32 PM »

One Anti-Virus, one firewall and you can run a few anti-malware programs (more about this later ) if you wish. Windows Defender is ok to run alongside your AV.

ekluever · « **Reply #13 on:** July 11, 2010, 12:47:07 PM »

hello dave
finally i managed to run the complete scan (i had the time and the computer didn't shut itself off):

this is the list of threats:
C:\Windows\temp\37716533.tmp   a variant of Win32/Kryptik.FKM trojan
C:\Windows\temp\a879b485.tmp   a variant of Win32/Kryptik.FKM trojan

and this is the (hopefully right - since i had run the scan before and the results were different then) log:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d1385694d1dc1f45a007e809a130e85c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-09 01:48:51
# local_time=2010-07-09 02:48:51 (+0000, GMT Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 149069 149069 0 0
# compatibility_mode=1797 16775165 100 94 2018 37761018 80461 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 69082 116204253 0 0
# compatibility_mode=8192 67108863 100 0 143 143 0 0
# scanned=172418
# found=0
# cleaned=0
# scan_time=11806
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d1385694d1dc1f45a007e809a130e85c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-11 06:31:24
# local_time=2010-07-11 07:31:24 (+0000, GMT Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 345811 345811 0 0
# compatibility_mode=1797 16775165 100 94 198760 37957760 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 265824 116400995 0 0
# compatibility_mode=8192 67108863 100 0 196885 196885 0 0
# scanned=172573
# found=2
# cleaned=0
# scan_time=4816
C:\Windows\temp\37716533.tmp   a variant of Win32/Kryptik.FKM trojan   00000000000000000000000000000000   I
C:\Windows\temp\a879b485.tmp   a variant of Win32/Kryptik.FKM trojan   00000000000000000000000000000000   I

many thanks,
elisa

SuperDave · « **Reply #14 on:** July 11, 2010, 06:14:32 PM »

Just another scan to make sure, if you don't mind.

Download Dr.Web CureIt to the desktop:
Dr WebCureIt

Double-click the launch.exe or cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, just let it cure whatever it finds...

o Now, go to Settings >> Change Settings
o Go to Actions tab >> under Objects section, change the settings to below
Infected objects - Cure
Incurable objects - Report
Suspicious objects - Report
o Don't change any other settings

Start the scan again. This time, choose Complete Scan
Click the green arrow button at the right, and the scan will start.
After the scan finished, click Select all
Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your Desktop. The report will be called DrWeb.csv
Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

ekluever · « **Reply #15 on:** July 12, 2010, 01:48:41 AM »

with web cure it same thing as last time: i could not open the page - server not found...
and what about the two threats that were found by eset this time? since i pressed merely the 'scan archives' button and not the 'remove found threats'-one?
thanks again

ekluever · « **Reply #16 on:** July 12, 2010, 03:54:17 PM »

i just had windows defender finding that PWS:Win32/Daurso.A again-and i removed it again....
i really hope we will ultimately solve this.
many thanks for all the help up until now!
e

SuperDave · « **Reply #17 on:** July 12, 2010, 05:40:47 PM »

Quote

and what about the two threats that were found by eset this time? since i pressed merely the 'scan archives' button and not the 'remove found threats'-one?

Run the ESET scan again and, this time remove them please.

ekluever · « **Reply #18 on:** July 13, 2010, 04:37:29 PM »

this time i removed the threats (which amounted to 5 now...) and these are the results:

C:\Windows\temp\37716533.tmp   a variant of Win32/Kryptik.FKM trojan   cleaned by deleting - quarantined
C:\Windows\temp\5f9d0076.tmp   a variant of Win32/Kryptik.FKM trojan   cleaned by deleting - quarantined
C:\Windows\temp\8d556260.tmp   a variant of Win32/Kryptik.FKM trojan   cleaned by deleting - quarantined
C:\Windows\temp\a879b485.tmp   a variant of Win32/Kryptik.FKM trojan   cleaned by deleting - quarantined
C:\Windows\temp\d7db9f3.tmp   a variant of Win32/Kryptik.FKM trojan   cleaned by deleting - quarantined

web Cureit still does not work however...

ekluever · « **Reply #19 on:** July 13, 2010, 04:41:29 PM »

i don't know if it would work if i just didn't use the link you posted but would download it from here http://www.freedrweb.com/cureit/?lng=en -> is this the right thing?
many thanks!

SuperDave · « **Reply #20 on:** July 13, 2010, 05:18:13 PM »

Quote from: ekluever on July 13, 2010, 04:41:29 PM

i don't know if it would work if i just didn't use the link you posted but would download it from here http://www.freedrweb.com/cureit/?lng=en -> is this the right thing?
many thanks!

Yes, that's correct. We don't normally send users to websites; by clicking on the link you should get a download message.

ekluever · « **Reply #21 on:** July 14, 2010, 02:24:24 PM »

hello dave, i ran the dr.web cure it quick scan (while i was gone to work) and when i returned it said it didn't find any threats. in the meantime my friend said however, that i should have cut my internet connection, while doing the scan.
i did not do the complete scan - cause i wasn't sure since it hadn't found anything in the first place.
what do you recommend next?
thanks,
elisa

ps: yes, i know, usually clicking your links always directly opened the download window, just this one tried to open a new tab and then said it couldn't find the server...

SuperDave · « **Reply #22 on:** July 14, 2010, 07:06:04 PM »

Elisa, could you please give it a few days and then come back and tell how everything is working. If it's ok by then, we'll do some cleanup.

ekluever · « **Reply #23 on:** July 15, 2010, 02:21:19 AM »

hello dave
malicious software removal tool today alerted me and said it found a Trojan:WinNT/Bubnix.gen!A which it partially removed.
what keeps happening unfortunately, is that it won't properly start, it'll say a problem has been detected and windows has been shut down to prevent damage to your computer acpi.sys
then it'll restart, come to the site i described before, where you can choose one of five start-options. the normal starting is the highlighted choice which will be chosen automatically after 30 sec.
this cycle will be gone through a couple of times, until eventually, with the automatic choice it'll start normally...
i just wanted to describe this problem again.
other than that, it seems to be working fine.
i'll shut it down now and then run a complete antivir scan, as this is whast was suggested after finding the above mentioned file...
else, i'll follow your advice and call back in a couple of days.
many thanks!
elisa

ekluever · « **Reply #24 on:** July 15, 2010, 03:47:39 AM »

oh, and something was found when i started another antivr-scan just now, i'll paste the log:

Avira AntiVir Personal
Report file date: Thursday, July 15, 2010 09:27

Scanning for 2346510 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ELISA-PC

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 12:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 12:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 18:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 11:09:48
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 11:09:54
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 11:09:54
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 11:09:54
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 11:09:54
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 11:09:54
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 11:09:54
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 11:09:54
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 11:09:55
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 11:09:55
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 11:09:56
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 11:09:56
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 11:09:57
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 11:09:57
VBASE019.VDF : 7.10.8.220 134656 Bytes 6/29/2010 11:09:58
VBASE020.VDF : 7.10.8.252 171520 Bytes 7/4/2010 11:09:58
VBASE021.VDF : 7.10.9.19 131072 Bytes 7/6/2010 11:09:59
VBASE022.VDF : 7.10.9.36 297472 Bytes 7/7/2010 11:09:59
VBASE023.VDF : 7.10.9.60 150016 Bytes 7/11/2010 08:02:27
VBASE024.VDF : 7.10.9.79 113152 Bytes 7/13/2010 08:02:27
VBASE025.VDF : 7.10.9.80 2048 Bytes 7/13/2010 08:02:27
VBASE026.VDF : 7.10.9.81 2048 Bytes 7/13/2010 08:02:27
VBASE027.VDF : 7.10.9.82 2048 Bytes 7/13/2010 08:02:27
VBASE028.VDF : 7.10.9.83 2048 Bytes 7/13/2010 08:02:28
VBASE029.VDF : 7.10.9.84 2048 Bytes 7/13/2010 08:02:28
VBASE030.VDF : 7.10.9.85 2048 Bytes 7/13/2010 08:02:28
VBASE031.VDF : 7.10.9.90 95744 Bytes 7/14/2010 08:02:30
Engineversion : 8.2.4.10
AEVDF.DLL : 8.1.2.0 106868 Bytes 7/8/2010 11:10:09
AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 7/8/2010 11:10:09
AESCN.DLL : 8.1.6.1 127347 Bytes 7/8/2010 11:10:08
AESBX.DLL : 8.1.3.1 254324 Bytes 7/8/2010 11:10:10
AERDL.DLL : 8.1.4.6 541043 Bytes 7/8/2010 11:10:08
AEPACK.DLL : 8.2.2.5 430453 Bytes 7/8/2010 11:10:08
AEOFFICE.DLL : 8.1.1.6 201081 Bytes 7/8/2010 11:10:07
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 7/8/2010 11:10:07
AEHELP.DLL : 8.1.11.6 242038 Bytes 7/8/2010 11:10:04
AEGEN.DLL : 8.1.3.13 381300 Bytes 7/8/2010 11:10:04
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/8/2010 11:10:03
AECORE.DLL : 8.1.15.3 192886 Bytes 7/8/2010 11:10:02
AEBB.DLL : 8.1.1.0 53618 Bytes 7/8/2010 11:10:00
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 12:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 16:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 12:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 12:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 12:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 09:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 13:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 14:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, July 15, 2010 09:27

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'winamp.exe' - '190' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'avscan.exe' - '79' Module(s) have been scanned
Scan process 'SkypeNames.exe' - '25' Module(s) have been scanned
Scan process 'skypePM.exe' - '67' Module(s) have been scanned
Scan process 'Skype.exe' - '123' Module(s) have been scanned
Scan process 'firefox.exe' - '118' Module(s) have been scanned
Scan process 'mobsync.exe' - '38' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '30' Module(s) have been scanned
Scan process 'FirewallGUI.exe' - '48' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'pctsTray.exe' - '59' Module(s) have been scanned
Scan process 'winampa.exe' - '21' Module(s) have been scanned
Scan process 'jusched.exe' - '24' Module(s) have been scanned
Scan process 'OEM02Mon.exe' - '34' Module(s) have been scanned
Scan process 'igfxpers.exe' - '26' Module(s) have been scanned
Scan process 'hkcmd.exe' - '26' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '43' Module(s) have been scanned
Scan process 'MSASCui.exe' - '40' Module(s) have been scanned
Scan process 'taskeng.exe' - '47' Module(s) have been scanned
Scan process 'RapportService.exe' - '72' Module(s) have been scanned
Scan process 'Explorer.EXE' - '160' Module(s) have been scanned
Scan process 'taskeng.exe' - '82' Module(s) have been scanned
Scan process 'Dwm.exe' - '29' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '33' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '60' Module(s) have been scanned
Scan process 'svchost.exe' - '9' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '26' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'IoctlSvc.exe' - '21' Module(s) have been scanned
Scan process 'FWService.exe' - '61' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'svchost.exe' - '62' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'spoolsv.exe' - '85' Module(s) have been scanned
Scan process 'svchost.exe' - '91' Module(s) have been scanned
Scan process 'svchost.exe' - '86' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '153' Module(s) have been scanned
Scan process 'svchost.exe' - '115' Module(s) have been scanned
Scan process 'svchost.exe' - '66' Module(s) have been scanned
Scan process 'RapportMgmtService.exe' - '68' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'winlogon.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '350' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\Program Files\7-Zip\Uninstall.exe
[WARNING] Insufficient memory. The file was not scanned.
C:\Users\Elisa\Downloads\7z465.exe
[WARNING] Insufficient memory. The file was not scanned.
C:\Windows\System32\drivers\igcmc.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
Begin scan in 'D:\' <Laptop-Datenfestplatte>

Beginning disinfection:
C:\Windows\System32\drivers\igcmc.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '48757dfe.qua'.

End of the scan: Thursday, July 15, 2010 10:46
Used time: 1:14:10 Hour(s)

The scan has been done completely.

17360 Scanned directories
274560 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
274559 Files not concerned
1061 Archives were scanned
2 Warnings
1 Notes
462110 Objects were scanned with rootkit scan
0 Hidden objects were found

cheers

SuperDave · « **Reply #25 on:** July 15, 2010, 06:43:10 PM »

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

ekluever · « **Reply #26 on:** July 16, 2010, 08:09:18 AM »

dear dave
everything went a bit different from the description, i wasn't asked whether i wanted to perform any scan, so i just checked whether the boxes were all checked/unchecked and then started the scan, which seemed to have finished but again i didn't receive any notice.
here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-16 15:01:42
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Elisa\AppData\Local\Temp\uglcapoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0xA82F5752]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0xA82F5388]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0xA82F5440]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0xA82F5482]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0xA82F5530]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0xA82F5DD8]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0xA82F5E64]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0xA82F5EF4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0xA82F5580]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0xA82F55C2]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0xA82F5606]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0xA82F5648]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0xA82F568A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0xA82F56CC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0xA82F579A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRequestWaitReplyPort [0xA82F570E]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0xA82F57DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0xA82F5824]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0xA82F58B4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0xA82F5866]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0xA82F5958]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0xA82F599A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0xA82F59DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0xA82F5A2A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0xA82F5F96]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0xA82F5D68]

INT 0x62 ? 854F6BF8
INT 0x72 ? 854F6BF8
INT 0x72 ? 854F6BF8
INT 0x72 ? 854F6BF8
INT 0x82 ? 854F6BF8
INT 0x82 ? 854F6BF8
INT 0x82 ? 854F6BF8
INT 0x82 ? 854F6BF8
INT 0xA2 ? 84606BF8
INT 0xB2 ? 84606BF8
INT 0xB2 ? 84606BF8
INT 0xB2 ? 84606BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 131 81AEE894 4 Bytes [52, 57, 2F, A8]
.text ntkrnlpa.exe!KeSetEvent + 13D 81AEE8A0 4 Bytes [88, 53, 2F, A8]
.text ntkrnlpa.exe!KeSetEvent + 191 81AEE8F4 4 Bytes [40, 54, 2F, A8]
.text ntkrnlpa.exe!KeSetEvent + 1C1 81AEE924 4 Bytes [82, 54, 2F, A8]
.text ntkrnlpa.exe!KeSetEvent + 1D9 81AEE93C 4 Bytes [30, 55, 2F, A8]
.text ...
? System32\Drivers\spxo.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8C5A341B 5 Bytes JMP 854F61D8
.text au8ydgj3.SYS 8BA35000 22 Bytes [82, 63, A1, 81, 6C, 62, A1, ...]
.text au8ydgj3.SYS 8BA35017 181 Bytes [00, 32, B7, 79, 80, 3D, B5, ...]
.text au8ydgj3.SYS 8BA350CE 10 Bytes [00, 00, 00, 00, 00, 00, 02, ...]
.text au8ydgj3.SYS 8BA350DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text au8ydgj3.SYS 8BA350E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...
? \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] ntdll.dll!KiUserApcDispatcher 77855D18 5 Bytes JMP 00414A50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] USER32.dll!InSendMessageEx + 3B1 76FAE6B0 6 Bytes JMP 0044C7F0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] WS2_32.dll!getaddrinfo 77A2418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] WS2_32.dll!gethostbyname 77A362D4 5 Bytes JMP 71670022
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] ntdll.dll!LdrLoadDll 77819390 5 Bytes JMP 00B013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] ntdll.dll!KiUserApcDispatcher 77855D18 5 Bytes JMP 02187B40 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] kernel32.dll!SetUnhandledExceptionFilter 76E4A84F 6 Bytes PUSH 71510022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] USER32.dll!DdeInitializeW 76FA7921 6 Bytes PUSH 714E0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] USER32.dll!RegisterClassExW 76FADA30 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] USER32.dll!GetMessageW 76FBFEF7 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] USER32.dll!TranslateMessage 76FC01AD 6 Bytes PUSH 71410022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] USER32.dll!GetClipboardData 76FE715A 6 Bytes PUSH 714B0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] GDI32.dll!BitBlt 76F070A6 6 Bytes PUSH 71540022; RET
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] ntdll.dll!KiUserApcDispatcher 77855D18 5 Bytes JMP 00438CE0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] WS2_32.dll!getaddrinfo 77A2418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] WS2_32.dll!gethostbyname 77A362D4 5 Bytes JMP 716E0022
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3848] kernel32.dll!CreateThread + 1A 76E6C928 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806916D6] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80691042] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80691800] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806910C0] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069113E] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A0E9C] \SystemRoot\System32\Drivers\spxo.sys
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortWritePortUchar] 838BA5AF
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 100D8BA5
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8BA580
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\au8ydgj3.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1104] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 71670000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\GDI32.dll [USER32.dll!GetWindowRect] 71450000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\ole32.dll [USER32.dll!GetWindowRect] 71450000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetWindowRect] 71450000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3200] @ C:\Windows\system32\WININET.dll [USER32.dll!GetWindowRect] 71450000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3328] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3848] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3848] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8460C1F8
Device \Driver\volmgr \Device\VolMgrControl 846081F8
Device \Driver\usbuhci \Device\USBPDO-0 854F31F8
Device \Driver\sptd \Device\1136032336 spxo.sys
Device \Driver\usbuhci \Device\USBPDO-1 854F31F8
Device \Driver\usbehci \Device\USBPDO-2 854E41F8
Device \Driver\usbuhci \Device\USBPDO-3 854F31F8
Device \Driver\usbuhci \Device\USBPDO-4 854F31F8

AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys

Device \Driver\usbuhci \Device\USBPDO-5 854F31F8
Device \Driver\usbehci \Device\USBPDO-6 854E41F8
Device \Driver\volmgr \Device\HarddiskVolume1 846081F8
Device \Driver\PCI_PNP0319 \Device\00000058 spxo.sys
Device \Driver\volmgr \Device\HarddiskVolume2 846081F8
Device \Driver\cdrom \Device\CdRom0 8551E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8460A1F8
Device \Driver\atapi \Device\Ide\IdePort0 8460A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8460A1F8
Device \Driver\atapi \Device\Ide\IdePort2 8460A1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8460B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 8460B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 8460A1F8
Device \Driver\cdrom \Device\CdRom1 8551E1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{D1957ABD-6FAC-430A-98F1-B0F3C259C5C7} 85B68500
Device \Driver\netbt \Device\NetBt_Wins_Export 85B68500
Device \Driver\Smb \Device\NetbiosSmb 85C3F1F8
Device \Driver\iScsiPrt \Device\RaidPort0 855771F8
Device \Driver\usbuhci \Device\USBFDO-0 854F31F8
Device \Driver\usbuhci \Device\USBFDO-1 854F31F8
Device \Driver\netbt \Device\NetBT_Tcpip_{0C10FA32-146C-4B41-A940-8A06AA1733CB} 85B68500
Device \Driver\usbehci \Device\USBFDO-2 854E41F8
Device \Driver\usbuhci \Device\USBFDO-3 854F31F8
Device \Driver\usbuhci \Device\USBFDO-4 854F31F8
Device \Driver\usbuhci \Device\USBFDO-5 854F31F8
Device \Driver\usbehci \Device\USBFDO-6 854E41F8
Device \Driver\au8ydgj3 \Device\Scsi\au8ydgj31Port4Path0Target0Lun0 855621F8
Device \Driver\au8ydgj3 \Device\Scsi\au8ydgj31 855621F8
Device \FileSystem\cdfs \Cdfs 855111F8

---- EOF - GMER 1.0.15 ----

many thanks!

SuperDave · « **Reply #27 on:** July 16, 2010, 05:46:49 PM »

Quote

malicious software removal tool today alerted me and said it found a Trojan:WinNT/Bubnix.gen!A which it partially removed.

What do you mean by "partially removed"?

Do you have your OS CD/DVD?

If so,

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.

11/ After the scan has completed, Close the command prompt window.

ekluever · « **Reply #28 on:** January 30, 2011, 03:57:50 PM »

Dear Dave
I just wanted to thank you for all your help!!!
You definitely got it working again and then I was really busy for a few days and always planning to eventually do all the last things you suggested and never got round to it.
In the meantime my laptop entirely broke, but I just wanna thank you for all your efforts. I felt really lucky that there was a forum like this and someone out there who understood all these logs...
Thank you!!!

SuperDave · « **Reply #29 on:** January 30, 2011, 07:19:39 PM »

You're welcome. I will lock this thread. If you need it opened for any reason, please pm me.

Computer Hope Forum

News:

Author Topic: application can not be executed - xy is infected - trojan horse (Read 17924 times)

ekluever

ekluever

SuperDave

ekluever

ekluever

SuperDave

ekluever

SuperDave

ekluever

SuperDave

ekluever

ekluever

SuperDave

ekluever

SuperDave

ekluever

ekluever

SuperDave

ekluever

ekluever

SuperDave

ekluever

SuperDave

ekluever

ekluever

SuperDave

ekluever

SuperDave

ekluever

SuperDave