Problem with trojan TDSS (and more?)



Sabine
2008-11-12, 12:05
Hi everyone,

I really hope somebody can help me with the problem I'm having. Here's a little background, in case this helps.
About 2 weeks ago I discovered a pop-up on my desktop saying "your computer is infected". I did not click on it, because I thought it was some malware infection. I ran scans with several malware and virus scanners and detected quite a few things (I'm not sure if this helps, but I took some notes): beep.sys, karna.dat, exacttoolbar.dll, ctbv2.dll, and in a later scan I found a few things with the name TDSS, e.g. tdsscfum.dll, tdsspaxt.sys. I managed to remove all of these with my anti-malware programs, but yesterday I found a trojan and a rootkit again: tdssrhym.dll and tdssoiqh.dll. I removed them with CounterSpy.

So now I am worried that my computer is still infected. I read through this very helpful forum and ran a scan with tdssdump (if I remember correctly), and this is the log result:


HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv
NextInstance REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000
Service REG_SZ TDSSserv
Legacy REG_DWORD 1 (0x1)
ConfigFlags REG_DWORD 0 (0x0)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc REG_SZ TDSSserv
Capabilities REG_DWORD 0 (0x0)

I did this before I read the general instructions of the forum. I then installed HijackThis as suggested in the instructions and disabled TeaTimer. Here is my log result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:28, on 31.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programme\CounterSpy\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\CounterSpy\SBAMTray.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Programme\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\quick time 7.4 für drei tv\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Programme\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChkMail] èn‹
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.t-online.at
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4B7ACF-DAF1-4975-8A75-5E13D6DE715D}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: OLE Module - {203B1C4D9-BC71-8916-38AD-9DEA5D213614} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAMME\NORMAN VIRUS CONTROL\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Programme\CounterSpy\SBAMSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOKUME~1/SABINE~1/LOKALE~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - http://www.thesunsetresort.com/images/gallery_images/Resort%20Beach%20Hamock%20Large.jpg

--
End of file - 7658 bytes

I'm definitely not a computer expert and really worried that my computer is not safe. Thus I really, really hope somebody can help me here. I would really appreciate it!

Oh, about a week ago I ran a Kaspersky online scan and it detected "not-a.virus: Adware.Win32.Sahat.g". I tried to install the Kaspersky trial version, but it wouldn't let me, because it said there are still parts of AVG on my computer, which I could not find, and thus I could not run the Kaspersky trial version.

Thank you so much!

Blade81
2008-11-13, 09:12
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Sabine
2008-11-13, 11:35
Hi Blade!

Thank you so much for helping me!

So far I've just downloaded ComboFix and the XP Recovery Console.
However, this is when my first problem arises.

I tried to drag the Microsoft file on top of the ComboFix exe file and I don't get the result shown in the ComboFix manual. Instead I get a security warning asking if I really would like to install this software. It looks exactly like the window that opens when installing ComboFix, as shown in the manual.

In one sentence: when I drag the Microsoft file (in English or German) onto the combofix.exe file, I get a security warning asking if I really want to install the software named combofix.exe.

According to the manual I shouldn't get this warning; instead ComboFix should install the Recovery Console automatically.

I didn't want to do anything wrong, so I thought I'd double-check with you.

What do I do now?
Is the security warning a step to install the recovery tool and I can continue? Or is the recovery tool really not being installed?

One more question: have you so far seen something suspicious in my log file, and should I be worried if I transmitted my credit card details (to secure a booking) before I detected/removed the TDSS trojan and rootkit, and thus contact my credit card company to avoid trouble? Even if nothing suspicious occurred when working with my laptop (no higher internet data transfer or suspicious programs trying to access the internet)?


Thank you! I truly appreciate your help!

Blade81
2008-11-13, 12:10
Hi

Yes, let ComboFix run.


Have you so far seen something suspicious in my logfile and should I be worried if I transmitted my credit card details (to secure a booking) before I detected/removed the tdss trojan and rootkit and thus contact my credit card company to avoid troubles?
No thus far.

Sabine
2008-11-13, 23:36
Hi Blade!

Thanks for your quick reply.
The ComboFix scan worked out perfectly fine.
It seems it found 4 TDSS files; here's the ComboFix log:

ComboFix 08-11-11.01 - Sabine F 2008-11-13 21:29:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.49.1031.18.40 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Sabine F\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Sabine F\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\Cache\buts.bin
c:\windows\system32\Cache\chart 1.bmp
c:\windows\system32\Cache\ding.bmp
c:\windows\system32\Cache\document.bmp
c:\windows\system32\Cache\msg.bin
c:\windows\system32\Cache\web app.bmp
c:\windows\system32\TDSSbubx.log
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSosvd.dat

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv.sys)


((((((((((((((((((((((( Dateien erstellt von 2008-10-13 bis 2008-11-13 ))))))))))))))))))))))))))))))
.

2008-10-31 10:19 . 2008-10-31 10:19 <DIR> d-------- c:\programme\Trend Micro
2008-10-31 09:28 . 2008-11-13 21:50 493,600 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-10-31 09:28 . 2008-11-13 21:38 6,764 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-10-31 09:20 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-10-31 09:19 . 2008-10-31 09:21 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-10-31 09:19 . 2008-10-31 09:24 <DIR> d-------- c:\programme\ZoneAlarm
2008-10-31 09:19 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-10-31 09:19 . 2008-11-13 21:41 352,918 --a------ c:\windows\system32\vsconfig.xml
2008-10-31 05:42 . 2008-10-31 05:42 <DIR> dr------- c:\dokumente und einstellungen\NetworkService\Favoriten
2008-10-30 18:09 . 2008-10-30 18:09 <DIR> d-------- c:\dokumente und einstellungen\Sabine F\My ShyFiles
2008-10-30 17:38 . 2008-10-31 09:06 <DIR> d-------- c:\programme\ShyFly Encoder for Email
2008-10-30 07:14 . 2008-10-30 07:14 <DIR> d-------- c:\windows\system32\de-de
2008-10-27 18:41 . 2008-10-27 18:41 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\InterVideo
2008-10-23 21:36 . 2008-10-31 20:10 <DIR> d-------- c:\programme\Avast4
2008-10-23 10:54 . 2008-10-23 10:54 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2008-10-23 02:21 . 2008-08-13 09:03 68,912 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-10-23 02:21 . 2008-08-13 09:03 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-10-18 01:12 . 2008-10-31 09:44 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2008-10-18 00:39 . 2008-10-18 00:39 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-10-18 00:39 . 2008-10-31 09:24 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-10-18 00:31 . 2008-10-18 00:31 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-10-17 19:34 . 2008-10-17 19:34 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Sunbelt
2008-10-17 19:21 . 2008-10-17 19:21 <DIR> d-------- c:\dokumente und einstellungen\Sabine F\Anwendungsdaten\Sunbelt
2008-10-17 19:20 . 2008-10-17 19:20 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Sunbelt
2008-10-17 19:19 . 2008-10-18 00:28 <DIR> d-------- c:\programme\CounterSpy
2008-10-17 19:07 . 2008-10-18 00:27 <DIR> d-------- c:\programme\CCleaner
2008-10-17 15:50 . 2008-10-23 22:06 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-10-17 15:50 . 2008-10-17 15:50 <DIR> d-------- c:\dokumente und einstellungen\Sabine F\Anwendungsdaten\Malwarebytes
2008-10-17 15:50 . 2008-10-17 15:50 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-17 15:50 . 2008-10-22 15:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 15:50 . 2008-10-22 15:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-17 12:25 . 2008-10-17 12:25 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\HappyFoto
2008-10-17 12:24 . 2002-11-25 12:58 <DIR> d-------- c:\dokumente und einstellungen\Administrator\WINDOWS
2008-10-17 12:24 . 2002-09-17 04:46 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Vorlagen
2008-10-17 12:24 . 2002-09-17 05:39 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Startmenü
2008-10-17 12:24 . 2002-09-17 05:39 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Netzwerkumgebung
2008-10-17 12:24 . 2008-11-13 21:34 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen
2008-10-17 12:24 . 2002-09-17 04:59 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Favoriten
2008-10-17 12:24 . 2002-11-25 12:58 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Eigene Dateien
2008-10-17 12:24 . 2002-09-17 05:39 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Druckumgebung
2008-10-17 12:24 . 2002-11-25 12:58 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\InterTrust
2008-10-17 12:24 . 2008-10-27 18:41 <DIR> dr-h----- c:\dokumente und einstellungen\Administrator\Anwendungsdaten
2008-10-17 12:24 . 2008-10-17 12:24 <DIR> d-------- c:\dokumente und einstellungen\Administrator
2008-10-16 21:31 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-16 21:31 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-16 21:30 . 2008-10-16 21:30 <DIR> d-------- c:\programme\iPod
2008-10-16 21:30 . 2008-10-16 21:31 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 21:29 . 2008-10-16 21:29 <DIR> d-------- c:\programme\Bonjour
2008-10-16 21:28 . 2008-10-16 21:28 <DIR> d-------- c:\programme\Apple Software Update
2008-10-16 21:27 . 2008-10-01 12:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-10-15 23:26 . 2008-10-16 21:27 <DIR> d-------- c:\programme\Gemeinsame Dateien\Apple
2008-10-15 23:25 . 2008-10-15 23:37 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
2008-10-15 22:51 . 2008-10-16 21:31 <DIR> d-------- c:\programme\itunes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 08:42 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-10-30 12:48 --------- d-----w c:\dokumente und einstellungen\Sabine F\Anwendungsdaten\Skype
2008-10-27 17:51 --------- d-----w c:\dokumente und einstellungen\Sabine F\Anwendungsdaten\dvdcss
2008-10-17 11:07 --------- d-----w c:\programme\SpyBot Search and Destroy 1.2
2008-10-17 10:57 --------- d-----w c:\programme\Norman Virus Control
2008-10-16 20:16 --------- d-----w c:\programme\Creative
2008-10-15 22:27 --------- d-----w c:\programme\quick time 7.4 für drei tv
2008-10-15 21:31 --------- d-----w c:\programme\user
2008-10-15 21:29 --------- d--h--w c:\programme\InstallShield Installation Information
2008-10-15 21:29 --------- d-----w c:\programme\MUSICMATCH
2008-10-14 12:48 --------- d-----w c:\programme\Foobar Decoder flac
2008-10-14 12:47 --------- d-----w c:\programme\audacity töne für handy bearbeiten
2008-10-06 08:30 --------- d-----w c:\programme\MSN Messenger
2008-10-04 03:41 --------- d-----w c:\programme\Round the World Calculator
2008-09-23 07:42 --------- d-----w c:\programme\pdf creator forge
2008-08-29 08:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 15:20 59,176 ----a-w c:\windows\system32\sbbd.exe
2006-03-09 19:51 57,368 ----a-w c:\dokumente und einstellungen\Sabine F\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2004-04-11 09:17 1,120 -c--a-w c:\programme\Global.sw
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChkMail"="èn‹" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2002-07-11 315392]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2002-07-24 274508]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2001-10-18 163840]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2002-08-23 266240]
"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2001-08-02 94208]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2001-08-02 352256]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\programme\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2006-06-21 180269]
"QuickTime Task"="c:\programme\quick time 7.4 für drei tv\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SBAMTray"="c:\programme\CounterSpy\SBAMTray.exe" [2008-08-26 677160]
"ZoneAlarm Client"="c:\programme\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 c:\windows\system32\Ati2mdxx.exe]
"LTSMMSG"="LTSMMSG.exe" [2002-05-07 c:\windows\LTSMMSG.exe]
"WLANSTA.EXE"="WLANSTA.EXE" [2002-07-04 c:\windows\system32\WLANSTA.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^InterVideo WinCinema Manager.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Trafficdetector.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Trafficdetector.lnk
backup=c:\windows\pss\Trafficdetector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-10-05 09:52 98304 c:\programme\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\programme\D-Tools f Sims2\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\ICQ5\\ICQLite\\ICQLite.exe"=
"c:\\Programme\\RealPlayer\\realplay.exe"=
"c:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programme\\MSN Messenger\\livecall.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\itunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-12 110160]
R1 Hotkey;Hotkey;c:\windows\system32\drivers\Hotkey.sys [2001-06-26 5364]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-08-13 13360]
R1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys [2001-08-23 4828]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-12 20560]
R2 SBAMSvc;Sunbelt VIPRE Antivirus Service;c:\programme\CounterSpy\SBAMSvc.exe [2008-08-26 869672]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-08-13 68912]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2002-05-07 808939]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-10-17 814740]
S3 dsNcAdpt;Juniper Network Connect Adapter;c:\windows\system32\DRIVERS\dsNcAdpt.sys [ ]
S3 epcfw2k;SCM-Parallelanschluss-CF-Treiber;c:\windows\system32\DRIVERS\epcfw2k.sys [2001-08-17 144896]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2007-11-06 87848]
S3 WLANRB;NETGEAR Wireless 802.11b LAN RB Driver;c:\windows\system32\DRIVERS\MA401RB.sys [2002-07-04 593920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2931ec0-39bc-11dc-92d1-0000e2905fd8}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Inhalt des "geplante Tasks" Ordners

2008-11-13 c:\windows\Tasks\User_Feed_Synchronization-{96E3044E-305C-453B-9864-DB4009EEAD89}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

SharedTaskScheduler-{203B1C4D9-BC71-8916-38AD-9DEA5D213614} - (no file)
SafeBoot-TDSSpaxt.sys


.
------- Zusätzlicher Suchlauf -------
.
R0 -: HKCU-Main,Start Page = hxxp://mail.google.com/
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 21:44:05
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\programme\Avast4\aswUpdSv.exe
c:\programme\Avast4\ashServ.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\wdfmgr.exe
c:\programme\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-11-13 21:59:26 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-11-13 20:59:04

Vor Suchlauf: 4.588.457.984 Bytes frei
Nach Suchlauf: 4,577,865,728 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2008-10-30 06:15:43


And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30:51, on 13.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Programme\RealPlayer\RealPlay.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\quick time 7.4 für drei tv\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Programme\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChkMail] èn‹
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.t-online.at
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4B7ACF-DAF1-4975-8A75-5E13D6DE715D}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAMME\NORMAN VIRUS CONTROL\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Programme\CounterSpy\SBAMSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOKUME~1/SABINE~1/LOKALE~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - http://www.thesunsetresort.com/images/gallery_images/Resort%20Beach%20Hamock%20Large.jpg

--
End of file - 7273 bytes



should I now be worried about my cc-details, that I transmitted recently? :( (as I told you earlier)

thank you so much!

Blade81
2008-11-14, 08:02
Hi


should I now be worried about my cc-details, that I transmitted recently? :( (as I told you earlier)
Don't think so :)


Start hjt, do a system scan, check (if found):
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

Close browsers and fix checked.



Uninstall old Java versions and get Java 6 Update 7 here (http://javadl.sun.com/webapps/download/AutoDL?BundleId=23111).


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report & a fresh hjt log.

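As an added example (not part of this thread and not a HijackThis feature), the following Python script does the first pass a helper does by eye on a HijackThis log: it picks out the "(no file)" and "(file missing)" leftovers of the kind Blade81 asks to fix, flags a Run value that is not a readable path (like the [ChkMail] entry above), and pulls the hard-coded DNS servers out of the O17 line so they can be checked against the ISP. The sample lines are constructed from entries quoted in this thread; the finding categories, regexes and the list of executable extensions are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis 2.0.2 log format, modelled on entries
# quoted in this thread. It is not a complete log.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ChkMail] èn‹
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4B7ACF-DAF1-4975-8A75-5E13D6DE715D}: NameServer = 213.94.78.16 213.94.78.17
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAMME\NORMAN VIRUS CONTROL\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every entry line is "<section> - <body>", e.g. "O3 - Toolbar: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# A sane Run value names an executable of some kind (assumed list).
EXE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|dll)\b", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

Finding = Tuple[str, str, str]  # (section, kind, detail)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def looks_like_command(cmd: str) -> bool:
    """A readable autorun value is printable text that names an executable."""
    if not cmd or any(not ch.isprintable() for ch in cmd):
        return False
    return EXE_RE.search(cmd) is not None


def triage(text: str) -> List[Finding]:
    """Flag the entry types a helper asks about first."""
    findings: List[Finding] = []
    for sec, body in parse_hjt(text):
        if body.endswith("(no file)"):
            # Registration whose DLL/EXE is gone: a removal leftover, safe to fix in HJT.
            findings.append((sec, "orphaned", f"{sec} - {body}"))
        elif sec == "O23" and body.endswith("(file missing)"):
            # Service still registered, binary gone.
            findings.append((sec, "service-binary-missing", f"{sec} - {body}"))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and not looks_like_command(m.group("cmd")):
                # Garbage instead of a path: look at the registry value directly.
                findings.append((sec, "unreadable-run-value", m.group("name")))
        elif sec == "O17":
            # Hard-coded resolvers: confirm they belong to the ISP, not a DNS changer.
            findings.append((sec, "dns-servers-verify", " ".join(IPV4_RE.findall(body))))
    return findings


def fix_candidates(findings: List[Finding]) -> List[str]:
    """The lines to tick and 'Fix checked' in HijackThis: only the orphaned ones."""
    return [detail for _, kind, detail in findings if kind == "orphaned"]


if __name__ == "__main__":
    for sec, kind, detail in triage(SAMPLE_LOG):
        print(f"{sec:4} {kind:24} {detail}")
```

The "(file missing)" service and the DNS servers are reported but deliberately not put on the fix list: a missing service binary is usually a half-uninstalled product (Norman here) that is better removed through its own uninstaller, and O17 resolvers are only a problem if they are not the ISP's.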
Sabine
2008-11-14, 17:11
Hi Blade!

Once again: thank you!

I did everything as requested, it seems Kaspersky didn't find anything. yay!

One thing I saw is that my virus scanner (avast) stopped launching upon start of the PC ever since I used ComboFix. Or at least active protection is not enabled. I couldn't get it back on. When I put it from disabled to standard protection and press OK, it doesn't change. When I then open the settings of the active protection again, it is back to disabled. Also, there is no symbol in the task bar. I guess the button to solve this is hidden somewhere and I can't get it. :) Or should I re-install avast (or switch to AVG or Antivir, if they are better?)
Hope you can also help me in this case :)


here are the logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 06:08:31
Records in database: 1384367
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 86097
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:57:24

No malware has been detected. The scan area is clean.

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:05:55, on 14.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\quick time 7.4 für drei tv\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Programme\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChkMail] èn‹
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ5\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.t-online.at
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4B7ACF-DAF1-4975-8A75-5E13D6DE715D}: NameServer = 213.94.78.16 213.94.78.17
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAMME\NORMAN VIRUS CONTROL\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Programme\CounterSpy\SBAMSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOKUME~1/SABINE~1/LOKALE~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - http://www.thesunsetresort.com/images/gallery_images/Resort%20Beach%20Hamock%20Large.jpg

--
End of file - 7270 bytes

Thank you so much again!
Have a good weekend. I won't be at home this weekend, but I'll be back on Monday :)

Blade81
2008-11-14, 21:27
Thanks, hope you have/had a good weekend too :)


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter.
Locate DNS Client, highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
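
As an added example (not part of the thread, and not the MVPS hosts file itself), the script below shows what the hosts-file blocking in the post above actually does: the resolver checks the file before asking DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never reaches the real server. The same parser also catches the practitioner's caveat, which is that malware uses the same file in reverse, pointing update and security sites at an address it controls. The sample hosts content is constructed for this example (198.51.100.7 is a documentation address, not a real server); the helper names and the sinkhole address set are assumptions of the example.

```python
from typing import Dict, List, Tuple

# Constructed sample hosts file: MVPS-style blocking lines plus one line of the
# kind malware writes to keep a machine away from an update site.
SAMPLE_HOSTS = """\
# Comment lines and trailing comments are ignored by the resolver
127.0.0.1\tlocalhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment after the entry
0.0.0.0 banner.example.net   pixel.example.net
198.51.100.7 www.windowsupdate.com
"""

# Addresses that send a blocked name nowhere instead of to the real server.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to its address; the first entry wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()                 # "<address> <name> [<name> ...]"
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(hosts: Dict[str, str], name: str) -> bool:
    """True when the hosts file sends this name to a sinkhole address."""
    return hosts.get(name.lower()) in SINKHOLE_ADDRESSES


def suspicious_redirects(hosts: Dict[str, str], protected: List[str]) -> List[Tuple[str, str]]:
    """Protected names pointed at a non-local address: the attacker's use of the same file."""
    out: List[Tuple[str, str]] = []
    for name in protected:
        addr = hosts.get(name.lower())
        if addr is not None and addr not in SINKHOLE_ADDRESSES:
            out.append((name.lower(), addr))
    return out


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "pixel.example.net", "mail.google.com"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'resolved normally'}")
    for name, addr in suspicious_redirects(hosts, ["www.windowsupdate.com", "localhost"]):
        print(f"WARNING: {name} is redirected to {addr}")
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; a clean Windows XP hosts file contains only the localhost line, so any other non-sinkhole entry deserves a look.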

Sabine
2008-11-17, 15:46
Hi Blade!


Well congrats, it appears your system is all clean

wohoo, that's fantastic. Thank you so much!

Here's an update from my side.

- reset system restore
- uninstalled combofix
- updated Windows via Windows Update
Installed everything except Service Pack 3 and the malware tool for November. Should I get SP3?

-checked IE settings, everything was already set as it should be according your directions

-installed adaware2008 and uninstalled the previous version
-installed spywareblaster

- I did NOT do the thing with the hosts file, because my PC is already pretty slow and I didn't want to risk it getting worse. Hope that is fine.


Problems that occur right now:

- I posted this in my last post, but here it is one more time: One thing I saw is that my virus scanner (avast) stopped launching upon start of the PC ever since I used ComboFix. Or at least active protection is not enabled. I couldn't get it back on. When I put it from disabled to standard protection and press OK, it doesn't change. When I then open the settings of the active protection again, it is back to disabled. Also, there is no symbol in the task bar. I guess the button to solve this is hidden somewhere and I can't get it. Or should I re-install avast (or switch to AVG or Antivir, if they are better?) Hope you can also help me in this case

- As for right now I use
Spybot (Teatimer disabled, should I enable it?)
Adaware (Adwatch disabled, should I rather enable this one?)
Spyblaster (created system snapshot and hosts back up)
Avast (except for the fact that it doesn't launch :( )
Zonealarm
ATF Cleaner (Can I keep using it?)
Is this enough and should I go with Teatime or Adwatch or neither of them?

-Planning to remove
Counterspy
Malwarebytes AntiMalware
CC Cleaner
Or should I keep them?

- Can I remove the self extractor files I downloaded for combofix to create the recovery console, or is this still needed?

Sorry, so many questions!
I really appreciate all of your help though!
Thanks again and have a good day! Kiitos :red: and Kippis (that's all I know:) )
Sabine

Blade81
2008-11-17, 18:25
Installed everything except Service Pack 3 and the malware tool for November. Should I get SP3?
Hi Sabine

I've left that decision for the users to make. Some people have had problems with it, and that's why I recommend taking backups of important files before updating, if you're going to do it.


- I posted this in my last post, but here it is one more time: One thing I saw is that my virus scanner (avast) stopped launching upon start of the PC ever since I used ComboFix. Or at least active protection is not enabled. I couldn't get it back on. When I put it from disabled to standard protection and press OK, it doesn't change. When I then open the settings of the active protection again, it is back to disabled. Also, there is no symbol in the task bar. I guess the button to solve this is hidden somewhere and I can't get it. Or should I re-install avast (or switch to AVG or Antivir, if they are better?) Hope you can also help me in this case
To make sure Avast is working properly I recommend re-installing it. That should fix the problem.


- As for right now I use
Spybot (Teatimer disabled, should I enable it?)
Adaware (Adwatch disabled, should I rather enable this one?)
Spyblaster (created system snapshot and hosts back up)
Avast (except for the fact that it doesn't launch :( )
Zonealarm
ATF Cleaner (Can I keep using it?)
Is this enough and should I go with Teatime or Adwatch or neither of them?
Looks quite good after you get Avast back up and running :) Yes, you may use ATF Cleaner to clean temporary items. Using TeaTimer and Ad-Watch is up to you. I'm personally not a big fan of either of them.


-Planning to remove
Counterspy
Malwarebytes AntiMalware
CC Cleaner
Or should I keep them?
You have quite a bunch of antispyware programs there now. Malwarebytes Anti-Malware is powerful though and I'd keep it. You don't need to have it running all the time though. Just occasional runs, once or twice a month.


- Can I remove the self extractor files I downloaded for combofix to create the recovery console, or is this still needed?
Yes, you may remove them :)

Sabine
2008-11-18, 11:05
You have quite a bunch antispyware programs there now.

yup, that's what I was thinking and that's why I wanted to get rid of some :) Thanks for your advice concerning the programs. I initially got them because I thought one of them could fix my little problem. I know now that it is much better to find someone who actually knows what he is doing and ask for help. I re-installed avast and it works fine now.
So again: thank you for fixing things, thank you!!!!!

Blade81
2008-11-18, 11:18
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.