View Full Version : Trojan: Virtumonde
Hi there,
it seem that other people have the same problems: Spybot detected a virtumonde but is not able to remove it. I backed up my reg with ERUNT and here's my HJT-Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:01, on 24.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\own\Internet\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\own\Programmierung\Java\jre\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\own\Internet\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Programme\own\Internet\Mozilla Thunderbird\thunderbird.exe
C:\Programme\own\Sicherheit\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\own\Programmierung\Java\jre\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\own\Programmierung\Java\jre\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\own\Programmierung\Java\jre\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\own\Programmierung\Java\jre\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Apache2.2 - Apache Software Foundation - F:\apache2\bin\httpd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\own\Internet\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - F:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
--
End of file - 5344 bytes
pskelley
2009-07-25, 03:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions.
Not seeing anything in the HJT log, if you wish to proceed, do so like this.
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
http://www.besttechie.net/mbam/mbam-setup.exe <<< download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://thespykiller.co.uk/index.php/topic,5946.0.html
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thnaks
The scan did not detect anything dangerous. But my database is (maybe?) an old version, the update did not work (Error 732).
Apart from that, I want to inform you that I did some things between my first and your first post:
* I tried to update Java. There were some problems with uninstalling the old version. I deleted it manually. But as you can see: The uninstaller shows 2 versions now.
* I tried to update Spybot-S&D. I uninstalled the old version, but I was not able to install the new one. There was no connection, when the program tried to download additional files.
The logs:
Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2421
Windows 5.1.2600 Service Pack 3
25.07.2009 13:13:47
mbam-log-2009-07-25 (13-13-47).txt
Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|G:\|I:\|)
Durchsuchte Objekte: 261161
Laufzeit: 40 minute(s), 26 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:23:25, on 25.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\own\Internet\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\own\Programmierung\Java\jre6\bin\jqs.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\own\Programmierung\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\own\Sicherheit\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\own\Programmierung\Notepad++\notepad++.exe
C:\Programme\own\Internet\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\own\Sicherheit\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\own\Programmierung\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\own\Programmierung\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\own\Programmierung\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Apache2.2 - Apache Software Foundation - F:\apache2\bin\httpd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\own\Internet\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\own\Programmierung\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - F:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
--
End of file - 5575 bytes
Uninstall list:
7-Zip 4.57
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2 - Deutsch
Apache HTTP Server 2.2.9
ATI - Dienstprogramm zur Deinstallation der Software
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
Audiograbber 1.83 SE
ColorPic
Dev-C++ 5 beta 9 release (4.9.9.2)
ERUNT 1.1j
EVEREST Home Edition v2.20
FileZilla Client 3.0.11.1
Funktion "TrackPoint-Eingabehilfen"
GIMP 2.6.6
GPL Ghostscript 8.62
GPL Ghostscript Fonts
Groovy
GSview 4.9
GTK+ Runtime 2.12.8 rev a (nur entfernen)
HashTab 1.14 for x32
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix für Windows Internet Explorer 7 (KB947864)
Hotfix für Windows XP (KB961118)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java DB 10.4.2.1
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 14
Java(TM) SE Development Kit 6 Update 7
Last.fm 1.5.4.24567
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 German Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.5
MiKTeX 2.7
mMHouse
Mozilla Firefox (3.5.1)
Mozilla Thunderbird (2.0.0.22)
mPfMgr
mProSafe
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MusicBrainz Picard 0.10
mWlsSafe
mXML
MySQL Server 5.0
NetBeans IDE 6.5
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Notepad++
OpenOffice.org 3.0
PC Connectivity Solution
Pidgin
PLT Scheme v4.1.1
Pointofix
Python 2.5.2
RedMon - Druckeranschluß-Umleitungsmonitor
SA60xx Device Manager
Sicherheitsupdate für Windows Internet Explorer 7 (KB938127-v2)
Sicherheitsupdate für Windows Internet Explorer 7 (KB950759)
Sicherheitsupdate für Windows Internet Explorer 7 (KB953838)
Sicherheitsupdate für Windows Internet Explorer 7 (KB956390)
Sicherheitsupdate für Windows Internet Explorer 7 (KB958215)
Sicherheitsupdate für Windows Internet Explorer 7 (KB960714)
Sicherheitsupdate für Windows Internet Explorer 7 (KB961260)
Sicherheitsupdate für Windows Internet Explorer 7 (KB963027)
Sicherheitsupdate für Windows Internet Explorer 7 (KB969897)
Sicherheitsupdate für Windows Internet Explorer 8 (KB969897)
SoundMAX
TeXnicCenter Version 1 Beta 7.01 (Greengrass)
The Regex Coach 0.9.2
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Energie-Manager
ThinkPad FullScreen Magnifier
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad UltraNav Driver
ThinkPad-Konfiguration
ThinkPad-Präsentationsdirektor
ThinkPad-UltraNav-Assistent
ThinkVantage System für aktiven Festplattenschutz
ThinkVantage Technologies Welcome Message
Tweak UI
Update für Windows Internet Explorer 8 (KB971930)
VideoLAN VLC media player 0.8.6i
VPN Client
Wallpapers
Websitemirror
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Windows-Treiberpaket - Nokia Modem (10/27/2008 3.9)
Windows-Treiberpaket - Nokia Modem (10/27/2008 7.01.0.1)
Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0)
WinMerge 2.8.4.0
XP Themes
Thank you for your help.
pskelley
2009-07-25, 15:20
MBAM database this morning is version 1.39 (Database 2498 7/24/2009)
the old database you ran my be why it did not find anything. Appears something is blocking your access to updates for various programs. How are you posting to this thread?
Let's look at the uninstall list first.
Adobe Flash Player 10 Plugin <<< not sure why I see a pluin but no Flash Player?
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Reader 8.1.2 - Deutsch <<< out of date and unsafe:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.adobe.com/support/security/bulletins/apsb09-07.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 3.0 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
J2SE Runtime Environment 5.0 Update 6
Java DB 10.4.2.1
Java(TM) 6 Update 7
Out of date and unsafe.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
http://raproducts.org/ <<< this tool will help uninstall old versions.
If you can not do any of the above, move on to combofix, perhaps it will tell us why.
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed
Please continue as follows:
1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.
2) Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
When the tool is finished, it will produce a report for you. Post that report and a new HJT log
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Thanks
How are you posting to this thread?
I am posting to this thread with the same computer we're working on, via Firefox.
I did not understand the part: "If you can not do any of the above, move on to combofix, perhaps it will tell us why."
I updated the Flash Player Plugin, uninstalled Adobe Reader and ran this JavaRa tool to delete the old JRE.
Should I use combofix now or not?
pskelley
2009-07-25, 15:55
Yes...follow the instructions and run combofix.
Here you go.
ComboFix 09-07-24.01 - User 25.07.2009 15:33.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.1368 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\User\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-4172071277-2194094571-159085178-500
c:\windows\Installer\203d8.msi
c:\windows\Installer\3c5569.msi
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
F:\start.bat
.
((((((((((((((((((((((( Dateien erstellt von 2009-06-25 bis 2009-07-25 ))))))))))))))))))))))))))))))
.
2009-07-25 03:45 . 2009-07-25 03:45 -------- d-----w- c:\dokumente und einstellungen\User\Anwendungsdaten\Malwarebytes
2009-07-25 03:45 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 03:45 . 2009-07-25 03:45 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-25 03:45 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 11:48 . 2009-07-24 11:48 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 08:53 . 2009-07-24 08:53 -------- d-----w- c:\windows\system32\Macromed
2009-07-24 08:43 . 2009-07-24 08:43 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-24 08:43 . 2009-07-24 08:43 -------- d-----w- c:\programme\MSBuild
2009-07-24 08:43 . 2009-07-24 08:43 -------- d-----w- c:\programme\Reference Assemblies
2009-07-24 08:43 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-24 08:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-24 08:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-24 08:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-24 08:43 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-24 08:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-24 08:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-24 08:36 . 2009-07-24 08:36 -------- d-sh--w- c:\dokumente und einstellungen\User\IECompatCache
2009-07-24 08:33 . 2009-07-24 08:33 -------- d-sh--w- c:\dokumente und einstellungen\User\PrivacIE
2009-07-24 06:55 . 2009-07-24 06:55 -------- d---a-w- c:\windows\system32\runouce.exe
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 12:26 . 2008-06-01 22:08 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2009-07-24 21:46 . 2008-07-05 21:19 -------- d-----w- c:\dokumente und einstellungen\User\Anwendungsdaten\.purple
2009-07-24 13:46 . 2009-03-13 15:25 1 ----a-w- c:\dokumente und einstellungen\User\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-24 09:33 . 2006-01-27 01:01 84722 ----a-w- c:\windows\system32\perfc007.dat
2009-07-24 09:33 . 2006-01-27 01:01 459396 ----a-w- c:\windows\system32\perfh007.dat
2009-07-24 09:18 . 2008-05-04 02:50 73336 ----a-w- c:\dokumente und einstellungen\User\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-07-24 09:15 . 2007-11-28 05:47 73336 ----a-w- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-07-24 08:30 . 2008-06-09 05:38 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-07-23 23:21 . 2009-03-22 18:09 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Aspell
2009-07-08 20:57 . 2008-06-06 10:34 -------- d-----w- c:\dokumente und einstellungen\User\Anwendungsdaten\FileZilla
2009-06-30 15:34 . 2008-07-05 21:21 -------- d-----w- c:\dokumente und einstellungen\User\Anwendungsdaten\gtk-2.0
2009-06-28 12:57 . 2008-09-07 21:00 -------- d-----w- c:\dokumente und einstellungen\User\Anwendungsdaten\dvdcss
2009-06-16 14:36 . 2006-01-27 01:01 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-01-27 01:01 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2006-01-27 01:01 1296896 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 05:02 . 2006-01-27 01:01 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 16:03 . 2009-05-09 16:03 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-07 15:32 . 2006-01-27 01:01 348160 ----a-w- c:\windows\system32\localspl.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\programme\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"SoundMAXPnP"="c:\programme\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\programme\own\Programmierung\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-15 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 00000000
"NoSMMyPictures"= 00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-25 18:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tvtnetwk"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TVT Backup Service"=2 (0x2)
"ThinkVantage Registry Monitor Service"=2 (0x2)
"TapiSrv"=3 (0x3)
"PsaSrv"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"btwdins"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\apache2\\bin\\httpd.exe"=
"c:\\Programme\\own\\Internet\\Pidgin\\pidgin.exe"=
"c:\\Programme\\own\\Tools\\MusicBrainz Picard\\picard.exe"=
"c:\\Programme\\own\\Programmierung\\Eclipse\\eclipse.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [28.11.2007 07:03 88576]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [28.11.2007 07:03 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [28.11.2007 07:02 4442]
R2 smihlp;SMI helper driver;c:\programme\ThinkVantage Fingerprint Software\smihlp.sys [25.04.2006 20:00 3456]
S3 Apache2.2;Apache2.2;f:\apache2\bin\httpd.exe [13.06.2008 04:05 24635]
S3 VtcDrv;Philips SA60xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [15.03.2009 22:38 18560]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
Notify-NavLogon - (no file)
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://lenovo.live.com
IE: Senden an &Bluetooth-Gerät... - c:\programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\dokumente und einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\rthkfn9x.default\
FF - plugin: c:\programme\own\Multimedia\VLC\npvlc.dll
FF - plugin: c:\programme\own\Programmierung\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programme\own\Programmierung\Java\jre6\bin\new_plugin\npjp2.dll
---- FIREFOX Richtlinien ----
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("media.cache_size", 51200);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("media.ogg.enabled", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("media.wave.enabled", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("layout.css.dpi", -1);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("geo.enabled", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\programme\own\Internet\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:35
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"f:\mysql\bin\mysqld-nt\" --defaults-file=\"f:\mysql\my.ini\" MySQL"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\programme\ThinkVantage Fingerprint Software\infra.dll
c:\programme\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\programme\ThinkVantage Fingerprint Software\homepass.dll
c:\programme\ThinkVantage Fingerprint Software\bio.dll
c:\programme\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\programme\ThinkVantage Fingerprint Software\crypto.dll
- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\psqlpwd.dll
c:\programme\ThinkVantage Fingerprint Software\infra.dll
c:\programme\ThinkVantage Fingerprint Software\homefus2.dll
.
Zeit der Fertigstellung: 2009-07-25 15:36
ComboFix-quarantined-files.txt 2009-07-25 13:36
Vor Suchlauf: 4.905.988.096 Bytes frei
Nach Suchlauf: 5.076.312.064 Bytes frei
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
229 --- E O F --- 2009-07-25 01:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42:25, on 25.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\own\Internet\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\own\Programmierung\Java\jre6\bin\jqs.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programme\own\Internet\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Programme\own\Sicherheit\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\own\Programmierung\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\own\Programmierung\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\own\Programmierung\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Apache2.2 - Apache Software Foundation - F:\apache2\bin\httpd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\own\Internet\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\own\Programmierung\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - F:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
--
End of file - 5085 bytes
pskelley
2009-07-25, 17:09
Here is some information about Recovery Console in the event you ever need to use it.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Please see if you can update MBAM now, then run it as in the last instructions and post just the MBAM scan results.
Please tell me how the computer is running now?
Thanks
No, MBAM update still causes an Error. I dont understand this.
My Computer is running fine at all, there was never a "visible" problem (slow-down or sth. like that). The reason why I posted here, was because Spybot detected this virtumonde. Did you see anything suspect in my logs? Maybe it was a false-positive?
pskelley
2009-07-25, 18:42
No, MBAM update still causes an Error.
Please post that error word for word
It appears, when I click tab:"Updates"-> Button "Check for Updates". Its an Error-Popup and it says: "Ein Fehler ist aufgetreten, bitte geben sie den folgenden Fehlercode an das Malwarebytes' Antimalware Support-Team weiter. Error-code: 732 (0,0)". (Sorry, I installed it in German.)
I think I found out, why it does not work. Look at this: http://www.malwarebytes.org/forums/index.php?showtopic=20075. I am also not "online" with InternetExplorer, I blocked it via registry (with help of this (http://oschad.de/wiki/InternetExplorer).) Maybe thats the point?
pskelley
2009-07-25, 23:51
I am sorry, I read no German, since you said this:
My Computer is running fine at all, there was never a "visible" problem (slow-down or sth. like that). The reason why I posted here, was because Spybot detected this virtumonde
I can say that usually the reason Spybot S&D finds and can not remove virtumonde is because the program is outdated or the databases are not up to date. It can also be a false positive, you can read about those here:
http://forums.spybot.info/forumdisplay.php?f=16
Since you are not having problems, we will wrap this up and if you have additional questions about Spybot S&D you may prefer this forum.
http://forums.spybot.info/forumdisplay.php?f=15
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
Okay. Thank you very much for your help! Sorry that I wasted your time (with my false positive...).
matuxi