Malware blocks antivirus software updates and internet links

Post by sowhat12 » January 30th, 2009, 8:47 am

Hello,

I have a problem with my system and I would be very glad if you could help me fix it. I'm sure I have a virus or something on my system. I can't update my antivirus software (AntiVir and Ad-Aware) anymore. When I try, it says that there is no Internet connection. That's not possible, because I can go on the Internet and my firewall isn't blocking them either.

And there is a second problem. When I click on a link I'm sometimes redirected to a completely different homepage.

I would very much appreciate if you could help me fix the problem.

Thanks a lot already in advance!

Here is my Hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:03, on 01.02.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=040409 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5092 bytes
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm
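As an added example (my own triage script, not part of the original post and not a feature of HijackThis), this Python snippet parses the O2 and O4 lines from the log above and flags the entries a helper would look at first: BHOs whose DLL is missing, and Run entries that hand a system32 DLL to rundll32 under a service-account hive, as the duheroyite/vevesadi.dll line does. The regexes, the "random name" heuristic and the severity labels are my assumptions.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not part of the post)."""
import re

# Constructed sample: five lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
"""

# O2: browser helper object -> name, CLSID, DLL path (or "(no file)").
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4: registry Run value -> hive/key, value name, command line, optional user hive.
O4_RE = re.compile(r"^O4 - (?P<key>.+?)\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']+)'\))?$")
# DLL argument handed to rundll32, restricted to the system32 directory.
SYS32_DLL_RE = re.compile(r'"?[a-z]:\\windows\\system32\\([^"\\]+)\.dll"?', re.IGNORECASE)
# Heuristic (assumption): generated value names are runs of lowercase letters only.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,}$")


def looks_random(name):
    return RANDOM_NAME_RE.match(name) is not None


def triage_line(line):
    """Return (severity, reason) for a suspicious line, or None for a benign one."""
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return ("low", "orphaned BHO %s: CLSID registered but DLL missing" % m.group("clsid"))
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    cmd, value = m.group("cmd"), m.group("value")
    dll = SYS32_DLL_RE.search(cmd) if "rundll32" in cmd.lower() else None
    if dll:
        where = " under %s" % m.group("key") if m.group("user") else ""
        return ("high", "rundll32 loads %s.dll from system32%s" % (dll.group(1), where))
    if looks_random(value):
        return ("medium", "Run value name %r looks randomly generated" % value)
    return None


def triage_log(text):
    """Scan a whole log; returns [(severity, line, reason), ...] in log order."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line.rstrip())
        if hit:
            findings.append((hit[0], line, hit[1]))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage_log(SAMPLE_LOG):
        print("[%s] %s\n      %s" % (sev.upper(), line, why))
```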

Re: Malware blocks antivirus software updates and internet links

Post by dan12 » January 30th, 2009, 4:40 pm

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware blocks antivirus software updates and internet links

Post by sowhat12 » January 30th, 2009, 6:58 pm

Hi Dan,

Thank you so much for trying to help me with the problem in my system. I really appreciate the time and effort you invest.

Here is the list with the programs that are running on my system.


Ad-Aware
Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Product/Adobe Studio Update 10/2001
Advanced PDF-to-Word 1.0 Demo
ALDI Foto Manager Free Sued
ALDI Online Druck Service 3.4.3.0 (D)
ALDI Sued Foto Service
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Camera RAW Plug-In for EPSON Creativity Suite
Canon i250
CCleaner (remove only)
CorelDRAW Graphics Suite 12
CX4300_5500_DX4400 Handbuch
dBpoweramp m4a Codec
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
dBpowerAMP WMA V9 Codec
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
EPSON-Drucker-Software
ERUNT 1.1j
FlashGet 1.9.6.1073
HijackThis 2.0.2
iTunes
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000 SR-1
Monkey's Audio
Mozilla Firefox (3.0.5)
Nero OEM
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia MTP driver
Nokia N73 highlights
Nokia Nseries Skin for Microsoft Windows Media Player
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia themes for your device
OpenOffice.org 2.0
PCI Audio Driver
PDFCreator
QuickTime
SUPER © Version 2008.bld.30 (Mar 22, 2008)
T-Online 5.0
T-Online Copas
T-Online Fotoservice
TRUST 320 SPACEC@M
T-Sinus 154data
Update für Windows XP (KB898461)
VIA AGP 4x/133 Driver Setup Program
VideoLAN VLC media player 0.8.6c
VTrain (Vokabeltrainer) 4.5
Web Stream Recorder Pro 1.61
Winamp (remove only)
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Millennium Edition - Schritt für Schritt interaktiv
Windows XP Service Pack 2
WinPcap 4.0.2
WinRAR archiver
WinZip 11.1
WM Recorder 11.3
Yahoo! Messenger
ZoneAlarm

Ok, I really hope you can help me fix it.

Thanks again.

Marc
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Malware blocks antivirus software updates and internet links

Post by dan12 » January 30th, 2009, 7:05 pm

As you have CCleaner on your system, set it as instructed and do a scan.

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
(Do not use the Registry block to clean anything with this program. It is for experts only and it is risky.)
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------------------


Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware blocks antivirus software updates and internet links

Post by sowhat12 » January 30th, 2009, 8:29 pm

OK, so this is the ComboFix log

ComboFix 09-01-21.04 - Standard 2009-01-30 1:21:45.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.255.127 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*
.
- REDUZIERTER FUNKTIONALITÄTSMODUS -
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\FT62
c:\windows\system32\dPI19
D:\Autorun.inf

.
((((((((((((((((((((((( Dateien erstellt von 2008-12-28 bis 2009-01-30 ))))))))))))))))))))))))))))))
.

2009-03-21 12:07 . 2009-03-21 12:10 61,952 --a------ C:\nvjepyv.exe
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\programme\Avira
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-30 20:07 . 2009-01-30 20:07 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-30 20:07 . 2009-01-30 20:07 1,409 --a------ c:\windows\QTFont.for
2009-01-30 18:20 . 2009-01-30 18:20 <DIR> d-------- C:\BitRecorder
2009-01-30 18:18 . 2009-01-30 18:18 <DIR> d-------- c:\programme\StreamingStar
2009-01-22 03:08 . 2009-01-22 03:08 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Playrix Entertainment
2009-01-22 00:04 . 2009-01-22 00:04 <DIR> d--hs---- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\twain_32
2009-01-16 12:32 . 2009-01-16 12:32 <DIR> d-------- c:\dokumente und einstellungen\Standard\dwhelper

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 11:21 16,186,394 ------w c:\windows\Internet Logs\tvDebug.zip
2009-01-31 14:31 2,061,824 ------w c:\windows\Internet Logs\xDBF.tmp
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-18 23:39 3,076,608 ------w c:\windows\Internet Logs\xDBE.tmp
2008-10-21 00:20 688,640 ------w c:\windows\Internet Logs\xDBD.tmp
2008-10-07 23:49 215,552 ------w c:\windows\Internet Logs\xDBC.tmp
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_22.12.49.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\18.11.2008\ERDNT.EXE
+ 2008-11-17 23:06:40 4,878,336 ----a-w c:\windows\ERDNT\18.11.2008\Users\00000001\ntuser.dat
+ 2008-11-17 23:06:40 28,672 ----a-w c:\windows\ERDNT\18.11.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\01.02.2009\ERDNT.EXE
+ 2009-02-01 12:20:14 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\01.02.2009\Users\00000001\ntuser.dat
+ 2009-02-01 12:20:14 28,672 ----a-w c:\windows\ERDNT\AutoBackup\01.02.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\13.01.2009\ERDNT.EXE
+ 2009-01-13 21:48:56 4,968,448 ----a-w c:\windows\ERDNT\AutoBackup\13.01.2009\Users\00000001\ntuser.dat
+ 2009-01-13 21:48:56 28,672 ----a-w c:\windows\ERDNT\AutoBackup\13.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\14.01.2009\ERDNT.EXE
+ 2009-01-14 10:23:58 4,972,544 ----a-w c:\windows\ERDNT\AutoBackup\14.01.2009\Users\00000001\ntuser.dat
+ 2009-01-14 10:23:58 28,672 ----a-w c:\windows\ERDNT\AutoBackup\14.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\14.12.2008\ERDNT.EXE
+ 2008-12-14 09:43:20 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\14.12.2008\Users\00000001\ntuser.dat
+ 2008-12-14 09:43:20 28,672 ----a-w c:\windows\ERDNT\AutoBackup\14.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\15.01.2009\ERDNT.EXE
+ 2009-01-15 10:42:10 4,968,448 ----a-w c:\windows\ERDNT\AutoBackup\15.01.2009\Users\00000001\ntuser.dat
+ 2009-01-15 10:42:12 28,672 ----a-w c:\windows\ERDNT\AutoBackup\15.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\15.12.2008\ERDNT.EXE
+ 2008-12-15 17:42:26 4,911,104 ----a-w c:\windows\ERDNT\AutoBackup\15.12.2008\Users\00000001\ntuser.dat
+ 2008-12-15 17:42:28 28,672 ----a-w c:\windows\ERDNT\AutoBackup\15.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\16.01.2009\ERDNT.EXE
+ 2009-01-16 10:05:14 4,976,640 ----a-w c:\windows\ERDNT\AutoBackup\16.01.2009\Users\00000001\ntuser.dat
+ 2009-01-16 10:05:14 28,672 ----a-w c:\windows\ERDNT\AutoBackup\16.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\16.12.2008\ERDNT.EXE
+ 2008-12-16 09:30:36 4,911,104 ----a-w c:\windows\ERDNT\AutoBackup\16.12.2008\Users\00000001\ntuser.dat
+ 2008-12-16 09:30:38 28,672 ----a-w c:\windows\ERDNT\AutoBackup\16.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\17.01.2009\ERDNT.EXE
+ 2009-01-17 00:53:06 5,025,792 ----a-w c:\windows\ERDNT\AutoBackup\17.01.2009\Users\00000001\ntuser.dat
+ 2009-01-17 00:53:08 28,672 ----a-w c:\windows\ERDNT\AutoBackup\17.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\17.12.2008\ERDNT.EXE
+ 2008-12-16 23:15:02 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\17.12.2008\Users\00000001\ntuser.dat
+ 2008-12-16 23:15:02 28,672 ----a-w c:\windows\ERDNT\AutoBackup\17.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\18.01.2009\ERDNT.EXE
+ 2009-01-18 11:29:04 5,025,792 ----a-w c:\windows\ERDNT\AutoBackup\18.01.2009\Users\00000001\ntuser.dat
+ 2009-01-18 11:29:04 28,672 ----a-w c:\windows\ERDNT\AutoBackup\18.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\18.12.2008\ERDNT.EXE
+ 2008-12-18 11:41:16 4,915,200 ----a-w c:\windows\ERDNT\AutoBackup\18.12.2008\Users\00000001\ntuser.dat
+ 2008-12-18 11:41:18 28,672 ----a-w c:\windows\ERDNT\AutoBackup\18.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\19.01.2009\ERDNT.EXE
+ 2009-01-18 23:40:20 5,038,080 ----a-w c:\windows\ERDNT\AutoBackup\19.01.2009\Users\00000001\ntuser.dat
+ 2009-01-18 23:40:22 28,672 ----a-w c:\windows\ERDNT\AutoBackup\19.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\19.12.2008\ERDNT.EXE
+ 2008-12-19 09:39:22 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\19.12.2008\Users\00000001\ntuser.dat
+ 2008-12-19 09:39:22 28,672 ----a-w c:\windows\ERDNT\AutoBackup\19.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\20.03.2009\ERDNT.EXE
+ 2009-03-20 11:23:02 5,058,560 ----a-w c:\windows\ERDNT\AutoBackup\20.03.2009\Users\00000001\ntuser.dat
+ 2009-03-20 11:23:04 28,672 ----a-w c:\windows\ERDNT\AutoBackup\20.03.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\20.12.2008\ERDNT.EXE
+ 2008-12-20 13:03:38 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\20.12.2008\Users\00000001\ntuser.dat
+ 2008-12-20 13:03:38 28,672 ----a-w c:\windows\ERDNT\AutoBackup\20.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\21.03.2009\ERDNT.EXE
+ 2009-03-21 01:52:34 5,058,560 ----a-w c:\windows\ERDNT\AutoBackup\21.03.2009\Users\00000001\ntuser.dat
+ 2009-03-21 01:52:36 28,672 ----a-w c:\windows\ERDNT\AutoBackup\21.03.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\22.01.2009\ERDNT.EXE
+ 2009-01-21 23:04:34 5,111,808 ----a-w c:\windows\ERDNT\AutoBackup\22.01.2009\Users\00000001\ntuser.dat
+ 2009-01-21 23:04:36 28,672 ----a-w c:\windows\ERDNT\AutoBackup\22.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\22.12.2008\ERDNT.EXE
+ 2008-12-22 14:36:14 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\22.12.2008\Users\00000001\ntuser.dat
+ 2008-12-22 14:36:14 28,672 ----a-w c:\windows\ERDNT\AutoBackup\22.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\23.01.2009\ERDNT.EXE
+ 2009-01-23 11:00:10 5,111,808 ----a-w c:\windows\ERDNT\AutoBackup\23.01.2009\Users\00000001\ntuser.dat
+ 2009-01-23 11:00:12 28,672 ----a-w c:\windows\ERDNT\AutoBackup\23.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\23.12.2008\ERDNT.EXE
+ 2008-12-23 18:45:44 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\23.12.2008\Users\00000001\ntuser.dat
+ 2008-12-23 18:45:44 28,672 ----a-w c:\windows\ERDNT\AutoBackup\23.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\24.01.2009\ERDNT.EXE
+ 2009-01-24 10:44:08 5,111,808 ----a-w c:\windows\ERDNT\AutoBackup\24.01.2009\Users\00000001\ntuser.dat
+ 2009-01-24 10:44:08 28,672 ----a-w c:\windows\ERDNT\AutoBackup\24.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\24.12.2008\ERDNT.EXE
+ 2008-12-24 10:10:52 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\24.12.2008\Users\00000001\ntuser.dat
+ 2008-12-24 10:10:52 28,672 ----a-w c:\windows\ERDNT\AutoBackup\24.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\25.01.2009\ERDNT.EXE
+ 2009-01-25 10:52:08 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\25.01.2009\Users\00000001\ntuser.dat
+ 2009-01-25 10:52:08 28,672 ----a-w c:\windows\ERDNT\AutoBackup\25.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\25.12.2008\ERDNT.EXE
+ 2008-12-25 22:58:16 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\25.12.2008\Users\00000001\ntuser.dat
+ 2008-12-25 22:58:16 28,672 ----a-w c:\windows\ERDNT\AutoBackup\25.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\26.01.2009\ERDNT.EXE
+ 2009-01-26 12:17:46 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\26.01.2009\Users\00000001\ntuser.dat
+ 2009-01-26 12:17:48 28,672 ----a-w c:\windows\ERDNT\AutoBackup\26.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\26.12.2008\ERDNT.EXE
+ 2008-12-26 10:06:58 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\26.12.2008\Users\00000001\ntuser.dat
+ 2008-12-26 10:06:58 28,672 ----a-w c:\windows\ERDNT\AutoBackup\26.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\27.01.2009\ERDNT.EXE
+ 2009-01-27 12:16:46 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\27.01.2009\Users\00000001\ntuser.dat
+ 2009-01-27 12:16:46 28,672 ----a-w c:\windows\ERDNT\AutoBackup\27.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\27.12.2008\ERDNT.EXE
+ 2008-12-27 00:01:28 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\27.12.2008\Users\00000001\ntuser.dat
+ 2008-12-27 00:01:28 28,672 ----a-w c:\windows\ERDNT\AutoBackup\27.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\28.12.2008\ERDNT.EXE
+ 2008-12-28 10:26:06 4,964,352 ----a-w c:\windows\ERDNT\AutoBackup\28.12.2008\Users\00000001\ntuser.dat
+ 2008-12-28 10:26:08 28,672 ----a-w c:\windows\ERDNT\AutoBackup\28.12.2008\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\30.01.2009\ERDNT.EXE
+ 2009-01-30 11:36:40 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\30.01.2009\Users\00000001\ntuser.dat
+ 2009-01-30 11:36:40 28,672 ----a-w c:\windows\ERDNT\AutoBackup\30.01.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\31.01.2009\ERDNT.EXE
+ 2009-01-31 00:55:04 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\31.01.2009\Users\00000001\ntuser.dat
+ 2009-01-31 00:55:04 28,672 ----a-w c:\windows\ERDNT\AutoBackup\31.01.2009\Users\00000002\UsrClass.dat
+ 2008-02-23 11:27:30 29,926 ----a-r c:\windows\Installer\{2B091530-69AA-442E-AB09-39ED06B58220}\MsblIco.Exe
- 2000-08-31 07:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-11-14 17:58:12 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2009-01-25 11:35:22 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-11-14 17:58:08 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-25 11:37:24 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-14 17:58:08 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-01-25 11:35:22 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2008-01-19 22:34:48 1,632 ----a-w c:\windows\SYSTEM32\d3d8caps.dat
+ 2009-01-22 02:08:50 1,632 ----a-w c:\windows\SYSTEM32\d3d8caps.dat
- 2008-10-30 02:10:48 1,744 ----a-w c:\windows\SYSTEM32\d3d9caps.dat
+ 2009-01-30 19:15:02 1,744 ----a-w c:\windows\SYSTEM32\d3d9caps.dat
+ 2004-08-04 08:57:58 93,184 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
- 2008-05-09 12:15:48 45,376 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntdd.sys
+ 2008-05-09 11:15:48 45,376 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntdd.sys
- 2008-01-21 17:11:30 22,336 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2008-01-21 16:11:30 22,336 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys
- 2008-11-14 18:30:18 75,072 ----a-w c:\windows\SYSTEM32\DRIVERS\avipbb.sys
+ 2008-10-30 09:21:04 75,072 ----a-w c:\windows\SYSTEM32\DRIVERS\avipbb.sys
- 2007-01-25 18:31:34 42,000 ----a-w c:\windows\SYSTEM32\DRIVERS\npf.sys
+ 2007-11-06 20:22:06 34,064 ----a-w c:\windows\SYSTEM32\DRIVERS\npf.sys
- 2007-11-08 18:03:26 21,248 ----a-w c:\windows\SYSTEM32\DRIVERS\ssmdrv.sys
+ 2007-11-08 17:03:26 21,248 ----a-w c:\windows\SYSTEM32\DRIVERS\ssmdrv.sys
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\SYSTEM32\MACROMED\FLASH\FlashUtil10a.exe
- 2007-06-11 12:34:00 2,115,816 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32.dll
- 2007-06-11 12:34:00 190,696 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32_FlashUtil.exe
+ 2008-02-23 11:01:52 88,590 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
+ 2009-01-30 16:33:08 84,661 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_plugin.exe
- 2007-01-25 18:31:34 88,952 ----a-w c:\windows\SYSTEM32\Packet.dll
+ 2007-11-06 20:22:20 88,696 ----a-w c:\windows\SYSTEM32\Packet.dll
- 2007-01-25 18:31:36 53,299 ----a-w c:\windows\SYSTEM32\pthreadVC.dll
+ 2007-11-06 20:19:28 53,299 ----a-w c:\windows\SYSTEM32\pthreadVC.dll
- 2007-01-19 11:53:04 51,056 ----a-w c:\windows\SYSTEM32\sirenacm.dll
+ 2007-10-18 10:31:46 51,224 ----a-w c:\windows\SYSTEM32\sirenacm.dll
- 2007-01-25 18:31:34 68,480 ----a-w c:\windows\SYSTEM32\WanPacket.dll
+ 2007-11-06 20:22:30 68,224 ----a-w c:\windows\SYSTEM32\WanPacket.dll
- 2007-01-25 18:31:36 240,496 ----a-w c:\windows\SYSTEM32\wpcap.dll
+ 2007-11-06 20:23:18 240,248 ----a-w c:\windows\SYSTEM32\wpcap.dll
- 2008-11-14 21:02:18 294,912 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-02-02 00:17:08 147,456 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-02-02 00:16:14 49,152 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012009020220090203\index.dat
+ 2006-12-01 21:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 23:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 23:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 23:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 23:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 23:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 23:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 23:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 23:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 23:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 23:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 23:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 23:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 23:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 23:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot auf jetziges Datum zurückgesetzt --
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\Standard\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 c:\progra~1\GEMEIN~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\SYSTEM32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\SYSTEM32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\SYSTEM32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [2007-11-06 34064]
S3 w32n5223;w32n5223 Protocol Driver;c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]

--- Andere Dienste/Treiber im Speicher ---

*NewlyCreated* - ANTIVIRSCHEDULER
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
Inhalt des "geplante Tasks" Ordners

2009-02-01 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
.
------- Zusätzlicher Suchlauf -------
.
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: &Alles mit FlashGet laden - c:\programme\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\programme\FlashGet\jc_link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 01:22:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...


c:\windows\system32\drivers\gaopdxnvrmpifo.sys 81920 bytes
c:\windows\system32\gaopdxcounter 16384 bytes
c:\windows\system32\gaopdxxsvypaoi.dll 65536 bytes

Scan erfolgreich abgeschlossen
versteckte Dateien: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxnvrmpifo.sys"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxnvrmpifo.sys"
"group"="file system"
"userdata"=dword:ffffffff
.
Zeit der Fertigstellung: 2009-01-30 1:24:18
ComboFix-quarantined-files.txt 2009-01-30 00:24:16
ComboFix4.txt 2008-11-14 21:14:14
ComboFix3.txt 2008-11-16 03:06:50
ComboFix2.txt 2008-11-17 23:16:56

Vor Suchlauf: 1.478.787.072 Bytes frei
Nach Suchlauf: 1,473,511,424 Bytes frei

337

And this is the Hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29:21, on 30.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=040409 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5092 bytes
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » January 30th, 2009, 8:43 pm

Did you have problems running cf? Only I note you have run it four times.
Do you have the report for the first run at all? :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware blocks antivirus software updates and internet links

Unread postby sowhat12 » January 30th, 2009, 9:24 pm

It just said that it's January 30th and that it won't run the way it should.
I didn't do the whole procedure. This is the first and only log.
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » January 31st, 2009, 1:41 am

Edit: ignore this post; reply will be getting back to you soon.
Have to look into something for you. :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » January 31st, 2009, 6:24 am

Submit a File For Analysis
We need to have the files below scanned by uploading them/it to Jotti

Please visit Jotti
Copy/paste the following file path into the window
C:\nvjepyv.exe
Click Submit/Send File
Please post back, to let me know the results.


If Jotti is too busy please try Virustotal

--------------------

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::
Rootkit::
c:\windows\system32\drivers\gaopdxnvrmpifo.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxsvypaoi.dll
Driver::
gaopdxserv.sys
File::
c:\windows\Internet Logs\xDBE.tmp
c:\windows\Internet Logs\xDBD.tmp
c:\windows\Internet Logs\xDBC.tmp

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
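A log-triage helper for the ComboFix output seen in this thread, added here as an example (it is not code from the thread or from ComboFix): it pulls the catchme hidden-file list, the locked service key with its imagepath and the Security Center overrides out of the log, flags a locked service whose image file catchme hid, and drafts the Rootkit::/Driver:: sections of a CFScript in the layout dan12 wrote by hand. The sample log is a constructed excerpt of the first ComboFix log above, and only the directive names shown in dan12's post are assumed about CFScript syntax.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the first ComboFix log posted above,
# paths and values exactly as catchme and ComboFix printed them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

c:\windows\system32\drivers\gaopdxnvrmpifo.sys 81920 bytes
c:\windows\system32\gaopdxcounter 16384 bytes
c:\windows\system32\gaopdxxsvypaoi.dll 65536 bytes

versteckte Dateien: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxnvrmpifo.sys"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxnvrmpifo.sys"
"group"="file system"
.
------------------------ Weitere laufende Prozesse ------------------------
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                           # [HKEY_...\path]
HIDDEN_RE = re.compile(r"^([A-Za-z]:\\.+?) (\d+) bytes$")    # catchme file lines
IMAGEPATH_RE = re.compile(r'^"imagepath"=(?:expand:)?"(.*)"$', re.IGNORECASE)
DWORD_ON_RE = re.compile(r'^"(\w+)"=dword:0*1$')             # "Name"=dword:00000001

@dataclass
class Triage:
    hidden_files: list = field(default_factory=list)     # (path, size in bytes)
    locked_services: dict = field(default_factory=dict)  # service name -> imagepath
    security_center: list = field(default_factory=list)  # (registry key, value name)

def triage_combofix_log(text: str) -> Triage:
    """Single pass over the log, tracking which block each line belongs to."""
    t, current_key = Triage(), ""
    in_catchme = in_locked = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("catchme "):            # hidden-item scan begins
            in_catchme = True
            continue
        if in_catchme:
            if line.startswith("****"):            # separator closes the scan block
                in_catchme = False
            elif (m := HIDDEN_RE.match(line)):
                t.hidden_files.append((m.group(1), int(m.group(2))))
            continue
        if "Gesperrte Registrierungsschluessel" in line:   # "locked registry keys"
            in_locked = True
            continue
        if in_locked and line.startswith(("---", "****")):
            in_locked = False                      # next section heading ends it
        if (m := KEY_RE.match(line)):
            current_key = m.group(1)
            if in_locked and "\\services\\" in current_key.lower():
                t.locked_services.setdefault(current_key.rsplit("\\", 1)[1], None)
        elif in_locked and "\\services\\" in current_key.lower():
            if (m := IMAGEPATH_RE.match(line)):
                # the locked-key dump doubles every backslash; undo that
                name = current_key.rsplit("\\", 1)[1]
                t.locked_services[name] = m.group(1).replace("\\\\", "\\")
        elif "security center" in current_key.lower():
            # A registered third-party firewall (ZoneAlarm here) can set these
            # legitimately, so they are context for the analyst, not proof.
            if (m := DWORD_ON_RE.match(line)):
                t.security_center.append((current_key, m.group(1)))
    return t

def services_loading_hidden_files(t: Triage) -> list:
    """Locked services whose imagepath is one of the files catchme hid: the
    strongest signal in this log, since a legitimate driver is not hidden."""
    hidden = {p.rsplit("\\", 1)[-1].lower() for p, _ in t.hidden_files}
    return sorted(name for name, path in t.locked_services.items()
                  if path and path.rsplit("\\", 1)[-1].lower() in hidden)

def draft_cfscript(t: Triage) -> str:
    """Rootkit::/Driver:: sections in the layout of dan12's script; an analyst
    still reviews the draft before anything is dragged onto ComboFix."""
    lines = ["KillAll::"]
    if t.hidden_files:
        lines += ["Rootkit::"] + [p for p, _ in t.hidden_files]
    if t.locked_services:
        lines += ["Driver::"] + sorted(t.locked_services)
    return "\n".join(lines) + "\n"
```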

Re: Malware blocks antivirus software updates and internet links

Unread postby sowhat12 » January 31st, 2009, 9:22 am

The AntiVir update worked this time, as well as Ad-Aware.
Not sure if the Google links work too.


Here is the Jotti result:

File: nvjepyv.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 4e38987f1200029a0f023e7d5939496b
Packers detected: Analyzing...


Scan taken on 31 Jan 2009 12:53:57 (GMT)
A-Squared Found Virus.Win32.Zbot!IK
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found Win32:Zbot-AZC
AVG Antivirus Found nothing
BitDefender Found Gen:Trojan.Heur.25
ClamAV Found nothing
CPsecure Found Troj.GameThief.W32.Magania.astp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found Win32:Zbot-AZC
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Malware-Cryptor.Win32.General.4 (probable variant)


Here is the new ComboFix:

ComboFix 09-01-21.04 - Standard 2009-01-30 14:01:13.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.255.110 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Standard\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*
.
- REDUZIERTER FUNKTIONALITÄTSMODUS -

FILE ::
c:\windows\Internet Logs\xDBC.tmp
c:\windows\Internet Logs\xDBD.tmp
c:\windows\Internet Logs\xDBE.tmp
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDBC.tmp
c:\windows\Internet Logs\xDBD.tmp
c:\windows\Internet Logs\xDBE.tmp
c:\windows\system32\drivers\gaopdxnvrmpifo.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxsvypaoi.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-12-28 bis 2009-01-30 ))))))))))))))))))))))))))))))
.

2009-03-21 12:07 . 2009-03-21 12:10 61,952 --a------ C:\nvjepyv.exe
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\programme\Avira
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-30 20:07 . 2009-01-30 20:07 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-30 20:07 . 2009-01-30 20:07 1,409 --a------ c:\windows\QTFont.for
2009-01-30 18:20 . 2009-01-30 18:20 <DIR> d-------- C:\BitRecorder
2009-01-30 18:18 . 2009-01-30 18:18 <DIR> d-------- c:\programme\StreamingStar
2009-01-22 03:08 . 2009-01-22 03:08 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Playrix Entertainment
2009-01-22 00:04 . 2009-01-22 00:04 <DIR> d--hs---- c:\dokumente und einstellungen\LocalService\Anwendungsdaten\twain_32
2009-01-16 12:32 . 2009-01-16 12:32 <DIR> d-------- c:\dokumente und einstellungen\Standard\dwhelper

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 11:21 16,186,394 ------w c:\windows\Internet Logs\tvDebug.zip
2009-01-31 14:31 2,061,824 ------w c:\windows\Internet Logs\xDBF.tmp
2009-01-30 13:01 56,832 ----a-w c:\windows\SYSTEM32\gaopdxxsvypaoi.dll
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-30_ 1.23.01,94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\ERDNT.EXE
+ 2009-01-30 13:09:22 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000001\ntuser.dat
+ 2009-01-30 13:09:22 28,672 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000002\UsrClass.dat
- 2009-02-02 00:17:08 147,456 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-01-30 13:08:14 32,768 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-01-30 12:57:20 49,152 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012009013020090131\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\Standard\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 c:\progra~1\GEMEIN~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\SYSTEM32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\SYSTEM32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\SYSTEM32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [2007-11-06 34064]
S3 w32n5223;w32n5223 Protocol Driver;c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]
.
Inhalt des "geplante Tasks" Ordners

2009-01-30 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
.
------- Zusätzlicher Suchlauf -------
.
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: &Alles mit FlashGet laden - c:\programme\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\programme\FlashGet\jc_link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
FF - ProfilePath - c:\dokumente und einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\160jeysz.default\
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPOJI610.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 14:10:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxnvrmpifo.sys"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxnvrmpifo.sys"
"group"="file system"
"userdata"=dword:ffffffff
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\SYSTEM32\ZONELABS\vsmon.exe
c:\programme\Lavasoft\Ad-Aware\aawservice.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\update.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-01-30 14:14:05 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-01-30 13:14:00
ComboFix4.txt 2008-11-16 03:06:50
ComboFix3.txt 2008-11-17 23:16:56
ComboFix5.txt 2009-01-30 13:00:20
ComboFix2.txt 2009-01-30 00:24:20

Vor Suchlauf: 1.475.379.200 Bytes frei
Nach Suchlauf: 1,432,272,896 Bytes frei

202
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » January 31st, 2009, 1:32 pm

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
Rootkit::
c:\windows\SYSTEM32\gaopdxxsvypaoi.dll
Driver::
gaopdxserv
File::
C:\nvjepyv.exe

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware blocks antivirus software updates and internet links

Unread postby sowhat12 » January 31st, 2009, 6:42 pm

Here's the new log:

ComboFix 09-01-31.01 - Standard 2009-01-30 23:25:50.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.255.108 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Standard\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
C:\nvjepyv.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\LocalService\Anwendungsdaten\twain_32
c:\dokumente und einstellungen\LocalService\Anwendungsdaten\twain_32\user.ds
C:\nvjepyv.exe
c:\windows\SYSTEM32\gaopdxxsvypaoi.dll
d:\recycler\S-7-4-21-100026844-100021564-100019803-2812.com

.
((((((((((((((((((((((( Dateien erstellt von 2008-12-28 bis 2009-01-31 ))))))))))))))))))))))))))))))
.

2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\programme\Avira
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-30 20:07 . 2009-01-30 20:07 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-30 20:07 . 2009-01-30 20:07 1,409 --a------ c:\windows\QTFont.for
2009-01-30 18:20 . 2009-01-30 18:20 <DIR> d-------- C:\BitRecorder
2009-01-30 18:18 . 2009-01-30 18:18 <DIR> d-------- c:\programme\StreamingStar
2009-01-22 03:08 . 2009-01-22 03:08 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Playrix Entertainment
2009-01-16 12:32 . 2009-01-16 12:32 <DIR> d-------- c:\dokumente und einstellungen\Standard\dwhelper

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 11:21 16,186,394 ------w c:\windows\Internet Logs\tvDebug.zip
2009-01-31 14:31 2,061,824 ------w c:\windows\Internet Logs\xDBF.tmp
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-30_ 1.23.01,94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\ERDNT.EXE
+ 2009-01-30 13:09:22 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000001\ntuser.dat
+ 2009-01-30 13:09:22 28,672 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\ERDNT.EXE
+ 2009-01-31 22:34:18 5,140,480 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\Users\00000001\ntuser.dat
+ 2009-01-31 22:34:18 28,672 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\Users\00000002\UsrClass.dat
- 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 07:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2009-02-02 00:17:08 147,456 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-01-31 22:32:40 65,536 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-01-30 21:03:32 81,920 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012009013020090131\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\Standard\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 c:\progra~1\GEMEIN~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\SYSTEM32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\SYSTEM32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\SYSTEM32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [2007-11-06 34064]
S3 w32n5223;w32n5223 Protocol Driver;c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]
.
Inhalt des "geplante Tasks" Ordners

2009-01-30 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
.
------- Zusätzlicher Suchlauf -------
.
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: &Alles mit FlashGet laden - c:\programme\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\programme\FlashGet\jc_link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
FF - ProfilePath - c:\dokumente und einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\160jeysz.default\
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPOJI610.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 23:35:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\programme\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-01-31 23:39:11 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-01-31 22:39:06
ComboFix4.txt 2008-11-17 23:16:56
ComboFix5.txt 2009-01-30 22:24:44
ComboFix3.txt 2009-01-30 00:24:20
ComboFix2.txt 2009-01-30 13:14:16

Vor Suchlauf: 1.208.745.984 Bytes frei
Nach Suchlauf: 1,222,803,456 Bytes frei

sowhat12

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » January 31st, 2009, 9:58 pm

Hi, hope things are a little better for you now? I just need to send some files off to be looked at which are quarantined at the moment.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
Collect::
C:\Qoobox\Quarantine\C\windows\system32\drivers\gaopdxnvrmpifo.sys.vir
C:\Qoobox\Quarantine\C\windows\system32\gaopdxcounter.vir
C:\Qoobox\Quarantine\C\windows\system32\gaopdxxsvypaoi.dll.vir

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


edited to include files for upload.
dan12

Re: Malware blocks antivirus software updates and internet links

Unread postby dan12 » February 1st, 2009, 7:13 am

Have edited my last post, it pays to include the files for upload :oops:
Let me know when carried out and if it was successful.
dan
dan12

Re: Malware blocks antivirus software updates and internet links

Unread postby sowhat12 » February 2nd, 2009, 6:13 pm

Hi Dan,

Everything works fine. I can do updates again and there's no redirecting anymore. Thank you so much for your help. I did as you said. Here is the latest log:

ComboFix 09-02-02.03 - Standard 2009-02-02 23:01:52.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.255.95 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Standard\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\autorun.inf
f:\recycler\S-7-4-21-100026844-100021564-100019803-2812.com

.
((((((((((((((((((((((( Dateien erstellt von 2009-01-02 bis 2009-02-02 ))))))))))))))))))))))))))))))
.

2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\programme\Avira
2009-02-01 13:37 . 2009-02-01 13:37 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-30 20:07 . 2009-01-30 20:07 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-30 20:07 . 2009-01-30 20:07 1,409 --a------ c:\windows\QTFont.for
2009-01-30 18:20 . 2009-01-30 18:20 <DIR> d-------- C:\BitRecorder
2009-01-30 18:18 . 2009-01-30 18:18 <DIR> d-------- c:\programme\StreamingStar
2009-01-22 03:08 . 2009-01-22 03:08 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Playrix Entertainment
2009-01-16 12:32 . 2009-01-16 12:32 <DIR> d-------- c:\dokumente und einstellungen\Standard\dwhelper

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 11:21 16,186,394 ------w c:\windows\Internet Logs\tvDebug.zip
2009-01-31 14:31 2,061,824 ------w c:\windows\Internet Logs\xDBF.tmp
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-30_ 1.23.01,94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\02.02.2009\ERDNT.EXE
+ 2009-02-02 12:29:04 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\02.02.2009\Users\00000001\ntuser.dat
+ 2009-02-02 12:29:04 28,672 ----a-w c:\windows\ERDNT\AutoBackup\02.02.2009\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\ERDNT.EXE
+ 2009-01-30 13:09:22 5,124,096 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000001\ntuser.dat
+ 2009-01-30 13:09:22 28,672 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-30\Users\00000002\UsrClass.dat
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\ERDNT.EXE
+ 2009-01-31 22:34:18 5,140,480 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\Users\00000001\ntuser.dat
+ 2009-01-31 22:34:18 28,672 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-31\Users\00000002\UsrClass.dat
- 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 13:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2009-02-02 00:17:08 147,456 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2009-02-02 21:54:08 212,992 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
- 2009-02-02 00:16:14 49,152 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012009020220090203\index.dat
+ 2009-02-02 21:54:08 49,152 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012009020220090203\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-01-31 385024]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\Standard\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 13:45 36040 c:\progra~1\GEMEIN~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\programme\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\SYSTEM32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\SYSTEM32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\SYSTEM32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [2007-11-06 34064]
S3 w32n5223;w32n5223 Protocol Driver;c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]
.
Inhalt des "geplante Tasks" Ordners

2009-02-02 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
.
------- Zusätzlicher Suchlauf -------
.
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: &Alles mit FlashGet laden - c:\programme\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\programme\FlashGet\jc_link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
FF - ProfilePath - c:\dokumente und einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\160jeysz.default\
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\Java\j2re1.4.0\bin\NPOJI610.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 23:04:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2009-02-02 23:06:58
ComboFix-quarantined-files.txt 2009-02-02 22:06:56
ComboFix5.txt 2009-02-02 22:00:42
ComboFix4.txt 2009-01-30 00:24:20
ComboFix3.txt 2009-01-30 13:14:16
ComboFix2.txt 2009-01-31 22:39:22

Vor Suchlauf: 976.420.864 Bytes frei
Nach Suchlauf: 997,720,064 Bytes frei

sowhat12
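Added example, not part of the thread and not ComboFix's or the helpers' code: a small Python triage script for the ComboFix log format posted above. It splits the report into its "((( title )))" sections and flags what a helper reads first: the AV/FW status lines, the removed autorun.inf and RECYCLER executable, the Security Center override values and the Windows Firewall profile switch, noting when a third-party firewall is registered (as ZoneAlarm is here) so the overrides may be legitimate. SAMPLE_LOG is a constructed excerpt assembled from lines on this page, with the German section titles ComboFix printed here; the Security Center value names beyond the two on the page are the standard ones for that key.

```python
# Triage of a ComboFix-style log (added example; not code from this thread or from ComboFix).
import re
from typing import Dict, List, Tuple

# Constructed excerpt assembled from lines posted in this thread.
SAMPLE_LOG = r"""
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*
(((((((((((((((((( Weitere Löschungen ))))))))))))))))))
.
F:\autorun.inf
f:\recycler\S-7-4-21-100026844-100021564-100019803-2812.com
(((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BANNER_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")        # ((( section title )))
STATUS_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*(.+?)\*")      # AV:/FW: product *state*
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.I)
# Real SIDs start with S-1-; an executable under RECYCLER named after a fake SID is a classic hiding spot.
RECYCLER_RE = re.compile(r"\\recycler\\(S-[\d-]+)\.(com|exe|scr|bat|cmd|pif)$", re.I)
# Security Center values that silence the user-facing warnings (the thread shows the first two).
SC_SILENCERS = {"UpdatesDisableNotify", "FirewallOverride", "AntiVirusOverride",
                "AntiVirusDisableNotify", "FirewallDisableNotify"}


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines by the '((( title )))' banners; 'header' holds what precedes the first."""
    sections, current = {"header": []}, "header"
    for line in (s.strip() for s in log.splitlines()):
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def registry_values(lines: List[str]) -> List[Tuple[str, str, str]]:
    # Flatten REGEDIT4-style output into (key, value name, data) triples; keys are lower-cased.
    triples, key = [], ""
    for line in lines:
        k, v = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
        if k:
            key = k.group(1).lower()
        elif v and key:
            triples.append((key, v.group(1), v.group(2)))
    return triples


def triage(log: str) -> List[Tuple[str, str]]:
    # Returns (severity, message) findings in log order.
    sections, out = split_sections(log), []
    for line in sections["header"]:
        m = STATUS_RE.match(line)
        if m and "disabled" in m.group(3).lower():
            out.append(("high", f"{m.group(1)} {m.group(2)}: {m.group(3)} (re-enable after cleanup)"))
    for path in sections.get("Weitere Löschungen", []):
        a, r = AUTORUN_RE.match(path), RECYCLER_RE.search(path)
        if a:
            out.append(("high", f"autorun.inf removed from drive {a.group(1).upper()}: (removable-media spreader)"))
        elif r:
            sid = "malformed SID" if not r.group(1).startswith("S-1-") else "SID-style name"
            out.append(("high", f"executable hidden under RECYCLER ({sid}) removed: {path}"))
        else:
            out.append(("info", f"removed: {path}"))
    triples = registry_values(sections.get("Autostartpunkte der Registrierung", []))
    # A product registered under Security Center\Monitoring may set the overrides legitimately.
    vendors = sorted({k.rsplit("\\", 1)[-1] for k, _, _ in triples if "security center\\monitoring\\" in k})
    note = f" (registered third-party product: {', '.join(vendors)}; confirm it is the user's own)" if vendors else ""
    for key, name, data in triples:
        if key.endswith("security center") and name in SC_SILENCERS and data.endswith("00000001"):
            out.append(("medium", f"Security Center warning silenced: {name}={data}{note}"))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and data.startswith("0"):
            out.append(("medium", f"Windows Firewall off in the standard profile{note}"))
    return out
```

Run `triage(SAMPLE_LOG)` to see the seven findings for the excerpt; feed it the full text of either log above to triage the whole report.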