
re-installation after remote access trojan Laptop1


Post by Helmut13 » October 14th, 2012, 4:40 am

Hello,

I had a remote access trojan on my home network (one desktop and two laptops).

viewtopic.php?f=12&t=60553

I reinstalled Laptop 1 completely new. As I had to copy my documents and so on I want to check if the trojan is really not present anymore.

Here are my logs of laptop 1:

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by HelmutN at 10:28:58 on 2012-10-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.242 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Online Armor\OAui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
TCP: Interfaces\{293ED8FA-0655-4E86-B0BE-4A4DE8364322} : NameServer = 192.168.0.1
TCP: Interfaces\{72E7A426-CC93-427F-BD8B-66E39198EF9E} : NameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\helmutn\application data\mozilla\firefox\profiles\80sypium.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-10-9 36552]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-10-9 208320]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-10-9 44992]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-10-9 27648]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-10-9 31920]
R2 AntiVirSchedulerService;Avira Planer;c:\program files\avira\antivir desktop\sched.exe [2012-10-9 84256]
R2 AntiVirService;Avira Echtzeit-Scanner;c:\program files\avira\antivir desktop\avguard.exe [2012-10-9 108320]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-10-9 83792]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-10-9 216072]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-10-9 4463864]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2012-10-9 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2012-10-9 6100]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-10-9 250808]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-9 115168]
.
=============== Created Last 30 ================
.
2012-10-12 15:33:03 -------- d-----w- c:\windows\ie8updates
2012-10-12 15:02:03 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-12 15:02:03 14676960 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-12 15:02:02 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-12 15:02:02 891808 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-12 15:02:02 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-12 15:02:02 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-12 15:02:02 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2012-10-12 15:02:02 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2012-10-12 15:02:01 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-12 14:51:07 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-10-12 14:51:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-10-12 14:51:04 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-10-12 14:51:02 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-12 14:51:02 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-10-12 14:51:01 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-10-12 14:51:00 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-10-12 14:40:04 -------- d-sh--w- c:\documents and settings\helmutn\IETldCache
2012-10-11 20:03:11 -------- dc-h--w- c:\windows\ie8
2012-10-11 19:25:52 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-10-11 19:25:33 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-10-11 19:24:58 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-10-11 19:24:39 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-10-11 19:24:31 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-10-11 19:23:06 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-10-11 19:22:47 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-10-11 19:22:18 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-10-11 19:22:18 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-10-11 19:21:51 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-10-11 19:21:50 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-10-11 19:21:50 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-10-11 19:21:49 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-10-11 19:21:49 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-10-11 19:21:48 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-10-11 19:21:48 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-10-11 19:21:26 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-10-11 19:20:24 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-10-11 19:20:14 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-10-11 19:20:02 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-10-11 19:18:33 293376 ------w- c:\windows\system32\browserchoice.exe
2012-10-11 19:17:41 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-10-11 19:15:25 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-10-11 19:15:22 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-10-11 19:12:59 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-10-11 19:12:55 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-10-11 19:12:54 2192896 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-10-11 19:12:52 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-10-11 19:12:51 2069632 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-10-11 19:12:37 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2012-10-11 19:12:12 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-10-11 19:11:12 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-10-11 19:11:12 3072 ------w- c:\windows\system32\iacenc.dll
2012-10-11 19:07:07 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-10-11 19:06:58 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-10-10 20:07:34 -------- d-----w- c:\windows\system32\PreInstall
2012-10-10 20:07:30 -------- d--h--w- c:\windows\$hf_mig$
2012-10-10 18:18:49 -------- d-----w- c:\documents and settings\helmutn\local settings\application data\Temp
2012-10-10 18:18:49 -------- d-----w- c:\documents and settings\helmutn\local settings\application data\Adobe
2012-10-10 18:14:24 65024 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP86.DLL
2012-10-10 18:14:23 22528 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD86.DLL
2012-10-10 18:14:17 161792 ----a-w- c:\windows\system32\CNMLM86.DLL
2012-10-10 18:08:45 -------- d-----w- c:\program files\MSECache
2012-10-10 18:05:35 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2012-10-10 18:05:35 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-10-10 17:51:11 -------- d-----w- C:\biathwin
2012-10-10 17:51:10 -------- d-----w- C:\Biathlon
2012-10-10 17:37:13 -------- d-----w- c:\program files\VideoLAN
2012-10-10 17:21:37 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2012-10-10 17:21:37 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2012-10-10 17:21:07 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2012-10-10 17:20:53 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2012-10-10 17:20:52 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2012-10-10 17:20:52 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2012-10-10 17:20:52 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2012-10-10 17:20:51 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2012-10-10 17:20:44 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-10-10 17:20:14 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-10-10 17:19:17 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2012-10-09 19:53:08 18944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2012-10-09 19:53:08 17920 ----a-w- c:\windows\system32\mdimon.dll
2012-10-09 19:48:59 -------- d-----w- c:\windows\SHELLNEW
2012-10-09 19:31:11 294912 ----a-r- c:\windows\system32\atiiiexx.dll
2012-10-09 19:31:11 131072 ----a-r- c:\windows\system32\ATIDEMGR.dll
2012-10-09 19:30:25 -------- d-----w- c:\program files\ATI Technologies
2012-10-09 19:29:20 34329 ------w- c:\windows\O2Remove.EXE
2012-10-09 19:28:56 6100 ----a-r- c:\windows\system32\drivers\MbxStby.sys
2012-10-09 19:28:56 191092 ----a-r- c:\windows\system32\drivers\o2mmb.sys
2012-10-09 19:27:18 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-10-09 19:26:27 65536 ----a-w- c:\windows\SmCfg.exe
2012-10-09 19:26:27 528384 ----a-w- c:\windows\system32\SLLights.dll
2012-10-09 19:26:27 454656 ----a-w- c:\windows\system32\slcpappl.cpl
2012-10-09 19:26:27 368640 ----a-w- c:\windows\system32\slmh.exe
2012-10-09 19:26:27 208896 ----a-w- c:\windows\system32\amr_cpl.dll
2012-10-09 19:26:27 167936 ----a-w- c:\windows\system32\minirec.exe
2012-10-09 19:26:27 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-10-09 19:26:27 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2012-10-09 19:26:27 15040 ----a-w- c:\windows\system32\drivers\winddx.sys
2012-10-09 19:26:27 135168 ----a-w- c:\windows\system32\SLMOHServ.dll
2012-10-09 19:26:26 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2012-10-09 19:26:26 175104 ----a-w- c:\windows\system32\csamsp.dll
2012-10-09 19:25:16 -------- d-----w- c:\windows\Modio
2012-10-09 19:22:06 466944 ----a-w- c:\windows\system32\w29NCPA.dll
2012-10-09 19:22:06 3298432 ----a-w- c:\windows\system32\drivers\w29n51.sys
2012-10-09 19:22:06 1671168 ----a-w- c:\windows\system32\w29mlres.dll
2012-10-09 19:18:57 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2012-10-09 19:18:57 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2012-10-09 19:18:52 159488 ----a-r- c:\windows\system32\drivers\vinyl97.sys
2012-10-09 19:18:50 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2012-10-09 19:18:50 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-10-09 19:18:50 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2012-10-09 19:18:50 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2012-10-09 19:18:48 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2012-10-09 19:18:48 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2012-10-09 19:18:48 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-10-09 19:18:38 36864 ----a-w- c:\windows\system32\UnAudioNT.dll
2012-10-09 19:18:37 -------- d-----w- c:\program files\VIAudioi
2012-10-09 19:18:32 328704 ----a-w- c:\windows\IsUn0407.exe
2012-10-09 19:10:09 221184 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2012-10-09 19:10:03 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-10-09 19:09:57 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-10-09 19:09:48 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-10-09 19:09:45 610436 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2012-10-09 19:06:29 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-10-09 19:06:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-10-09 19:06:22 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2012-10-09 19:06:22 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-10-09 19:03:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 19:03:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 19:01:11 -------- d-----w- c:\documents and settings\helmutn\local settings\application data\Mozilla
2012-10-09 18:59:39 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-09 18:38:32 -------- d-----w- c:\windows\system32\appmgmt
2012-10-09 18:13:50 -------- d-----w- c:\documents and settings\helmutn\application data\Avira
2012-10-09 18:06:44 -------- d-----w- c:\documents and settings\helmutn\application data\CallingID
2012-10-09 18:06:41 -------- d-----w- c:\documents and settings\helmutn\local settings\application data\DoNotTrackPlus
2012-10-09 17:46:57 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-10-09 17:45:45 -------- d-----w- c:\documents and settings\helmutn\application data\OnlineArmor
2012-10-09 17:45:45 -------- d-----w- c:\documents and settings\all users\application data\OnlineArmor
2012-10-09 17:45:22 44992 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2012-10-09 17:45:22 31920 ----a-w- c:\windows\system32\drivers\OAnet.sys
2012-10-09 17:45:22 27648 ----a-w- c:\windows\system32\drivers\OAmon.sys
2012-10-09 17:45:22 208320 ----a-w- c:\windows\system32\drivers\OADriver.sys
2012-10-09 17:44:52 -------- d-----w- c:\program files\Online Armor
2012-10-09 17:44:18 -------- d-----w- c:\documents and settings\helmutn\application data\Malwarebytes
2012-10-09 17:43:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-09 17:43:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-09 17:43:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-09 17:40:49 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-10-09 17:40:49 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-10-09 17:40:47 -------- d-----w- c:\program files\Avira
2012-10-09 17:40:47 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-10-09 17:25:56 9728 ------w- c:\windows\system32\rwnh.dll
2012-10-09 17:21:31 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2012-10-09 17:18:47 -------- d-----w- c:\windows\network diagnostic
2012-10-09 17:18:45 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2012-10-09 17:18:44 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-10-09 17:16:51 19569 ----a-w- c:\windows\005445_.tmp
2012-10-09 17:04:07 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2012-10-09 17:02:34 -------- d-s---w- c:\windows\system32\Microsoft
2012-10-09 16:55:59 44672 ------w- c:\windows\system32\drivers\uagp35.sys
2012-10-09 16:48:58 2897920 ------w- c:\windows\system32\xpsp2res.dll
2012-10-09 16:47:50 19528 ----a-w- c:\windows\003575_.tmp
2012-10-09 16:47:46 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-10-09 16:47:38 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2012-10-08 20:02:29 -------- d-----w- c:\windows\ServicePackFiles
2012-10-08 20:01:58 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe
2012-10-08 20:00:59 326432 ----a-w- c:\windows\system32\msexcl40.dll
.
==================== Find3M ====================
.
2012-10-09 19:33:32 86016 ----a-w- c:\windows\system32\ati2evxx.dll
2012-10-09 19:33:32 81920 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-10-09 19:33:32 65536 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-10-09 19:33:32 6524928 ----a-w- c:\windows\system32\atioglxx.dll
2012-10-09 19:33:32 376832 ----a-w- c:\windows\system32\ati2evxx.exe
2012-10-09 19:33:32 30720 ----a-w- c:\windows\system32\ati2edxx.dll
2012-10-09 19:33:32 24064 ----a-w- c:\windows\system32\ativcoxx.dll
2012-10-09 19:33:32 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-10-09 19:33:32 118784 ----a-w- c:\windows\system32\atipdlxx.dll
2012-10-09 19:33:32 102400 ----a-w- c:\windows\system32\Oemdspif.dll
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:19 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 10:32:20,64 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-14.05)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 08.10.2012 19:51:14
System Uptime: 14.10.2012 08:59:19 (2 hours ago)
.
Motherboard: To be filled by O.E.M. | | To be filled by O.E.M.
Processor: Intel(R) Pentium(R) M processor 1.70GHz | CPU 1 | 1699/400mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 9,359 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 08.10.2012 20:03:07 - System Checkpoint
RP2: 08.10.2012 20:12:54 - Online Armor Installation
RP3: 08.10.2012 21:57:56 - Installed Windows XP Service Pack 1.
RP4: 09.10.2012 18:47:52 - Installed Windows XP Service Pack 2.
RP5: 09.10.2012 19:17:03 - Installed Windows XP Service Pack 3.
RP6: 09.10.2012 19:45:33 - Online Armor Installation
RP7: 09.10.2012 20:38:14 - Removed Ask Toolbar.
RP8: 09.10.2012 21:28:36 - Installed O2Micro MemoryCardBus Windows Driver
RP9: 09.10.2012 21:47:06 - Microsoft Office Professional Edition 2003 wird installiert
RP10: 10.10.2012 20:10:28 - Compatibility Pack für 2007 Office System wird installiert
RP11: 10.10.2012 22:07:18 - Software Distribution Service 3.0
RP12: 11.10.2012 21:46:41 - Software Distribution Service 3.0
RP13: 12.10.2012 17:31:47 - Software Distribution Service 3.0
RP14: 12.10.2012 17:45:33 - Installed Windows XP WgaNotify.
RP15: 14.10.2012 09:37:05 - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4) - Deutsch
ATI Display Driver
Avira Free Antivirus
Compatibility Pack für 2007 Office System
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Malwarebytes Anti-Malware Version 1.65.0.1400
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 16.0.1 (x86 de)
Mozilla Maintenance Service
O2Micro MemoryCardBus Windows Driver
Online Armor 6.0
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847-v2)
Security Update for Windows XP (KB2744842)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Smart Link 56K Modem
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
VIA Audio Driver Setup Program
VLC media player 2.0.3
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
14.10.2012 10:29:23, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
12.10.2012 17:43:00, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Access is denied.
12.10.2012 17:43:00, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
12.10.2012 17:38:56, error: MRxSmb [8003] - The master browser has received a server announcement from the computer COMPUTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{293ED8FA-0655-4E86-. The master browser is stopping or an election is being forced.
11.10.2012 20:46:17, error: NetBT [4307] - Initialization failed because the transport refused to open initial Addresses.
09.10.2012 20:48:38, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MEDIA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{72E7A426-CC93-427F-. The master browser is stopping or an election is being forced.
09.10.2012 20:23:36, error: DCOM [10000] - Unable to start a DCOM Server: {43AB7B5D-4C40-4103-A549-7002A116A7D5}. The error: "%5" Happened while starting this command: C:\Program Files\Ask.com\CallingIDSDK\CIDGlobalLight.exe -Embedding
09.10.2012 18:40:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: OADevice
08.10.2012 20:12:59, error: Service Control Manager [7003] - The OADriver service depends on the following nonexistent service: FltMgr
.
==== End Of File ===========================

Thank you
Helmut13
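As an added example (not a MalwareRemoval.com tool, and not how the helpers review logs), a small Python script that triages a DDS log like the one posted above in the way the post asks for after a reinstall: it flags processes and Run-key autostarts whose image sits outside Windows / Program Files, and lists files stamped earlier than the Install Date. The embedded excerpt is constructed in the same format; the "Updater" entry is made up to exercise the check.

```python
"""Triage helper for a DDS log of the kind posted above (added example; not a
MalwareRemoval.com tool). After a reinstall it lists autostart entries and
processes outside Windows/Program Files, and files older than the Install Date."""
import re
from datetime import datetime

# Constructed excerpt in the DDS format above; the "Updater" uRun line is made up.
SAMPLE_LOG = r"""
Install Date: 08.10.2012 19:51:14
.
============== Running Processes ================
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uRun: [Updater] c:\documents and settings\helmutn\application data\updater\upd.exe
.
=============== Created Last 30 ================
.
2012-10-12 15:02:03 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-09 17:43:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
"""

# Locations a fresh Windows XP install plus its installers should account for.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
RUN_RE = re.compile(r"^[umd]Run:\s+\[[^\]]*\]\s+(.+)$")
INSTALL_RE = re.compile(r"^Install Date:\s+(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})")
# Image path with optional quotes and trailing arguments (svchost.exe -k netsvcs).
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|dll|sys|cpl))"?(?:\s|$)', re.IGNORECASE)


def parse_sections(text):
    """Split the log into {section name: [lines]}; '.' spacer lines are dropped."""
    sections, current = {}, "preamble"
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def install_date(text):
    """Read the 'Install Date' line (dd.mm.yyyy, as DDS printed it on this system)."""
    for line in text.splitlines():
        found = INSTALL_RE.match(line.strip())
        if found:
            return datetime.strptime(found.group(1), "%d.%m.%Y %H:%M:%S")
    raise ValueError("no Install Date line in log")


def image_path(entry):
    """Strip quotes and arguments from a process or Run-key line, leaving the image path."""
    found = PATH_RE.match(entry.strip())
    return found.group(1) if found else entry.strip()


def untrusted_autostarts(sections):
    """Processes and Run-key images outside Windows / Program Files; a reinstall
    should have left no persistence in user-profile or temp directories."""
    candidates = [("process", p) for p in sections.get("Running Processes", [])]
    for line in sections.get("Pseudo HJT Report", []):
        run = RUN_RE.match(line)
        if run:
            candidates.append(("run", run.group(1)))
    return [(kind, image_path(e)) for kind, e in candidates
            if not image_path(e).lower().startswith(TRUSTED_PREFIXES)]


def files_before_install(sections, installed):
    """Files in 'Created Last 30' / 'Find3M' stamped earlier than the reinstall.
    Update and driver packages keep their build dates, so this is a review list,
    not a verdict; timestamps are compared exactly as written in the log."""
    older = []
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            entry = FILE_RE.match(line)
            if not entry:
                continue
            stamp = datetime.strptime(entry.group(1), "%Y-%m-%d %H:%M:%S")
            if stamp < installed:
                older.append((stamp, entry.group(4)))
    return older


def triage(text):
    """Run both checks over one DDS log and return the findings."""
    sections, installed = parse_sections(text), install_date(text)
    return {"install_date": installed,
            "untrusted": untrusted_autostarts(sections),
            "predating_install": files_before_install(sections, installed)}
```

On the constructed excerpt `triage(SAMPLE_LOG)` flags only the made-up "Updater" Run entry and lists wininet.dll (an August update binary) as predating the install, which is exactly the kind of benign hit the review list is meant to surface for a human to dismiss.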

Re: re-installation after remote access trojan Laptop1

Post by wannabeageek » October 14th, 2012, 6:41 pm

Hello Helmut13, and Welcome to MalWare Removal forums!

My name is wannabeageek and I'll be helping you with any malware problems.
I am a MRU Undergraduate trainee here, and as such my posts to you have to first be checked by a Teacher.
Because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:

    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Re: re-installation after remote access trojan Laptop1

Post by wannabeageek » October 15th, 2012, 10:20 pm

Hi Helmut,
The DDS logs look good so job well done on the reinstallation. The following scans should tell us if there are any problems. However, I am not expecting any.

-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any item it finds.
IMPORTANT >> tell it to DELETE or QUARANTINE any items it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
As you already have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using this procedure:
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab. Choose Check for Updates.
  • Restart Malwarebytes Anti-Malware after the Update if you have to.
  • After the update has been completed, select the Settings tab, then the Scanner Settings tab
  • For Action for Potentially Unwanted Programs (PUP), choose Show in results list and check for removal
  • Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Make sure all items are checked. Then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.
    The same new log can also be found via the Logs tab when the application is re-started.
Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
This allows MBAM to remove additional items that could not be removed while Windows is running.
------------------------------------------------------------
OTL
Please download OTL ... by Old Timer . Save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Check the boxes labeled :
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
    Make sure all other windows are closed to let it run uninterrupted.
  • Click on Run Scan at the top left hand corner. Do not change any settings unless otherwise told to do so.
    When the scan starts, OTL may appear to be frozen while it runs. Please be patient.
  • When done, two Notepad files will open.
    (The OTL logs may show some items under a heading labeled Zero Access. This does NOT mean there is any infection.)
  • Please post the contents of both OTL.txt and Extras.txt files in your next reply.
------------------------------------------------------------


Please include in your next reply:
The contents of:
  • Last Scan log from Antivir
  • MalwareBytes log
  • OTL.txt
  • Extras.txt
Please feel free to use separate replies.
Thanks,
wannabeageek

Re: re-installation after remote access trojan Laptop1

Post by wannabeageek » October 19th, 2012, 8:26 am

Due to Lack of Response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.

