
Inactive [InActive] cmd, regedit, totalcmd crash Windows-Shell/Explorer, Malware?

Discussion in 'Malware and Virus Removal Archive' started by Steffen, 2009/05/05.

  1. 2009/05/05
    Steffen

    Steffen Inactive Thread Starter

    Joined:
    2009/05/05
    Messages:
    2
    Likes Received:
    0
    Hi,

    For some days the following problem has been occurring on my WinXP Home, SP3:

    cmd.exe, totalcmd.exe, regedit, regedt32, notepad all crash the Windows Shell, which then restarts after some seconds.
    Same in Safe Mode.

    dds does not work (maybe because cmd.exe crashes?). Can you tell me how?
    I'll post my HijackThis log below.

    Internet Explorer and Opera work (now). I had a lot of crashes of these yesterday, but after a virus scan and some removals that seems to be repaired??? I never really experienced browser hijacks. Had some problems with accessing AV software, but this is gone now.

    I ran Antivir, McAfee system scans, Spybot, Sophos Anti-Rootkit, AVG Anti-Rootkit.

    I got reports and removals of TR.Gendal and TR.Agent.

    Have ZoneAlarm running, no further firewall.

    AviraAntivir does not update ( "an error occured withing the WinInet-Library. ")
    But it never did before, as I installed it just after having removed McAfee.


    Thanks for your help
    Steffen



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:34:02, on 05.05.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Avira\AntiVir Desktop\sched.exe
    C:\Programme\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Programme\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Programme\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Programme\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programme\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Dokumente und Einstellungen\Steffen\Desktop\OTListIt2.exe
    C:\WINDOWS\notepad.exe
    c:\programme\avira\antivir desktop\avcenter.exe
    C:\Programme\Avira\AntiVir Desktop\update.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Programme\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programme\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab
    O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://hamburgcam.axiscam.net:8080/activex/AMC.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D29AC44-C503-447B-863D-A84BBAD7DF25}: NameServer = 195.50.140.114 195.50.140.252
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
    O23 - Service: F80D34F7 - Unknown owner - C:\WINDOWS\system32\F80D34F7.exe (file missing)
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7940 bytes
     
  2. 2009/05/06
    Steffen

    Steffen Inactive Thread Starter

    Joined:
    2009/05/05
    Messages:
    2
    Likes Received:
    0
    [seems resolved]

    OK, I identified thread

    http://www.windowsbbs.com/malware-v...refox-google-redirect-cmd-regedit-crashes.html

    as being _very_ much what I had:

    A strange entry, similar to "aux"="c:\windows\ayg.iee", in
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32], which I found with Regquery.exe (regedit not working).

    This file was deletable but re-created immediately.

    I then ran ComboFix with a CFScript.txt on the Desktop as described in the above thread:

    Collect::
    c:\windows\ayg.iee
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"="wdmaud.drv"

    I didn't have the impression ComboFix took notice of that, but anyway it successfully fixed my system! See log below.

    regedit, cmd all run again. Are there further problems in Combofix's log to take notice of?

    Steffen



    ComboFix 09-05-05.04 - Steffen 06.05.2009 13:07.1 - NTFSx86
    ausgeführt von:: c:\dokumente und einstellungen\Steffen\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
    FW: ZoneAlarm Firewall *disabled*
    .

    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\ayg.iee
    c:\windows\regedit.com
    c:\windows\system32\a.bat
    c:\windows\system32\taskmgr.com

    .
    ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FILEMON
    -------\Legacy_OREANS32
    -------\Service_oreans32


    ((((((((((((((((((((((( Dateien erstellt von 2009-04-06 bis 2009-05-06 ))))))))))))))))))))))))))))))
    .

    2009-05-05 19:07 . 2009-05-05 16:52 360021 ----a-w C:\dds.scr
    2009-05-05 18:57 . 2008-04-14 05:52 401920 ----a-w c:\windows\system32\cmd2.exe
    2009-05-05 16:58 . 2009-05-05 16:58 -------- d-----w c:\programme\Misc. Support Library (Spybot - Search & Destroy)
    2009-05-05 16:58 . 2009-05-05 16:58 -------- d-----w c:\programme\SDHelper (Spybot - Search & Destroy)
    2009-05-05 16:58 . 2009-05-05 16:58 -------- d-----w c:\programme\File Scanner Library (Spybot - Search & Destroy)
    2009-05-05 16:55 . 2008-04-14 05:52 401920 ----a-w c:\windows\system32\Kopie (2) von cmd.exe
    2009-05-05 16:48 . 2009-05-05 16:48 -------- d-----w c:\programme\Trend Micro
    2009-05-05 07:01 . 2009-05-05 07:01 -------- d---a-w c:\windows\system32\runouce.exe
    2009-05-05 07:00 . 2009-05-05 07:00 626688 ----a-w c:\windows\system32\msvcr80.dll
    2009-05-05 07:00 . 2009-05-05 07:00 548864 ----a-w c:\windows\system32\msvcp80.dll
    2009-05-05 07:00 . 2009-05-05 07:00 28672 ----a-w c:\windows\system32\eEmpty.exe
    2009-05-05 07:00 . 2009-05-05 07:00 -------- d-----w c:\programme\Gemeinsame Dateien\MicroWorld
    2009-05-05 07:00 . 2009-05-05 07:00 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\MicroWorld
    2009-05-04 21:51 . 2009-05-04 21:51 -------- d-----w c:\dokumente und einstellungen\Steffen\Anwendungsdaten\Malwarebytes
    2009-05-04 21:51 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-04 21:51 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-04 21:51 . 2009-05-04 21:51 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2009-05-04 21:51 . 2009-05-04 21:51 -------- d-----w c:\programme\Malwarebytes' Anti-Malware
    2009-05-04 21:39 . 2008-04-14 05:52 401920 ----a-w c:\windows\system32\Kopie von cmd.exe
    2009-05-04 21:34 . 2009-05-04 21:34 -------- d-----w c:\programme\Sophos
    2009-05-04 21:27 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
    2009-05-04 21:27 . 2009-05-04 21:27 -------- d-----w c:\programme\Avira
    2009-05-04 21:27 . 2009-05-04 21:27 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
    2009-05-04 21:05 . 2009-05-04 21:05 -------- d-----w C:\!KillBox
    2009-05-04 21:04 . 2009-05-04 21:05 -------- d-----w c:\programme\Softwin
    2009-05-04 20:10 . 2009-05-04 21:17 -------- d-----w C:\RkUnhooker
    2009-05-04 19:40 . 2009-05-04 19:40 -------- d-----w c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Identities
    2009-05-01 06:55 . 2009-05-01 06:55 -------- d-----w c:\dokumente und einstellungen\Steffen\Anwendungsdaten\Buhl Data Service GmbH
    2009-05-01 06:55 . 2009-05-01 06:55 -------- d-----w c:\programme\WISO
    2009-05-01 06:55 . 2009-05-01 06:55 -------- d-----w c:\programme\Gemeinsame Dateien\Buhl Data Service
    2009-04-18 07:21 . 2009-04-18 07:21 -------- d-----w c:\dokumente und einstellungen\Steffen\wertPhone
    2009-04-17 16:01 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-17 16:01 . 2009-03-06 14:19 286720 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-17 16:01 . 2009-02-09 11:21 111104 ------w c:\windows\system32\dllcache\services.exe
    2009-04-17 16:01 . 2009-02-09 10:51 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-17 16:01 . 2009-02-09 10:51 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-17 16:01 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-17 16:01 . 2009-02-09 10:51 678400 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-17 16:01 . 2009-02-09 10:51 736768 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-17 16:01 . 2009-02-09 10:51 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-17 16:01 . 2009-02-09 10:51 740352 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-17 16:01 . 2008-04-21 21:13 217600 ------w c:\windows\system32\dllcache\wordpad.exe

    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-06 11:11 . 2006-12-17 10:29 16474898 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-05-05 17:03 . 2007-01-07 12:59 -------- d-----w c:\programme\Spybot - Search & Destroy
    2009-05-05 07:07 . 2009-05-05 16:37 55296 ----a-w c:\windows\Internet Logs\xDBF.tmp
    2009-05-04 21:24 . 2005-10-21 15:33 -------- d-----w c:\programme\Network Associates
    2009-05-04 19:59 . 2009-05-04 20:56 2984960 ----a-w c:\windows\Internet Logs\xDBD.tmp
    2009-05-04 19:59 . 2009-05-04 20:56 2166272 ----a-w c:\windows\Internet Logs\xDBE.tmp
    2009-05-01 06:55 . 2005-10-12 17:27 -------- d--h--w c:\programme\InstallShield Installation Information
    2009-04-19 20:38 . 2005-11-05 13:49 -------- d-----w c:\programme\eMule
    2009-04-18 08:47 . 2005-10-22 15:47 42860 ----a-w c:\dokumente und einstellungen\Steffen\Anwendungsdaten\wklnhst.dat
    2009-04-17 19:58 . 2004-08-18 12:05 547266 ----a-w c:\windows\system32\perfh007.dat
    2009-04-17 19:58 . 2004-08-18 12:05 124822 ----a-w c:\windows\system32\perfc007.dat
    2009-03-22 15:44 . 2008-03-09 11:25 -------- d-----w c:\programme\Windows Live
    2009-03-22 15:42 . 2009-03-22 15:42 -------- d-----w c:\programme\Microsoft
    2009-03-22 15:42 . 2009-03-22 15:42 -------- d-----w c:\programme\Windows Live SkyDrive
    2009-03-22 15:37 . 2009-03-22 15:37 -------- d-----w c:\programme\Gemeinsame Dateien\Windows Live
    2009-03-22 13:42 . 2009-03-22 14:18 2140160 ----a-w c:\windows\Internet Logs\xDBC.tmp
    2009-03-22 13:42 . 2009-03-22 14:18 5953024 ----a-w c:\windows\Internet Logs\xDBB.tmp
    2009-03-20 18:37 . 2009-03-20 18:37 -------- d-----w c:\programme\Apache Software Foundation
    2009-03-20 17:42 . 2009-03-20 17:42 -------- d-----w c:\programme\MySQL
    2009-03-06 14:19 . 2004-08-18 12:05 286720 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:03 . 2004-08-18 12:05 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-20 16:49 . 2004-08-18 12:05 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 14:04 . 2004-08-18 12:05 1846912 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 11:21 . 2004-08-03 23:50 2026496 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-09 11:21 . 2004-08-18 12:05 2147840 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-09 11:21 . 2004-08-18 12:05 111104 ----a-w c:\windows\system32\services.exe
    2009-02-09 10:51 . 2004-08-18 12:05 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 10:51 . 2004-08-18 12:05 736768 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 10:51 . 2004-08-18 12:05 678400 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 10:51 . 2004-08-18 12:05 740352 ----a-w c:\windows\system32\ntdll.dll
    2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 10:39 . 2004-08-18 12:05 35328 ----a-w c:\windows\system32\sc.exe
    .

    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\programme\Windows Live\Messenger\msnmsgr.exe" [2009-03-22 3885408]
    "NCLaunch"="c:\windows\NCLAUNCH.EXe" [2006-09-23 40960]
    "SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Zone Labs Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2006-07-09 968696]
    "McAfeeUpdaterUI"="c:\programme\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "CTSysVol"="c:\programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-06-29 286720]
    "avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
    Monitor Apache Servers.lnk - c:\programme\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

    c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\AutorunsDisabled
    Adobe Reader - Schnellstart.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Programme\\Messenger\\Msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=

    R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [20.11.2005 12:20 11264]
    R2 aadev;AVM ADSL Adapter Device;c:\windows\system32\drivers\Aadev.sys [20.11.2005 12:20 27648]
    R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [04.05.2009 23:27 108289]
    R2 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [09.03.2006 22:51 837696]
    R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [20.12.2008 20:42 6016]
    R3 AVMDSLPPPOE;AVM DSL PPPoE CAPI Treiber;c:\windows\system32\drivers\avmdsloe.sys [27.06.2003 02:00 45440]
    R3 AVMNDSL;AVM DSL NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmndsl.sys [27.06.2003 02:00 38992]
    R3 FDSSBASE;AVM FRITZ!Card DSL SL (WinXP/2000);c:\windows\system32\drivers\fdssbase.sys [27.06.2003 02:00 715264]
    R3 ncfvsbus;NCF Virtual Serial Bus Enumerator;c:\windows\system32\drivers\ncfvsbus.sys [05.02.2006 16:17 25088]
    R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [20.11.2005 12:20 374272]
    R3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [30.10.2006 19:23 176640]
    S3 F80D34F7;F80D34F7;c:\windows\system32\F80D34F7.exe --> c:\windows\system32\F80D34F7.exe [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [02.08.2005 23:10 32512]
    S3 rkhdrv10;Rootkit Unhooker Driver; [x]
    S3 rkhdrv40;Rootkit Unhooker Driver; [x]
    S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [03.04.2006 19:01 22528]
    S4 Apache2.2;Apache2.2;c:\programme\Apache Software Foundation\Apache2.2\bin\httpd.exe [10.12.2008 01:10 24636]
    S4 MsDtsServer;SQL Server Integration Services;c:\programme\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [04.03.2007 00:12 202096]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programme\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [09.12.2005 11:40 2799808]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf340215-40b3-11da-a40d-00123f76dddb}]
    \Shell\auto\command - F:\Knight.exe open
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
    \Shell\explore\command - F:\Knight.exe open
    \Shell\find\command - F:\Knight.exe open
    \Shell\install\command - F:\Knight.exe open
    \Shell\open\command - F:\Knight.exe open
    .
    Inhalt des "geplante Tasks" Ordners

    2005-10-20 c:\windows\Tasks\ISP-Anmeldungserinnerung 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-18 05:52]

    2009-05-06 c:\windows\Tasks\User_Feed_Synchronization-{538AA0D5-7B4A-4E3E-90F6-D872F3A767F1}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -

    Notify-WgaLogon - (no file)


    .
    ------- Zusätzlicher Suchlauf -------
    .
    uStart Page = hxxp://www.google.de/
    uInternet Connection Wizard,ShellNext = iexplore
    Trusted Zone: microsoft.com\office
    TCP: {9D29AC44-C503-447B-863D-A84BBAD7DF25} = 195.50.140.114 195.50.140.252
    DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-06 13:12
    Windows 5.1.2600 Service Pack 3 NTFS

    Scanne versteckte Prozesse...

    Scanne versteckte Autostarteinträge...

    Scanne versteckte Dateien...

    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\programme\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\programme\MySQL\MySQL Server 5.1\my.ini\" MySQL"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------

    [HKEY_USERS\S-1-5-21-2034782772-786938502-3445982532-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-2034782772-786938502-3445982532-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-2034782772-786938502-3445982532-1006)
    @Allowed: (Read) (S-1-5-21-2034782772-786938502-3445982532-1006)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1724)
    c:\windows\system32\WPDShServiceObj.dll
    c:\programme\Nokia\Nokia PC Suite 7\phonebrowser.dll
    c:\programme\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\programme\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
    c:\programme\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\programme\Avira\AntiVir Desktop\avguard.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\programme\MySQL\MySQL Server 5.1\bin\mysqld.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\programme\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2009-05-06 13:18 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2009-05-06 11:18

    Vor Suchlauf: 24 Verzeichnis(se), 32.738.689.024 Bytes frei
    Nach Suchlauf: 23 Verzeichnis(se), 32.902.705.152 Bytes frei

    WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    236 --- E O F --- 2009-05-06 10:45
     


  4. 2009/05/13
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    I can see more than one antivirus on the computer.
    This will cause problems with the fixes we need and use up most of your computer's resources.
    Make a decision which to keep and which to uninstall.

    ~~~~~~~~~~~~~~~~~~~~~~~
    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Download Flash_Disinfector.exe by sUBs from >here< or from >here< and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until it has finished scanning and then exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please leave the flash drive plugged in while completing the following.




    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!*) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt", including quotes, and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File:: 
    F:\Knight.exe
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf340215-40b3-11da-a40d-00123f76dddb}]
    
    [IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    NEXT**
    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in
    your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    Please tell me how your computer is at the moment.
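    An added read-only audit script, not part of this thread or of ComboFix/HijackThis, covering the three persistence points the logs above turned up: the Drivers32 "aux" value redirected from wdmaud.drv to c:\windows\ayg.iee (Steffen's finding), the MountPoints2 Shell\*\command entries launching F:\Knight.exe (Juliet's CFScript), and the regedit.com/taskmgr.com files ComboFix deleted. The function names, the list of watched program names and the set of "normal" driver-module extensions are this example's own assumptions; it reports findings for review and modifies nothing.

```powershell
# Added example (not from the thread, ComboFix or HijackThis). Read-only audit of the
# hijack/persistence points seen in the thread's logs. Function names, the watched
# program list and the "expected" module extensions are this example's own assumptions.

function Test-Drivers32 {
    # Drivers32 names the modules winmm.dll loads for aux/wave/midi/mixer and the codecs,
    # so a redirected value is loaded into any process that touches the multimedia stack.
    # In the thread, "aux" pointed at c:\windows\ayg.iee instead of wdmaud.drv.
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32')
    $findings = @()
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $reasons = @()
        # XP-era clean entries are bare module names resolved from System32, not full paths
        # (newer Windows builds do carry a few full paths here; treat these as review items).
        if ($data -match '[\\/:]') { $reasons += 'full path instead of bare module name' }
        # Assumed normal extensions for driver/codec modules; .iee-style names stand out.
        if ($data -notmatch '\.(drv|dll|acm|ax|vfw)$') { $reasons += "unusual extension in '$data'" }
        # The concrete case from the thread.
        if ($name -ieq 'aux' -and $data -ine 'wdmaud.drv') { $reasons += "aux is '$data', expected wdmaud.drv" }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Check = 'Drivers32'; Item = "$name = $data"; Reason = ($reasons -join '; ') }
        }
    }
    return $findings
}

function Test-MountPoints2 {
    # MountPoints2\{volume-guid}\Shell\<verb>\command is where Explorer caches a removable
    # drive's autorun.inf handlers; they survive after the drive is gone and fire on
    # double-click (the thread: F:\Knight.exe under auto/AutoRun/explore/open/...).
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2')
    $findings = @()
    foreach ($vol in (Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        $shell = $vol.OpenSubKey('Shell')
        if (-not $shell) { continue }
        foreach ($verb in $shell.GetSubKeyNames()) {
            $cmdKey = $shell.OpenSubKey("$verb\command")
            if (-not $cmdKey) { continue }
            $cmd = [string]$cmdKey.GetValue('')
            if ($cmd) {
                $findings += [pscustomobject]@{ Check = 'MountPoints2'; Item = "$($vol.PSChildName)\Shell\$verb"; Reason = "runs: $cmd" }
            }
        }
    }
    return $findings
}

function Test-ComShadow {
    # ComboFix removed c:\windows\regedit.com and c:\windows\system32\taskmgr.com: with the
    # default PATHEXT order, "regedit" typed at a prompt resolves to regedit.com before
    # regedit.exe, so a planted .com silently replaces the real tool. Watched names assumed.
    param([string[]]$Names = @('regedit', 'taskmgr', 'cmd', 'notepad', 'explorer'))
    $findings = @()
    foreach ($dir in @($env:windir, (Join-Path $env:windir 'System32'))) {
        foreach ($n in $Names) {
            $com = Join-Path $dir "$n.com"
            if (Test-Path -LiteralPath $com) {
                $findings += [pscustomobject]@{ Check = 'ComShadow'; Item = $com; Reason = "shadows $n.exe in PATHEXT order" }
            }
        }
    }
    return $findings
}

# Run all three checks and print findings for review; nothing is deleted or changed.
$all = @(Test-Drivers32) + @(Test-MountPoints2) + @(Test-ComShadow)
if ($all.Count -eq 0) { 'No findings.' } else { $all | Format-Table -AutoSize -Wrap }
```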
     
