AVG detected a Trojan horse Generic11.AVBS, advice/help needed

Status
Not open for further replies.
Still couldn't turn off AVG. In the msconfig startup list only the AVG tray shows up; if I turn it off, only the icon is gone, but AVG is still running. Tried to shut down all AVG processes in Task Manager, but some of them just start up by themselves again right after I shut them down. I guess in order to turn AVG off I'd have to uninstall it....
 
OK, somebody in another thread (memory) could tell me how to turn off AVG (just open Resident Shield and uncheck Active), so I could run ComboFix with AVG deactivated.

Here's the log. Sorry again, it's from the German version; I hope that does not cause any problems or confusion....



ComboFix 09-05-12.04 - Lars 13.05.2009 2:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3063.2141 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Lars\Desktop\Neuer Ordner\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((( Dateien erstellt von 2009-04-13 bis 2009-05-13 ))))))))))))))))))))))))))))))
.

2009-05-11 07:52 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-10 23:49 . 2009-05-10 23:49 -------- d-----w c:\programme\Trend Micro
2009-05-10 23:11 . 2009-05-10 23:45 -------- d-----w c:\dokumente und einstellungen\Lars\.housecall6.6
2009-05-10 21:45 . 2009-05-11 07:52 -------- d-----w c:\programme\Panda Security
2009-05-05 16:05 . 2009-05-05 16:15 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\IK Multimedia
2009-05-05 11:38 . 2009-05-06 09:41 80 ----a-w c:\windows\msocreg32.dat
2009-05-05 11:36 . 2009-05-05 11:36 -------- d-----w c:\programme\IK Multimedia
2009-04-30 00:32 . 2009-04-30 00:32 -------- d-----w c:\programme\Toontrack
2009-04-29 12:59 . 2009-04-29 13:00 -------- d-----w C:\Netgear
2009-04-29 12:26 . 2008-07-29 09:52 679680 ----a-w c:\windows\system32\drivers\rt2860.sys
2009-04-29 12:26 . 2008-07-29 09:46 217088 ----a-w c:\windows\system32\RaCoInst.dll
2009-04-29 12:26 . 2008-07-29 09:46 14640 ----a-w c:\windows\system32\RaCoInst.dat
2009-04-29 12:26 . 2009-04-29 12:26 -------- d-----w c:\programme\Sweex
2009-04-28 17:56 . 2009-04-28 17:56 -------- d-----w c:\windows\Sun
2009-04-25 11:54 . 2009-04-25 11:54 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Sonoma Wire Works
2009-04-19 13:41 . 2009-04-19 13:41 -------- d-----w c:\programme\Windows Media Connect 2
2009-04-19 13:39 . 2009-04-19 13:40 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-18 15:31 . 2009-04-18 16:48 -------- d-----w c:\dokumente und einstellungen\Lars\Contacts
2009-04-18 15:04 . 2009-04-18 15:04 -------- d-----w c:\dokumente und einstellungen\Lars\Anwendungsdaten\Creative
2009-04-18 14:55 . 2006-06-15 18:18 90112 ----a-r c:\windows\CtDrvIns.exe
2009-04-18 14:55 . 2006-09-11 17:00 32768 ----a-r c:\windows\V0270Mon.exe
2009-04-18 14:55 . 2006-07-24 17:00 20480 ----a-r c:\windows\V0270Cfg.exe
2009-04-18 14:55 . 2005-07-06 17:07 36864 ----a-r c:\windows\system32\CtCamMgr.dll
2009-04-18 14:55 . 2006-05-31 17:00 20480 ----a-r c:\windows\system32\V0270Srv.exe
2009-04-18 14:55 . 2006-07-24 17:00 36864 ----a-r c:\windows\system32\V0270Pin.dll
2009-04-18 14:55 . 2006-06-01 17:00 28672 ----a-r c:\windows\system32\V0270Hwx.dll
2009-04-18 14:55 . 2006-09-11 17:00 294912 ----a-r c:\windows\system32\V0270Cvw.dll
2009-04-18 14:55 . 2006-09-12 17:00 221152 ----a-r c:\windows\system32\drivers\V0270Dev.sys
2009-04-18 14:55 . 2006-06-19 17:05 6912 ----a-r c:\windows\system32\drivers\V0270Vfx.sys
2009-04-18 14:54 . 2008-04-14 05:52 54272 -c--a-w c:\windows\system32\dllcache\vfwwdm32.dll
2009-04-18 14:54 . 2008-04-14 05:52 54272 ----a-w c:\windows\system32\vfwwdm32.dll
2009-04-18 14:53 . 1999-10-10 17:00 41984 ------w c:\windows\Ctregrun.exe
2009-04-18 14:53 . 2009-04-18 15:44 -------- d-----w c:\programme\Creative
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\programme\MSN Messenger
2009-04-14 21:30 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 21:30 . 2009-03-06 14:19 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 21:30 . 2009-02-09 11:21 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 21:30 . 2009-02-09 10:51 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 21:30 . 2009-02-09 10:51 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 21:30 . 2009-02-09 10:51 678400 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 21:30 . 2009-02-09 10:51 736768 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 21:30 . 2009-02-09 10:51 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 21:30 . 2009-02-09 10:51 740352 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 21:30 . 2008-04-21 21:13 217600 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 20:37 . 2009-04-13 20:37 -------- d-----w c:\dokumente und einstellungen\Lars\Anwendungsdaten\Media Player Classic
2009-04-13 20:30 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 00:49 . 2009-03-01 11:56 38197280 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-12 21:43 . 2006-02-28 12:00 70778 ----a-w c:\windows\system32\perfc007.dat
2009-05-12 21:43 . 2006-02-28 12:00 405448 ----a-w c:\windows\system32\perfh007.dat
2009-05-12 21:38 . 2009-03-01 12:30 8 ----a-w c:\windows\mvraidver.dat
2009-05-12 11:14 . 2009-03-01 11:56 443252 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-05 16:16 . 2009-02-28 23:28 -------- d--h--w c:\programme\InstallShield Installation Information
2009-05-05 13:27 . 2009-03-15 00:59 -------- d-----w c:\programme\Steinberg
2009-05-03 10:48 . 2009-03-01 18:35 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 10:48 . 2009-03-01 18:35 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 10:48 . 2009-03-01 18:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-24 17:18 . 2009-04-24 17:20 1891840 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-23 22:39 . 2009-04-23 22:41 1889792 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-04-20 17:36 . 2009-03-21 03:05 531456 ----a-w c:\windows\system32\drivers\L6UX2.sys
2009-04-20 17:36 . 2009-03-21 03:05 167936 ----a-w c:\windows\system32\l6ux2.dll
2009-04-15 08:31 . 2009-03-22 18:55 -------- d-----w c:\programme\Digital Timepiece
2009-04-11 21:37 . 2009-03-01 00:20 32952 ----a-w c:\dokumente und einstellungen\Lars\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-04-11 00:47 . 2009-03-21 03:59 -------- d-----w c:\programme\Gemeinsame Dateien\Native Instruments
2009-04-01 23:47 . 2009-04-01 23:47 -------- d-----w c:\programme\Spectrasonics
2009-03-31 00:36 . 2009-03-31 00:20 2516 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-31 00:20 . 2009-03-31 00:20 8 --sh--r c:\windows\system32\3F64046FE9.sys
2009-03-29 19:16 . 2009-03-29 19:08 -------- d-----w c:\programme\CleanMyPC
2009-03-29 18:46 . 2009-02-28 23:38 -------- d-----w c:\programme\ASUS
2009-03-29 18:32 . 2009-03-28 19:58 -------- d-----w c:\programme\Canon
2009-03-28 20:09 . 2009-03-28 20:09 -------- d-----w c:\programme\Gemeinsame Dateien\ScanSoft Shared
2009-03-28 20:03 . 2009-03-28 20:03 -------- d-----w c:\programme\Gemeinsame Dateien\CANON
2009-03-28 20:01 . 2009-03-28 20:01 -------- d--h--w c:\programme\CanonBJ
2009-03-28 18:33 . 2009-03-28 18:33 -------- d-----w c:\programme\VS Revo Group
2009-03-22 12:38 . 2009-03-22 12:38 -------- d-----w c:\programme\Gemeinsame Dateien\Steinberg
2009-03-22 12:38 . 2009-03-15 00:55 -------- d-----w c:\programme\Syncrosoft
2009-03-22 10:24 . 2009-03-22 10:24 -------- d-----w c:\programme\M-Audio MA_CMIDI
2009-03-22 01:26 . 2009-02-28 23:51 -------- d-----w c:\programme\Gemeinsame Dateien\Adobe
2009-03-21 03:05 . 2009-03-21 03:05 -------- d-----w c:\programme\Common Files
2009-03-21 03:01 . 2009-03-21 02:52 -------- d--h--w c:\programme\Zero G Registry
2009-03-21 01:56 . 2009-03-21 01:56 -------- d-----w c:\programme\Roland
2009-03-21 01:56 . 2009-03-21 01:56 -------- d-----w c:\programme\PowerTracks DirectX Plugins
2009-03-15 23:17 . 2009-03-15 22:35 -------- d-----w c:\programme\ZOOM
2009-03-15 23:13 . 2009-03-15 23:11 60348 ----a-w c:\windows\system32\ZoomUnin.exe
2009-03-15 01:34 . 2009-03-15 01:34 -------- d-----w c:\programme\Gemeinsame Dateien\Digidesign
2009-03-06 14:19 . 2006-02-28 12:00 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-01 11:54 . 2009-03-01 11:53 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-03-01 11:48 . 2009-03-01 11:48 0 ----a-w c:\windows\nsreg.dat
2009-03-01 03:06 . 2009-03-01 03:06 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 03:04 . 2009-03-01 03:04 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-01 03:04 . 2009-03-01 03:04 22328 ----a-w c:\dokumente und einstellungen\Lars\Anwendungsdaten\PnkBstrK.sys
2009-03-01 03:04 . 2009-03-01 03:04 107832 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-01 03:04 . 2009-03-01 03:04 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-01 03:04 . 2009-03-01 03:04 2250024 ----a-w c:\windows\system32\pbsvc.exe
2009-03-01 00:19 . 2009-03-01 00:19 0 ----a-w c:\windows\ativpsrm.bin
2009-02-28 23:34 . 2009-02-28 23:34 301 ---ha-w c:\windows\nsi8.tmp
2009-02-28 23:09 . 2009-02-28 22:38 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 22:38 . 2006-02-28 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-28 22:37 . 2009-02-28 22:37 21740 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-20 08:09 . 2006-02-28 12:00 671744 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:09 . 2006-02-28 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"SoundMAXPnP"="c:\programme\Analog Devices\Core\smax4pnp.exe" [2008-04-14 1040384]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-09-12 4039168]
"ISUSPM Startup"="c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2008-05-26 1423360]
"QFan Help"="c:\program files\ASUS\Ai Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-11-30 881152]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Six Engine"="c:\programme\ASUS\EPU-6 Engine\SixEngine.exe" [2008-08-20 5971968]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="d:\programs\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-11 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\Lars\Startmenü\Programme\Autostart\
OpenOffice.org 3.0.lnk - d:\programs\Open Office\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
MarvellTrayStartup.lnk - c:\programme\Marvell\raid\tray\RaidTray.bat [2009-3-1 135]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 10:48 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"midi7"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^forteManager.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\forteManager.lnk
backup=c:\windows\pss\forteManager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programs\\Far Cry2\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Programs\\Far Cry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Programs\\Far Cry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programme\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programme\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programme\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programme\\MSN Messenger\\livecall.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [24.06.2008 00:21 150568]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [01.03.2009 01:38 272424]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11.05.2009 09:52 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01.03.2009 20:35 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01.03.2009 20:35 108552]
R2 AsSysCtrlService;ASUS System Control Service;c:\programme\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe [01.03.2009 01:38 86016]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [01.03.2009 20:35 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01.03.2009 20:35 298776]
R2 Marvell RAID;Marvell RAID Event Agent;c:\programme\Marvell\raid\svc\mvraidsvc.exe [06.08.2008 03:28 147456]
R2 MRUWebService;MRU Web Service;c:\programme\Marvell\raid\Apache2\bin\httpd.exe [22.04.2008 06:21 24635]
R2 RVIEGVST;VSC VST Engine;c:\programme\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [21.03.2009 03:56 188276]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [01.03.2009 02:14 93184]
R3 L6UX2;Service - Line 6 UX2;c:\windows\system32\drivers\L6UX2.sys [21.03.2009 05:05 531456]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [15.03.2009 02:56 23288]
R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\drivers\V0270Dev.sys [18.04.2009 16:55 221152]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\drivers\V0270Vfx.sys [18.04.2009 16:55 6912]
S3 LGDDCDevice;LGDDCDevice;c:\programme\LG Soft India\forteManager\bin\I2CDriver.sys [01.03.2009 02:04 14336]
S3 LGII2CDevice;LGII2CDevice;c:\programme\LG Soft India\forteManager\bin\PII2CDriver.sys [01.03.2009 02:04 13312]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [29.04.2009 14:26 679680]
S3 sessavs;sessavs;c:\windows\system32\drivers\sessavs.sys [21.03.2009 08:09 35216]
S3 sessusb;sessusb;c:\windows\system32\drivers\sessusb.sys [21.03.2009 08:09 210064]
S3 SkLaggProtocol;Marvell Link Aggregation Protocol;c:\windows\system32\drivers\yk51x32l.sys [14.12.2007 11:10 57344]
S3 SkVlanProtocol;Marvell VLAN Protocol;c:\windows\system32\drivers\yk51x32v.sys [23.11.2007 11:10 20992]
S3 ZMGHPAudioSrv;ZOOM G Series High Performance Audio Driver Service;c:\windows\system32\drivers\zmghpau.sys [11.08.2008 11:02 91136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Zusätzlicher Suchlauf -------
.
IE: Easy-WebPrint - Drucken - d:\programs\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint - Schnelldruck - d:\programs\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint - Vorschau - d:\programs\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint - Zu Druckliste hinzufügen - d:\programs\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
Trusted Zone: line6.net
FF - ProfilePath - c:\dokumente und einstellungen\Lars\Anwendungsdaten\Mozilla\Firefox\Profiles\3u4nx6f5.default\
FF - component: c:\programme\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-13 02:49
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-682003330-1604221776-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:bc,76,7e,a3,e9,40,fd,43,56,be,71,bc,43,49,60,0d,f5,dd,dc,f3,0e,
28,b0,c4,6c,b2,ea,07,15,76,97,5e,c1,a8,fe,b1,92,9f,62,a8,7e,2c,8d,cf,b9,b4,\
"rkeysecu"=hex:2f,02,a4,59,9b,24,4d,78,33,bb,ab,39,a5,8f,f4,46
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2009-05-13 2:50
ComboFix-quarantined-files.txt 2009-05-13 00:50

Vor Suchlauf: 13 Verzeichnis(se), 82.647.535.616 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 82.684.289.024 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-04-23 00:57
 
Malwarebytes is scanning right now.
I will post the log when it's done.

I have a few questions regarding ComboFix:

1. It's an exe file, so when I ran it, it did not really install itself but started the scanner right away. It also does not show on my list of installed programs, but it did create some entries and folders. Is this the way it's supposed to be, or did something go wrong here?
What if I want to uninstall it, how do I do that? If I only delete the exe file, there will still be the folders and the entries, and I don't know where they are all located. Would something like CCleaner find that stuff?

2. When I ran it, it said that my PC does not have the MS System Recovery Console installed, and it recommended installing it, so I had ComboFix download and install it. Was that correct? Or should I not have done that?

EDIT: Malwarebytes just got stuck and froze up on me ....... while almost done with the scan..... but now I have to shut it down without having a log. At the stage it froze it said infected objects: 0. So I guess it looks fine, no?
Any idea why it froze up? This kind of stuff bothers me; my PC is still very new and it's a very powerful one, too, so I think stuff like this should not happen.....

Anyway, since it's very late now over here, I will go to bed and run a new Malwarebytes scan tomorrow morning, and hopefully it won't freeze then, so I can post a log.

Thanks!

Lars
 
I tried to run a Malwarebytes scan several times, but each time it got stuck; it froze and would not respond.
So, it does not work on my PC, for whatever reason. I had to uninstall it.

Are the HijackThis log and the ComboFix log enough, or do I need to run any other scans besides Malwarebytes, since that one does not seem to work here?
 
OK, here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00:25, on 13.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programme\Marvell\raid\svc\mvraidsvc.exe
C:\Programme\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\TurboV\TurboV.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\ASUS\EPU-6 Engine\SixEngine.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Programs\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\V0270Mon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Marvell\raid\tray\zRaidTray.exe
D:\Programs\Open Office\OpenOffice.org 3\program\soffice.exe
D:\Programs\Open Office\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Mozilla Firefox\firefox.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Programs\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Programs\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Six Engine] "C:\Programme\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Programs\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = D:\Programs\Open Office\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: MarvellTrayStartup.lnk = C:\Programme\Marvell\raid\tray\RaidTray.bat
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15107/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Programme\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Programme\Marvell\raid\svc\mvraidsvc.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Programme\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8480 bytes
 
Do I need to remove the file you mentioned BEFORE I scan with SmitFraudFix?

By the way, I tried to re-install Malwarebytes and ran a scan, but again, after about 40 mins it froze...... is that normal?
 