TechSpot

Bamital-AF found at explorer.exe

Solved
By Bidabdy
Oct 27, 2010
  1. Hey guys, this is my first log here.

    I apologize if there are several mistakes in here. I have read some threads on this topic, but I couldn't reply to them, which is why I started this new thread. And please excuse me if I do not understand everything immediately, because my English isn't the best.

    If you need any information about my PC, I'll do my best to provide it. My system is:
    Windows 7 Pro 32bit
    Pentium Dual-Core T4200
    RAM 4 GB

    My avast! antivirus detected a Bamital-AF virus in my explorer.exe. It caused no problem for some days, but today my Explorer crashed.
    I've done a ComboFix scan and a Malwarebytes scan. The logs are posted below.
    I've also started Windows in Safe Mode and looked for hotfix.exe as a running task (but there was none), because these steps were requested in other threads. After the reboot, my system worked normally. That is my current situation: the system works, but Avast still finds Bamital-AF in explorer.exe, and Malwarebytes finds no infected files...

    If any other information is necessary, let me know.
    Thanks a lot for your help!
    Bidabdy

    ====================================
    ComboFix-Log:
    ====================================

    ComboFix 10-10-22.03 - Janus 27.10.2010 13:58:20.1.2 - x86 MINIMAL
    Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3583.2859 [GMT 2:00]
    ausgeführt von:: d:\janus\Desktop\ComboFix.exe
    * Neuer Wiederherstellungspunkt wurde erstellt
    .

    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\hpeAF42.dll
    c:\users\Public\Documents\Server\admin.txt
    c:\users\Public\Documents\Server\server.dat

    c:\windows\explorer.exe . . . ist infiziert!! . . .Failed to restore. Attempting to replace on reboot

    Infizierte Kopie von c:\windows\System32\wininit.exe wurde gefunden und desinfiziert
    Kopie von - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe wurde wiederhergestellt

    Infizierte Kopie von c:\windows\explorer.exe wurde gefunden und desinfiziert
    Kopie von - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe wurde wiederhergestellt
    .
    ((((((((((((((((((((((( Dateien erstellt von 2010-09-27 bis 2010-10-27 ))))))))))))))))))))))))))))))
    .

    2010-10-27 12:02 . 2010-10-27 12:07 -------- d-----w- c:\users\Janus\AppData\Local\temp
    2010-10-27 12:02 . 2010-10-27 12:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-27 12:02 . 2010-10-27 12:02 -------- d-----w- c:\users\Janus II\AppData\Local\temp
    2010-10-27 12:02 . 2010-10-27 12:02 -------- d-----w- c:\users\Gast\AppData\Local\temp
    2010-10-26 19:29 . 2010-10-26 19:29 -------- d-----w- c:\programdata\TechSmith
    2010-10-26 19:29 . 2010-10-26 19:29 -------- d-----w- c:\program files\Snagit 10
    2010-10-26 19:29 . 2010-10-26 19:29 -------- d-----w- c:\users\Janus\AppData\Local\TechSmith
    2010-10-26 19:16 . 2010-10-26 19:17 -------- d-----w- c:\program files\CamStudio
    2010-10-19 21:15 . 2010-10-19 21:15 -------- d-----w- c:\program files\Common Files\Skype
    2010-09-28 12:54 . 2010-09-28 12:56 -------- d-----w- c:\program files\pdf24

    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-01 16:18 . 2010-05-18 16:51 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-09-01 16:17 . 2010-05-18 17:15 218808 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-09-01 16:17 . 2010-05-18 16:50 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-06-12 497536]
    "P2Go_Menu"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
    "HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-09-06 204680]

    c:\users\Janus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

    R3 AF9035BDA;Cinergy T-Stick service;c:\windows\system32\DRIVERS\AF9035BDA.sys [2009-11-05 247488]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys [2009-06-17 29192]
    R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-04-06 13224]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2009-06-17 25480]
    R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 86824]
    R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 15016]
    R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 114600]
    R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 108328]
    R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 26024]
    R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 104616]
    R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 109736]
    R3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
    S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys [2009-06-17 20744]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-12 691696]
    S1 aswSP;avast! Self Protection; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 EmmaDevMgmtSvc;Emma Device Management;c:\program files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe [2010-03-30 306296]
    S2 EmmaUpdMgmtSvc;Emma Update Management;c:\program files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe [2010-03-30 162936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 135664]
    S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-16 537520]
    S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-06-12 91136]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 09:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Inhalt des "geplante Tasks" Ordners

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 16:37]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 16:37]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    IE: Free YouTube to Mp3 Converter - c:\users\Janus\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Janus\AppData\Roaming\Mozilla\Firefox\Profiles\tqe3c6xm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\Janus\AppData\Roaming\Mozilla\Firefox\Profiles\tqe3c6xm.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll

    ---- FIREFOX Richtlinien ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85D031F8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    SecurityProcedure -> 0x85d52dc0
    QueryNameProcedure -> 0x85d52f50
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------

    [HKEY_USERS\S-1-5-21-60326797-3918604750-2168802739-1000\Software\SecuROM\License information*]
    "datasecu"=hex:d2,19,c8,25,6e,6b,70,9a,1f,f9,5a,13,fd,32,5e,55,01,79,20,e9,a2,
    bc,f0,39,df,2a,ae,48,aa,bb,ed,f6,12,87,3a,dd,60,3e,0d,55,47,f5,56,36,bf,ab,\
    "rkeysecu"=hex:8e,0f,b5,76,8b,f1,ba,a4,8b,93,2f,6c,f6,47,72,cc

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\ASUS\ATK Hotkey\ASLDRSrv.exe
    c:\program files\Avast4\aswUpdSv.exe
    c:\program files\Avast4\ashServ.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\ASUS\ATK Hotkey\HControl.exe
    c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
    c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
    c:\program files\ASUS\ATK Hotkey\WDC.exe
    c:\program files\Avast4\ashWebSv.exe
    c:\program files\Avast4\ashMaiSv.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2010-10-27 14:10:01 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2010-10-27 12:10

    Vor Suchlauf: 8 Verzeichnis(se), 89.820.397.568 Bytes frei
    Nach Suchlauf: 13 Verzeichnis(se), 90.602.225.664 Bytes frei

    - - End Of File - - 0E9B391122BFB5B82D05534C8FF9B1C1


    ====================================
    malwarebytes-log:
    ====================================

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Datenbank Version: 4963

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    27.10.2010 14:56:28
    mbam-log-2010-10-27 (14-56-28).txt

    Art des Suchlaufs: Quick-Scan
    Durchsuchte Objekte: 162114
    Laufzeit: 5 Minute(n), 27 Sekunde(n)

    Infizierte Speicherprozesse: 0
    Infizierte Speichermodule: 0
    Infizierte Registrierungsschlüssel: 0
    Infizierte Registrierungswerte: 0
    Infizierte Dateiobjekte der Registrierung: 0
    Infizierte Verzeichnisse: 0
    Infizierte Dateien: 0

    Infizierte Speicherprozesse:
    (Keine bösartigen Objekte gefunden)

    Infizierte Speichermodule:
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungsschlüssel:
    (Keine bösartigen Objekte gefunden)

    Infizierte Registrierungswerte:
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateiobjekte der Registrierung:
    (Keine bösartigen Objekte gefunden)

    Infizierte Verzeichnisse:
    (Keine bösartigen Objekte gefunden)

    Infizierte Dateien:
    (Keine bösartigen Objekte gefunden)
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot. I'll help with the malware. But I'd like you please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    You don't have to run Malwarebytes again now. But I am surprised your scan didn't turn up any of the rogue entries - I may have you repeat it later. As for Combofix, we usually suggest running that after we check the logs, if it's appropriate - but it isn't always the first scan. You may have come across my post for finding and removing the Think Point Rogue, but it isn't always easy to get out the hotfix.exe. So let's go along the way I direct.

    So go to the thread and include logs for DDS (2 logs) and GMER in next reply. I would also like you to run this online AV scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Summary for logs:
    DDS> 2 logs
    GMER
    Eset online AV scan

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Bidabdy

    Bidabdy TS Rookie Topic Starter

    Hey, thanks for your help. Here are the logs you asked for. TFC has deleted about 650 MB of temporary files. I did not know there were that many of them.

    ====================================
    GMER-log:
    ====================================


    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-28 10:10:14
    Windows 6.1.7600
    Running: rofrfgf1.exe; Driver: C:\Users\Janus\AppData\Local\Temp\kglcypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8304C579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83070F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? System32\Drivers\spzi.sys Das System kann den angegebenen Pfad nicht finden. !
    PAGE ataport.SYS!DllUnload + 1 8CA8AAD7 4 Bytes JMP 85CFF1D9
    .text USBPORT.SYS!DllUnload 91E43CA0 5 Bytes JMP 86EBE1D8
    .text abv7qs0u.SYS 92D27000 12 Bytes CALL 79C0F346
    .text abv7qs0u.SYS 92D2700D 9 Bytes [C7, 41, 83, 48, EB, 41, 83, ...] {MOV DWORD [ECX-0x7d], 0x8341eb48; ADD [EAX], AL}
    .text abv7qs0u.SYS 92D27017 170 Bytes [00, DE, 67, 93, 8C, E6, 65, ...]
    .text abv7qs0u.SYS 92D270C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    .text abv7qs0u.SYS 92D270CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    ? C:\Users\Janus\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !
    ? C:\Windows\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[380] ntdll.dll!LdrLoadDll 777CF585 5 Bytes JMP 002113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5844] USER32.dll!TrackPopupMenu 77904B3B 5 Bytes JMP 68FF3687 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8C83A042] \SystemRoot\System32\Drivers\spzi.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8C83A6D6] \SystemRoot\System32\Drivers\spzi.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8C83A800] \SystemRoot\System32\Drivers\spzi.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8C83A13E] \SystemRoot\System32\Drivers\spzi.sys
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortNotification] 00147880
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortInitialize] 157B805E
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
    IAT \SystemRoot\System32\Drivers\abv7qs0u.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73E3250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73E32494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73E15624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73E156E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73E28573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73E24D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73E250CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73E251A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E266D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73E282CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73E28819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73E2907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73E2E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[2704] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73E24C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3244] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757E5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3244] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757E5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3244] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757E5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3244] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757E5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 85D061F8
    Device \FileSystem\fastfat \FatCdrom 8B6C61F8
    Device \Driver\volmgr \Device\VolMgrControl 85D011F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{36134B73-7162-4D2D-956A-8C094F8E56C5} 86E31500
    Device \Driver\usbohci \Device\USBPDO-0 86EBF1F8
    Device \Driver\usbehci \Device\USBPDO-1 86EC01F8
    Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device \Driver\usbohci \Device\USBPDO-2 86EBF1F8
    Device \Driver\usbehci \Device\USBPDO-3 86EC01F8

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\volmgr \Device\HarddiskVolume1 85D011F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume2 85D011F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom0 86D7E1F8
    Device \Driver\volmgr \Device\HarddiskVolume3 85D011F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D031F8
    Device \Driver\atapi \Device\Ide\IdePort0 85D031F8
    Device \Driver\atapi \Device\Ide\IdePort1 85D031F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85D031F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel0 85D041F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel1 85D041F8
    Device \Driver\cdrom \Device\CdRom1 86D7E1F8
    Device \Driver\volmgr \Device\HarddiskVolume4 85D011F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\NetBT \Device\NetBt_Wins_Export 86E31500
    Device \Driver\sptd \Device\4118552128 spzi.sys

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{3EF91902-A761-49A8-9CF7-931D702DA431} 86E31500
    Device \Driver\PCI_PNP4128 \Device\0000005e spzi.sys
    Device \Driver\usbohci \Device\USBFDO-0 86EBF1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{ECF60B3A-C958-4FCA-BC2A-B8A6AA6D9DC5} 86E31500
    Device \Driver\usbehci \Device\USBFDO-1 86EC01F8
    Device \Driver\usbohci \Device\USBFDO-2 86EBF1F8
    Device \Driver\usbehci \Device\USBFDO-3 86EC01F8
    Device \Driver\abv7qs0u \Device\Scsi\abv7qs0u1Port2Path0Target0Lun0 86EB81F8
    Device \Driver\abv7qs0u \Device\Scsi\abv7qs0u1 86EB81F8
    Device \FileSystem\fastfat \Fat 8B6C61F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fcf40d94a
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x83 0xF7 0x77 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC3 0x46 0xA3 0x63 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1B 0x78 0xA6 0x8F ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fcf40d94a (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x83 0xF7 0x77 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC3 0x46 0xA3 0x63 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1B 0x78 0xA6 0x8F ...

    ---- EOF - GMER 1.0.15 ----

    ====================================
    DDS-Log
    ====================================



    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Janus at 10:13:17,47 on 28.10.2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3583.2436 [GMT 2:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
    C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxbccoms.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\ASUS\ATK Hotkey\HControl.exe
    C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
    C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
    C:\Program Files\ASUS\ATK Hotkey\WDC.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\mobsync.exe
    d:\Janus\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 10\SnagitBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GR469A~1.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: TerraTec Home Cinema: {ad6e6555-fb2c-47d4-8339-3e2965509877} - c:\progra~1\terrat~1\THCDES~1.DLL
    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 10\SnagitIEAddin.dll
    uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
    mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [PDFPrint] c:\program files\pdf24\pdf24.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\janus\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Free YouTube to Mp3 Converter - c:\users\janus\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GRA32A~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GR469A~1.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\janus\appdata\roaming\mozilla\firefox\profiles\tqe3c6xm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\janus\appdata\roaming\mozilla\firefox\profiles\tqe3c6xm.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-9 114768]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-9 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-9 53328]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-12-13 138680]
    R2 EmmaDevMgmtSvc;Emma Device Management;c:\program files\common files\sony ericsson\emma core\services\EmmaDeviceMgmt.exe [2010-3-30 306296]
    R2 EmmaUpdMgmtSvc;Emma Update Management;c:\program files\common files\sony ericsson\emma core\services\EmmaUpdateMgmt.exe [2010-3-30 162936]
    R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-4-28 90112]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-12-13 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-12-13 352920]
    R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-11-9 91136]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-9 167936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-9 135664]
    S3 AF9035BDA;Cinergy T-Stick service;c:\windows\system32\drivers\AF9035BDA.sys [2009-11-23 247488]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 29192]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-4-6 13224]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
    S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2010-4-28 86824]
    S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2010-4-28 15016]
    S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2010-4-28 114600]
    S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2010-4-28 108328]
    S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2010-4-28 26024]
    S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2010-4-28 104616]
    S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2010-4-28 109736]
    S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
    S3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]

    =============== Created Last 30 ================

    2010-10-27 12:37:55 -------- d-----w- c:\users\janus\appdata\roaming\Malwarebytes
    2010-10-27 12:37:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-27 12:37:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-27 12:37:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-27 12:37:47 -------- d-----w- c:\progra~2\Malwarebytes
    2010-10-27 12:07:20 -------- d-----w- C:\$RECYCLE.BIN
    2010-10-27 12:02:14 -------- d-----w- c:\users\janus\appdata\local\temp
    2010-10-27 11:48:48 98816 ----a-w- c:\windows\sed.exe
    2010-10-27 11:48:48 77312 ----a-w- c:\windows\MBR.exe
    2010-10-27 11:48:48 256512 ----a-w- c:\windows\PEV.exe
    2010-10-27 11:48:48 161792 ----a-w- c:\windows\SWREG.exe
    2010-10-26 19:29:04 -------- d-----w- c:\users\janus\appdata\local\TechSmith
    2010-10-26 19:29:04 -------- d-----w- c:\program files\Snagit 10
    2010-10-26 19:16:57 -------- d-----w- c:\program files\CamStudio
    2010-09-28 12:54:52 -------- d-----w- c:\program files\pdf24

    ==================== Find3M ====================

    2010-09-01 16:17:51 218808 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-09-01 16:17:51 218808 ----a-w- c:\windows\system32\PnkBstrB.exe

    ============= FINISH: 10:13:42,52 ===============

    ====================================
    DDS-Attach
    ====================================



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 09.11.2009 00:15:28
    System Uptime: 28.10.2010 02:02:59 (8 hours ago)

    Motherboard: ASUSTeK Computer Inc. | | K70IO
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | Socket 478 | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 110 GiB total, 85,122 GiB free.
    D: is FIXED (NTFS) - 176 GiB total, 120,124 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Coprozessor
    Device ID: PCI\VEN_10DE&DEV_0AA3&SUBSYS_1D171043&REV_B1\3&267A616A&0&1D
    Manufacturer:
    Name: Coprozessor
    PNP Device ID: PCI\VEN_10DE&DEV_0AA3&SUBSYS_1D171043&REV_B1\3&267A616A&0&1D
    Service:

    ==== System Restore Points ===================

    RP64: 10.08.2010 04:56:42 - Geplanter Prüfpunkt
    RP65: 23.08.2010 15:04:05 - Geplanter Prüfpunkt
    RP66: 06.09.2010 19:11:51 - Geplanter Prüfpunkt
    RP67: 28.09.2010 14:55:18 - Gerätetreiber-Paketinstallation: PDF24 Drucker
    RP68: 22.10.2010 04:02:48 - Geplanter Prüfpunkt
    RP69: 26.10.2010 21:28:12 - Snagit 10 wird installiert

    ==== Installed Programs ======================

    AAC Decoder
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.3 - Deutsch
    ASUS Power4Gear Hybrid
    ATK Hotkey
    AutoUpdate
    avast! Antivirus
    Battlefield: Bad Company™ 2
    Call of Duty: Modern Warfare 2
    Call of Duty: Modern Warfare 2 - Multiplayer
    CamStudio
    Cinergy T-Stick V8.08.18.01
    CyberLink Power2Go
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Emma Core
    ETDWare PS/2-x86 7.0.5.5_WHQL
    Far Cry 2
    Fraps (remove only)
    Free Audio CD Burner version 1.4
    Free PDF to Word Doc Converter v1.1
    Free YouTube to MP3 Converter version 3.8
    Garmin Communicator Plugin
    Garmin MapSource
    Garmin Training Center
    Garmin USB Drivers
    GIMP 2.6.8
    Glary Utilities 2.21.0.863
    Google Earth
    Google SketchUp 7
    Google Update Helper
    H.264 Decoder
    ICQ6.5
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    Lexmark Z500-Z600 Series
    LightScribe System Software 1.14.17.1
    Malwarebytes' Anti-Malware
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office Groove MUI (German) 2007
    Microsoft Office InfoPath MUI (German) 2007
    Microsoft Office OneNote MUI (German) 2007
    Microsoft Office Outlook MUI (German) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proofing (German) 2007
    Microsoft Office Publisher MUI (German) 2007
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Ultimate 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MKV Splitter
    Mozilla Firefox (3.6.11)
    Nokia Connectivity Cable Driver
    NVIDIA Drivers
    NVIDIA PhysX
    Paint.NET v3.5.5
    PC Connectivity Solution
    PDF24 Creator 2.8.5
    PunkBuster Services
    QuickTime
    Realtek 8136 8168 8169 Ethernet Driver
    Realtek High Definition Audio Driver
    SEMC OMSI Module
    Skype™ 4.2
    Snagit 10
    Sony Ericsson PC Suite 6.011.00
    SRS Premium Sound Control Panel
    Steam
    TeamSpeak 2 RC2
    TeamSpeak 3 Client
    TerraTec Home Cinema
    Uninstall 1.0.0.1
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.0.3
    Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    Windows Mobile-Gerätecenter
    WinRAR

    ==== End Of File ===========================

    ====================================
    Eset Online AV-Log:
    ====================================


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=3fa77e8090c6f94eb2f2db379b4bab39
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-28 10:58:05
    # local_time=2010-10-28 12:58:05 (+0100, Mitteleuropäische Sommerzeit)
    # country="Germany"
    # lang=9
    # osver=6.1.7600 NT
    # compatibility_mode=769 16775165 100 92 41981 224531762 128426 0
    # compatibility_mode=5893 16776573 100 94 30534449 40692951 0 0
    # compatibility_mode=8192 67108863 100 0 110 110 0 0
    # scanned=147852
    # found=3
    # cleaned=0
    # scan_time=9277
    C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Win32/Bamital.EL trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir Win32/Bamital.EL trojan 00000000000000000000000000000000 I
    C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You do know there is a language other than English- yes?

    Translate please:
    ===============================================
    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
    ================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\Users\Public\Documents\Server\hlp.dat
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===============================================
     
  5. Bidabdy

    Bidabdy TS Rookie Topic Starter

    Oh, that's because I've installed this in German, to make it easier for me to understand. These words say:
    C:\Users\Janus\AppData\Local\Temp\mbr.sys File couldn't be found by system!
    C:\Windows\system32\Drivers\PROCEXP113.SYS File couldn't be found by system!


    ====================================
    Bootkit Remover-Log:
    ====================================

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`f4600000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    ====================================
    OTMoveIt-Log:
    ====================================

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Users\Public\Documents\Server\hlp.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gast
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Janus
    ->Temp folder emptied: 222803 bytes
    ->Temporary Internet Files folder emptied: 818640 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 44260740 bytes
    ->Flash cache emptied: 982 bytes

    User: Janus II
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 106 bytes
    RecycleBin emptied: 6755 bytes

    Total Files Cleaned = 43,00 mb


    OTM by OldTimer - Version 3.1.17.1 log created on 10302010_160100

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I had you remove the file that shows Bamital in OTMoveIt. Run Avast again and see what it shows. There are a few entries in the Combofix log I want to move, but it's taking me a bit to make sure I know what your German is trying to say to me!

    Will be back.
     
  7. Bidabdy

    Bidabdy TS Rookie Topic Starter

    Okay, avast reported:

    C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir - Infection: Win32:Bamital-AF - Successfully moved to container
    C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir - Infection: Win32:Bamital-AF - Successfully moved to container
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, those 2 files were quarantined in Combofix. Qoobox is the name of the location where it puts them. Can you tell me what problems you are still noticing now?
     
  9. Bidabdy

    Bidabdy TS Rookie Topic Starter

    My system is working fine. In the beginning I only noticed the virus because of my avast, and my explorer crashed once a few days later. But after a reboot it worked normally again. Since then no other problems came up.

    Now everything is okay...
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you only had one random explorer crash and we know the malware is gone, I don't think you need to run any more scans. Do you know you do have to reboot occasionally on Windows to free up the RAM?

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  11. Bidabdy

    Bidabdy TS Rookie Topic Starter

    Okay, thanks a lot! All the programs are removed and Avast says my system is clear. Thank you very much for your time and your help.

    Greets,
    Bidabdy
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Glad to help. Stay clean and safe:

    Tips for added security and safer browsing:
    (Note: some of these programs may not work on Windows 7 or a 64bit system)
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google Toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o]Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o]Don't open email from anyone you don't know.
      [o]Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o]Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
     
Topic Status:
Not open for further replies.

