
scrinject.b.gen in Browser Cache

This is a discussion on scrinject.b.gen in Browser Cache within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 12-06-2011, 03:54 AM   #1
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Hi!

I have a Chrome Portable Browser in a TrueCrypt container. Now I've checked it with Nod32 and it found 2 scrinject.b.gen Viruses in the browser cache. Nod32 then deleted them; when scanning again it didn't find anything. Am I infected?

Version der Signaturdatenbank: 6673 (20111130)
Datum: 01.12.2011 Uhrzeit: 10:14:00
Geprüfte Laufwerke, Ordner und Dateien: M:\Bootsektor;M:\;V:\Bootsektor;V:\
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0df - HTML/ScrInject.B.Gen Virus - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0e6 - HTML/ScrInject.B.Gen Virus - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
M:\Backup\IronPortable\Profile\Default\Cache\f_000 2cf » GZIP » f_0002cf - Archiv beschädigt
M:\Backup\IronPortable\Profile\Default\Cache\f_000 2d0 » GZIP » f_0002d0 - Archiv beschädigt
M:\Dropbox\Software\KeePass-1.20-Setup.exe » INNO » files.info - Option wird nicht unterstützt
M:\Dropbox\Software\KeePass-2.17-Setup.exe » INNO » files.info - Option wird nicht unterstützt
M:\Eigene Dateien\pinfect.zip » ZIP » ARJ.PIF - Fehler - Datei ist passwortgeschützt
M:\Eigene Dateien\pinfect.zip » ZIP » LHA.PIF - Fehler - Datei ist passwortgeschützt
M:\Eigene Dateien\pinfect.zip » ZIP » NOCLOSE.PIF - Fehler - Datei ist passwortgeschützt
M:\Eigene Dateien\pinfect.zip » ZIP » RAR.PIF - Fehler - Datei ist passwortgeschützt
M:\Eigene Dateien\pinfect.zip » ZIP » UC.PIF - Fehler - Datei ist passwortgeschützt
M:\Eigene Dateien\Dao\material dao\SoftonicDownloader_fuer_mozilla-firefox.exe - Variante von Win32/SoftonicDownloader.A evtl. unerwünschte Anwendung - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
V:\Backup\clockworkmod\backup\2011-11-29.16.06.48_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\Backup\clockworkmod\backup\2011-11-29.16.06.48_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\Backup\download\miui_ger_GALAXY_S2_1.11.25_FULL _EN_DE.zip » ZIP » system/lib/libiprouteutil.so - Archiv beschädigt - Datei kann nicht extrahiert werden
V:\Backup\download\miui_ger_GALAXY_S2_1.11.25_FULL _EN_DE.zip » ZIP » - Archiv beschädigt
V:\Backup\MIUI\theme\Blue Dado浅色版_(798299.1).mtz.temp » ZIP » boots/bootanimation.zip » ZIP » part1/0033.jpg - Archiv beschädigt
V:\Backup\MIUI\theme\ozgurce-en_(802118.1).mtz.temp » ZIP » icons » ZIP » com.gameloft.android.GAND.GloftHAWX.Hawx.png - Archiv beschädigt
V:\Backup\MIUI\theme\雾里看花_(799447.1).mtz.temp » ZIP » wallpaper/default_lock_wallpaper.jpg - Archiv beschädigt
V:\Backup\TitaniumBackup\com.android.email-20111127-121049.tar.gz » GZIP » com.android.email-20111127-121049.tar » TAR » data/data/com.android.email/./files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\Backup\TitaniumBackup\com.samsung.swift.app.kie sair-20111127-121254.tar.gz » GZIP » com.samsung.swift.app.kiesair-20111127-121254.tar » TAR » data/data/com.samsung.swift.app.kiesair/./files/www/apps/KiesAir/js/commands/serviceCommands/musics/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-27.17.49.12_cm7.1\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-27.17.49.12_cm7.1\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-28.16.39.59_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-28.16.39.59_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-29.12.07.21_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-29.12.07.21_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-29.12.46.34_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-29.12.46.34_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-29.15.36.20_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-29.15.36.20_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
V:\external_sd\clockworkmod\2011-11-29.16.06.48_MIUI\data.ext4.tar » TAR » data/data/com.android.email/files/tempFile » MIME - - OK (eingebettete Archive NICHT geprüft)
V:\external_sd\clockworkmod\2011-11-29.16.06.48_MIUI\data.ext4.tar » TAR » data/data/com.ideashower.readitlater.pro/app_plugins/com.adobe.flashplayer/.macromedia/Flash_Player/ - Archiv beschädigt
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0df - HTML/ScrInject.B.Gen Virus - gelöscht - in Quarantäne kopiert
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0e6 - HTML/ScrInject.B.Gen Virus - gelöscht - in Quarantäne kopiert
M:\Eigene Dateien\Dao\material dao\SoftonicDownloader_fuer_mozilla-firefox.exe - Variante von Win32/SoftonicDownloader.A evtl. unerwünschte Anwendung - gelöscht - in Quarantäne kopiert
Geprüfte Objekte: 403572
Erkannte Bedrohungen: 3
Anzahl gesäuberter Objekte: 3
Abgeschlossen: 10:32:47 Benötigte Zeit: 1127 Sek. (00:18:47)

Then I've checked with Malwarebytes (see attachment). There 9 Trojan warnings come up. Are these false positives?

c:\glassfish3\jdk\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe dreamweaver cs5\JVM\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe flash builder 4\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe flash catalyst cs5\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\common files\Java\java update\jaureg.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jdk1.6.0_26\jre\bin\javacpl.cpl (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jdk1.6.0_26\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jre6\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\programdata\Adobe\CS5\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.

Then I've scanned with Eset Online Scan. There it found "RemoteAdmin.NetCat" and "OpenCandy":

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f84db619bb94b146a2ebaba9c5b51c12
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-02 12:20:51
# local_time=2011-12-02 01:20:51 (+0100, Mitteleuropäische Zeit)
# country="Austria"
# lang=1033
# osver=6.0.6000 NT
# compatibility_mode=512 16777215 100 0 3050146 3050146 0 0
# compatibility_mode=5893 16776574 100 94 9009 74389218 0 0
# compatibility_mode=8192 67108863 100 0 9142 9142 0 0
# scanned=338235
# found=5
# cleaned=0
# scan_time=70423
C:\$RECYCLE.BIN\S-1-5-21-807366929-668818633-305008010-9881\$REPCFUM.zip Win32/RemoteAdmin.NetCat application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp561_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\Dropbox\Software\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\IronPortable\Profile\Default\Cache\f_0043ec Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

Then I've scanned with OTL (File attached).

Now I've also scanned with DDS and GMER (Files attached).

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by r. at 9:57:11 on 2011-12-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.43.1031.18.3579.2099 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\System32\svchost.exe -k Bioscrypt
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Samsung\USB Drivers\26_VIA_driver2\x86\VIAService.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Nimbuzz\Nimbuzz.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
M:\Iron2\Iron\iron.exe
C:\Program Files\Sandboxie\SandboxieCrypto.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\explorer.exe
C:\Windows\System32\rundll32.exe
M:\Iron2\Iron\iron.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TIMEREC - Client] c:\program files\timerec2\client\TRC.exe
uRun: [Nimbuzz] c:\program files\nimbuzz\Nimbuzz.exe
uRun: [AdobeBridge]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\r.\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SAOB Monitor] c:\program files\acronis\trueimagehome\onlinebackupstandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: An OneNote s&enden - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.23.45.5
TCP: Interfaces\{C1C04D7F-CACE-4170-85B1-331E2845B2C7} : DhcpNameServer = 10.23.45.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: DeviceNP - DeviceNP.dll
AppInit_DLLs: c:\progra~1\hewlet~1\iam\bin\APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli ASWLNPkg
.
============= SERVICES / DRIVERS ===============
.
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-7-29 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-7-29 12960]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-12-2 752128]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-12-1 17904]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-7-29 12528]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-12-1 2996784]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 afcdpsrv;Acronis Nonstop Backup-Dienst;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-12-2 3246040]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-7-14 20992]
R2 ASChannel;Lokaler Verbindungskanal;c:\windows\system32\svchost.exe -k Bioscrypt [2009-7-14 20992]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2009-7-29 1201400]
R2 CDMA Device Service;CDMA Device Service;c:\program files\samsung\usb drivers\26_via_driver2\x86\VIAService.exe [2011-8-31 63488]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-7-29 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-4-7 77824]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-30 366152]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-4-7 2066968]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-12-2 167968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2009-12-10 214696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-30 22216]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-12-1 51632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-6-29 32312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2011-10-18 78136]
S3 FLCDLOCK;HP ProtectTools Gerätesperre/Überwachung;c:\windows\system32\flcdlock.exe [2009-8-5 362040]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2009-7-30 45056]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2011-8-11 181432]
S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-20 52224]
S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-10 1343400]
.
=============== Created Last 30 ================
.
2011-12-06 08:40:19 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b041922f-e041-4383-9b93-5c5e2b20ccd5}\mpengine.dll
2011-12-05 16:02:50 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-12-05 16:02:50 -------- d-----w- c:\program files\SpywareBlaster
2011-12-05 12:58:58 -------- d-----w- c:\users\r.\appdata\local\Chromium
2011-12-02 13:49:31 -------- d-----w- c:\users\r.\appdata\local\Diagnostics
2011-12-02 10:40:35 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-12-02 10:40:34 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-12-02 10:40:33 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-12-02 10:40:26 170528 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-12-01 09:32:43 -------- d-----w- c:\users\r.\appdata\local\ESET
2011-12-01 09:04:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-01 09:04:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-01 08:47:32 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-30 14:51:17 -------- d-----w- c:\programdata\SecTaskMan
2011-11-30 14:51:14 -------- d-----w- c:\program files\Security Task Manager
2011-11-30 14:30:24 -------- d-----w- c:\users\r.\appdata\roaming\Malwarebytes
2011-11-30 14:30:13 -------- d-----w- c:\programdata\Malwarebytes
2011-11-30 14:30:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 14:30:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 13:17:54 -------- d-----w- c:\program files\Comparator
2011-11-30 11:54:36 -------- d-----w- C:\Downloads
2011-11-30 11:34:47 -------- d-----w- c:\program files\JDownloader
2011-11-24 13:49:21 -------- d-----w- c:\program files\AutoHotkey
2011-11-24 12:50:03 -------- d-----r- C:\Sandbox
2011-11-24 12:48:27 -------- d-----w- c:\program files\Sandboxie
2011-11-17 16:28:41 -------- d-----w- c:\program files\ModuleSoft
2011-11-09 11:24:00 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 11:23:59 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 11:23:59 2341888 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-12-06 08:40:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-01 10:48:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 01:43:42 78136 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2011-10-03 0403 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 9:58:02,28 ===============



Is the computer infected?

Regards,
Roman
Attached Files
File Type: zip Attach.zip (3.9 KB, 8 views)
File Type: txt otl.txt (62.8 KB, 5 views)

__________________
ro-mann is offline  
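As a triage aid for the ESET Online Scanner log posted above, here is an added example (not code from the poster, from ESET or from this forum) that parses the `# key=value` header and the per-detection records into structured data and checks the header's found/cleaned counts against the records. The record layout (path, detection name, action in parentheses, a 32-hex digest field, a trailing flag letter) is inferred from the five posted lines; the flag letter is kept as printed because its meaning is not given in the thread. The sample input is copied from the posted log, with the header trimmed to the keys the example uses.

```python
"""Parse the ESET Online Scanner log format shown in the thread above.

Added example for triaging such a log; it is not code from the thread,
from ESET or from TSF. The record layout is inferred from the posted lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: the ESET log lines from the first post, header trimmed.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# utc_time=2011-12-02 12:20:51
# compatibility_mode=512 16777215 100 0 3050146 3050146 0 0
# compatibility_mode=5893 16776574 100 94 9009 74389218 0 0
# compatibility_mode=8192 67108863 100 0 9142 9142 0 0
# scanned=338235
# found=5
# cleaned=0
# scan_time=70423
C:\$RECYCLE.BIN\S-1-5-21-807366929-668818633-305008010-9881\$REPCFUM.zip Win32/RemoteAdmin.NetCat application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp561_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\Dropbox\Software\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\IronPortable\Profile\Default\Cache\f_0043ec Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass(frozen=True)
class Detection:
    path: str    # file the scanner flagged
    name: str    # e.g. "Win32/OpenCandy application"
    action: str  # text inside the parentheses, e.g. "unable to clean"
    digest: str  # 32-hex field as printed (all zeros in the posted log)
    flag: str    # trailing letter as printed; its meaning is not given on the page


HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z_]+)=(?P<value>.*)$")
RECORD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"        # drive-letter path, may contain spaces
    r"(?P<name>\S+/\S+(?:\s+[a-z]+)?)\s+"   # "Platform/Family" plus optional class word
    r"\((?P<action>[^)]*)\)\s+"            # action text in parentheses
    r"(?P<digest>[0-9A-Fa-f]{32})\s+"      # 32-hex digest field
    r"(?P<flag>\S+)$"                      # trailing flag letter
)


def parse_eset_log(text: str) -> Tuple[Dict[str, List[str]], List[Detection]]:
    """Split the log into header values (a list per key, because keys such as
    compatibility_mode repeat) and detection records. Lines that are neither
    (installer chatter such as "all ok") are ignored."""
    headers: Dict[str, List[str]] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            headers.setdefault(h.group("key"), []).append(h.group("value").strip())
            continue
        r = RECORD_RE.match(line)
        if r:
            detections.append(Detection(**r.groupdict()))
    return headers, detections


def _header_int(headers: Dict[str, List[str]], key: str):
    values = headers.get(key)
    return int(values[0]) if values else None


def triage(text: str) -> dict:
    """Summarise a log the way a responder reads it: does the record count
    match the header, which detections are PUA-class ("... application"),
    and which were left in place ("unable to clean")."""
    headers, detections = parse_eset_log(text)
    found = _header_int(headers, "found")
    families: Dict[str, int] = {}
    for d in detections:
        family = d.name.split()[0]           # "Win32/OpenCandy" without the class word
        families[family] = families.get(family, 0) + 1
    return {
        "scanned": _header_int(headers, "scanned"),
        "found": found,
        "cleaned": _header_int(headers, "cleaned"),
        "records": len(detections),
        "header_matches_records": found == len(detections),
        "families": families,
        "unwanted_applications": [d.path for d in detections if d.name.endswith(" application")],
        "not_cleaned": [d.path for d in detections if d.action == "unable to clean"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on the posted log, the summary shows that all five hits are "application"-class detections that the scanner reported but did not clean (found=5, cleaned=0), which is the first thing to separate from a genuine malware detection when deciding what needs follow-up.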
Old 12-08-2011, 08:28 PM   #2
Security Team
Analyst
 
 
Join Date: Oct 2009
Location: Wels\ Austria
Posts: 719
OS: Win7 / Win 10 TechPreview



Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

(Note: I am also from Austria, so I understand the German part in your logs, which can be hard for others here.)

__________________
regards, Daniel


There will never be peace in a war so I don't understand what they are fighting for

ASAP & UNITE Member
Larusso is offline  
Old 12-08-2011, 09:21 PM   #3
Security Team
Analyst
 
 
Join Date: Oct 2009
Location: Wels\ Austria
Posts: 719
OS: Win7 / Win 10 TechPreview



Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Do you have any problems with this system?


Please launch DDS
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop and post both in your next reply



Please post in your next reply
dds.txt
attach.txt
__________________
regards, Daniel


There will never be peace in a war so I don't understand what they are fighting for

ASAP & UNITE Member
Larusso is offline  
Old 12-09-2011, 02:33 AM   #4
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Thank you, I will do so on Monday, since I'm not in the office until then.

Regards,
Roman
__________________
ro-mann is offline  
Old 12-12-2011, 03:18 AM   #5
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Hi!

No, I don't have any problems with the system. I just got the virus alarms I posted.

I've already posted the DDS Report last time. Do you need anything else from me?

Regards,
Roman

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by r. at 9:57:11 on 2011-12-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.43.1031.18.3579.2099 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\System32\svchost.exe -k Bioscrypt
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Samsung\USB Drivers\26_VIA_driver2\x86\VIAService.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Nimbuzz\Nimbuzz.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
M:\Iron2\Iron\iron.exe
C:\Program Files\Sandboxie\SandboxieCrypto.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
M:\Iron2\Iron\iron.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\explorer.exe
C:\Windows\System32\rundll32.exe
M:\Iron2\Iron\iron.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TIMEREC - Client] c:\program files\timerec2\client\TRC.exe
uRun: [Nimbuzz] c:\program files\nimbuzz\Nimbuzz.exe
uRun: [AdobeBridge]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\r.\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SAOB Monitor] c:\program files\acronis\trueimagehome\onlinebackupstandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: An OneNote s&enden - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.23.45.5
TCP: Interfaces\{C1C04D7F-CACE-4170-85B1-331E2845B2C7} : DhcpNameServer = 10.23.45.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: DeviceNP - DeviceNP.dll
AppInit_DLLs: c:\progra~1\hewlet~1\iam\bin\APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli ASWLNPkg
.
============= SERVICES / DRIVERS ===============
.
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-7-29 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-7-29 12960]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-12-2 752128]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-12-1 17904]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-7-29 12528]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-12-1 2996784]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 afcdpsrv;Acronis Nonstop Backup-Dienst;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-12-2 3246040]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-7-14 20992]
R2 ASChannel;Lokaler Verbindungskanal;c:\windows\system32\svchost.exe -k Bioscrypt [2009-7-14 20992]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2009-7-29 1201400]
R2 CDMA Device Service;CDMA Device Service;c:\program files\samsung\usb drivers\26_via_driver2\x86\VIAService.exe [2011-8-31 63488]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-7-29 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-4-7 77824]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-30 366152]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-4-7 2066968]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-12-2 167968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2009-12-10 214696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-30 22216]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-12-1 51632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-6-29 32312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2011-10-18 78136]
S3 FLCDLOCK;HP ProtectTools Gerätesperre/Überwachung;c:\windows\system32\flcdlock.exe [2009-8-5 362040]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-20 136176]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2009-7-30 45056]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2011-8-11 181432]
S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-20 52224]
S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-10 1343400]
.
=============== Created Last 30 ================
.
2011-12-06 08:40:19 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b041922f-e041-4383-9b93-5c5e2b20ccd5}\mpengine.dll
2011-12-05 16:02:50 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-12-05 16:02:50 -------- d-----w- c:\program files\SpywareBlaster
2011-12-05 12:58:58 -------- d-----w- c:\users\r.\appdata\local\Chromium
2011-12-02 13:49:31 -------- d-----w- c:\users\r.\appdata\local\Diagnostics
2011-12-02 10:40:35 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-12-02 10:40:34 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-12-02 10:40:33 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-12-02 10:40:26 170528 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-12-01 09:32:43 -------- d-----w- c:\users\r.\appdata\local\ESET
2011-12-01 09:04:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-01 09:04:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-01 08:47:32 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-30 14:51:17 -------- d-----w- c:\programdata\SecTaskMan
2011-11-30 14:51:14 -------- d-----w- c:\program files\Security Task Manager
2011-11-30 14:30:24 -------- d-----w- c:\users\r.\appdata\roaming\Malwarebytes
2011-11-30 14:30:13 -------- d-----w- c:\programdata\Malwarebytes
2011-11-30 14:30:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 14:30:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 13:17:54 -------- d-----w- c:\program files\Comparator
2011-11-30 11:54:36 -------- d-----w- C:\Downloads
2011-11-30 11:34:47 -------- d-----w- c:\program files\JDownloader
2011-11-24 13:49:21 -------- d-----w- c:\program files\AutoHotkey
2011-11-24 12:50:03 -------- d-----r- C:\Sandbox
2011-11-24 12:48:27 -------- d-----w- c:\program files\Sandboxie
2011-11-17 16:28:41 -------- d-----w- c:\program files\ModuleSoft
2011-11-09 11:24:00 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 11:23:59 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 11:23:59 2341888 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-12-06 08:40:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-01 10:48:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 01:43:42 78136 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2011-10-03 0403 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 9:58:02,28 ===============
Attached Files
File Type: txt DDS.txt (15.8 KB, 8 views)
File Type: txt Attach.txt (6.1 KB, 7 views)
__________________
Old 12-12-2011, 01:19 PM   #6
Security Team
Analyst
 
 
Join Date: Oct 2009
Location: Wels\ Austria
Posts: 719
OS: Win7 / Win 10 TechPreview



Hy there,
I do not see any kind of running malware here.
Also I do not see any kind of a running Anti Virus. Given that this is a business PC, I can not recommend installing free versions, because those are only for Home Users.

If your business has IT support talk to them, if not let me know.

Quote:
M:\Eigene Dateien\Dao\material dao\SoftonicDownloader_fuer_mozilla-firefox.exe - Variante von Win32/SoftonicDownloader.A evtl. unerwünschte Anwendung - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
Only a note for the future. Use the original download locations for software.
Softonic, cnet .... always include some kind of junk.



Please download TFC by OldTimer to your desktop.
  • Close any open windows.
  • Please double-click TFC.exe to run it.
    Vista and Win7 Users: Please right-click on the file and choose Run As Administrator.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.




Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.
__________________
regards, Daniel


There will never be peace in a war so I don't understand what they are fighting for

ASAP & UNITE Member
Old 12-13-2011, 04:19 AM   #7
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Quote:
Originally Posted by Larusso View Post
Hy there,
I do not see any kind of running malware here.
Also I do not see any kind of an running Anti Virus. In fact that this is a business used PC, I can not recommend to install free versions, because those are only for Home Users.
I have Nod32 4, but I've uninstalled it when I scanned with Gmer, since you can't disable it. Once all scans are done, I will reinstall it?

Quote:
Originally Posted by Larusso View Post
Only a note for the future. Use the original download locations for software.
Softtonic, cnet .... always includes some kind of junk.
Is this malware or just some adware? I will avoid it from now on.





Quote:
Originally Posted by Larusso View Post
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.
There was no option to register, just to install some ActiveX elements and do the scan:



I've scanned and it finds some Malware, however I think these are False Positives?
Attached Files
File Type: txt ActiveScan.txt (9.8 KB, 9 views)
__________________
Old 12-13-2011, 11:52 PM   #8
Security Team
Analyst
 
 
Join Date: Oct 2009
Location: Wels\ Austria
Posts: 719
OS: Win7 / Win 10 TechPreview



Quote:
I have Nod32 4, but I've uninstalled it when I scanned with Gmer, since you can't disable it. Once all scans are done, I will reinstall it?
Yes, you can do it now

Quote:
There was no option to register, just to install some ActiveX elements and do the scan
Thanks, have to adjust my canned.

Yes, the detections are FPs.


Any open issues ?
__________________
regards, Daniel


There will never be peace in a war so I don't understand what they are fighting for

ASAP & UNITE Member
Old 12-14-2011, 12:31 AM   #9
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1


Quote:
Originally Posted by Larusso
Any open issues ?
No. So my system is clear? The issues detected by the other scans are no threat?
__________________
Old 12-14-2011, 01:35 AM   #10
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



I mean these:

Quote:
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0df - HTML/ScrInject.B.Gen Virus - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
M:\Backup\IronPortable\Profile\Default\Cache\f_000 0e6 - HTML/ScrInject.B.Gen Virus - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans
Quote:
C:\$RECYCLE.BIN\S-1-5-21-807366929-668818633-305008010-9881\$REPCFUM.zip Win32/RemoteAdmin.NetCat application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp561_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Programmdateien\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\Dropbox\Software\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
M:\IronPortable\Profile\Default\Cache\f_0043ec Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
Quote:
c:\glassfish3\jdk\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe dreamweaver cs5\JVM\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe flash builder 4\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Adobe\adobe flash catalyst cs5\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\common files\Java\java update\jaureg.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jdk1.6.0_26\jre\bin\javacpl.cpl (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jdk1.6.0_26\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\program files\Java\jre6\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
c:\programdata\Adobe\CS5\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.
__________________
Old 12-14-2011, 06:18 AM   #11
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Also, I've now reinstalled NOD32 and scanned and it finds a virus:

Code:
M:\Iron2\Profile\Default\Cache\f_0000ec	Variante von Win32/SweetIM.B evtl. unerwünschte Anwendung	Säubern
SweetIM is an application that is advertised on the external links on your forum.
__________________
Old 12-14-2011, 02:12 PM   #12
Security Team
Analyst
 
 
Join Date: Oct 2009
Location: Wels\ Austria
Posts: 719
OS: Win7 / Win 10 TechPreview



Hy there

From our pre-posting topic
Quote:
NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.


Quote:
M:\Dropbox\Software\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy
You can read about OpenCandy here
Connecting Software Developers and Advertisers | OpenCandy << English
Not really a threat, bundled with the ( curisos ) files you are downloading.


Quote:
c:\programdata\Adobe\CS5\jre\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully
Has been deleted.


What is SweetIM
SweetIM - Download << German

All those detections come from downloading files from different websites instead of the original download location.



Unless you have any open issues, you are good to go.


Please delete DDS and Gmer and all other Tools we have used.



Right-click on Computer and click Properties.
  • In the left pane, click System protection. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Under Protection Settings, click Configure.
  • Under Disk Space Usage, click Delete.
  • Click Continue, and then click OK.



Now that you appear to be free from malware lets help you stay that way!

It is vital that you keep your system up to date
  • Please enable Automatic Updates to keep your system up to date.
  • Windows Updates
    • Win XP: Start --> Control Panel and double- click on Automatic Updates.
    • Vista / 7: Start --> Control Panel --> System and Security --> Windows Updates
  • Software Updates
    Your installed Software also can have vulnerabilities that malware can use to infect your system.
    To keep your installed Software up to date I recommend File Hippo.


Anti Virus Software
  • Make sure to have one Anti Virus programme installed and update it on a regular basis. It is useless with out of date definitions.


Additional Protection
  • Malwarebytes Anti Malware
    The freeware Version is an on demand scanner which will check your system for malware. Update it once a week and run a Quick Scan. You can also buy a licence which offers more features.
  • WinPatrol
    WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.


Safer Browsing

Use an alternate browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects. ActiveX objects can be used by spyware as an infection point on your computer. Note: If you use Firefox you may want to have a look at these Add Ons.

Computer Maintenance
Clean out your temp files on a regular basis - I recommend TFC ( Temp File Cleaner ).



Thinking while surfing
There is no software which will protect your system from yourself.
I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing infection, and how to stay safe whilst browsing the internet.


If you have any questions kindly ask.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
regards, Daniel


There will never be peace in a war so I don't understand what they are fighting for

ASAP & UNITE Member
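A small triage script that applies the analyst's reasoning from the replies above to the scan lines quoted in this thread (an added example, not code from the forum or from any of the scanners; the three log line shapes and the path categories are assumptions drawn from the quoted lines):

```python
"""Triage antivirus log hits by where the flagged file lives.

Added example for this thread (not code from the forum or any vendor): it
parses the ESET, Panda ActiveScan and Malwarebytes line shapes quoted in
the thread and groups each hit by location, so cached web pages and bundled
installers can be separated from files that actually execute on the host.
Assumptions: the path is the first field and contains no " - ", " (" or tab.
"""
import re
from collections import Counter

# One regex per quoted log shape, tried in this order.
_FORMATS = [
    ("eset", re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<det>.+?) - (?P<action>.+)$")),
    ("eset-tab", re.compile(r"^(?P<path>[A-Za-z]:\\[^\t]+)\t(?P<det>[^\t]+)\t(?P<action>[^\t]+)$")),
    ("panda", re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<det>\S+) application \((?P<action>[^)]*)\)")),
    ("mbam", re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")),
]

# Defender notes per location, following the analyst's reasoning in the thread.
NOTES = {
    "browser-cache": "cached copy of a web page that carried injected script; "
                     "nothing runs from here, clearing the cache removes it",
    "recycle-bin": "deleted file waiting to be purged; empty the Recycle Bin",
    "installed": "file in a program directory; confirm with the vendor or a "
                 "second opinion before treating it as an infection",
    "user-files": "downloaded installer; bundled-adware hits (OpenCandy, SweetIM) "
                  "point to a third-party download site, fetch from the vendor",
}


def classify_path(path: str) -> str:
    """Map a Windows path to one of the NOTES categories."""
    p = path.lower()
    if "\\cache\\" in p:
        return "browser-cache"
    if "$recycle.bin" in p:
        return "recycle-bin"
    if re.match(r"^[a-z]:\\(program files|programdata|windows)\\", p):
        return "installed"
    return "user-files"


def parse_log(text: str) -> list:
    """Return one record per recognised hit; unrecognised lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip("\r\n")
        if not line.strip():
            continue
        for source, rx in _FORMATS:
            m = rx.match(line)
            if m:
                loc = classify_path(m["path"])
                records.append({"source": source, "path": m["path"],
                                "detection": m["det"], "action": m["action"].strip(),
                                "location": loc, "note": NOTES[loc]})
                break
    return records


def summarize(records: list) -> Counter:
    """Count hits per location, the number a triage reply would lead with."""
    return Counter(r["location"] for r in records)


# Constructed sample built from the lines quoted in the thread.
SAMPLE_LOG = "\n".join([
    r"M:\Backup\IronPortable\Profile\Default\Cache\f_0000df - HTML/ScrInject.B.Gen Virus - Aktionsauswahl aufgeschoben bis zum Abschluss des Scans",
    r"C:\$RECYCLE.BIN\S-1-5-21-807366929-668818633-305008010-9881\$REPCFUM.zip Win32/RemoteAdmin.NetCat application (unable to clean) 00000000000000000000000000000000 I",
    r"M:\Dropbox\Software\winamp5622_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I",
    r"c:\program files\Java\jre6\bin\javacpl.exe (Trojan.Dropper.pws) -> Quarantined and deleted successfully.",
    r"M:\Iron2\Profile\Default\Cache\f_0000ec" + "\tVariante von Win32/SweetIM.B evtl. unerwünschte Anwendung\tSäubern",
])

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for r in hits:
        print(f"[{r['location']:13}] {r['path']}\n    {r['detection']} -> {r['note']}")
    print(dict(summarize(hits)))
```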
Old 12-15-2011, 09:32 AM   #13
Registered Member
 
Join Date: Dec 2011
Posts: 8
OS: Windows 7 Prof. SP1



Great, thanks.

Regards,
Roman

__________________
Copyright 2001 - 2014, Tech Support Forum