VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

Fb virus - krone2510

https://forum.viry.cz:443/viewtopic.php?t=122431

Stránka 1 z 1

Fb virus - krone2510

Napsal: 20 čer 2012 09:35
od krone2510
Good Morning everybody,

I am sorry to write in English here, but you guys seem to be the only ones who might be able to help me. I have a Problem with the Virus in this thread "hxxp://wonderpicturesonc.net/albums.php?ref=facebook&w=Steffen&resource=youtube".
I was hoping you could help me in removing it, or at least tell me what it does or something.

Thank you for your help,

best wishes..

Re: Fb virus - krone2510

Napsal: 20 čer 2012 09:58
od vyosek
Good morning krone2510 and welcome :welcome:

So, please follow this manual http://www.bleepingcomputer.com/combofi ... e-combofix to use ComboFix and give me the log file

Re: Fb virus - krone2510

Napsal: 20 čer 2012 10:56
od krone2510
Sorry it took me so long, I had some problems with my Spyware program..

Here is the log:

ComboFix 12-06-19.03 - Steffen 20.06.2012 11:33:25.2.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.4095.2929 [GMT 2:00]
ausgeführt von:: c:\users\Steffen\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Disabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Vorheriger Suchlauf -------
.
c:\users\Steffen\AppData\Local\Microsoft\Windows\Temporary Internet Files\msn.gadget
c:\users\Steffen\AppData\Local\qqyqpp.exe
c:\users\Steffen\AppData\Roaming\cacaoweb\adstorage.db
c:\users\Steffen\AppData\Roaming\cacaoweb\cacaoweb.exe
c:\users\Steffen\AppData\Roaming\cacaoweb\downloadNQZLL6AY555083583.cacao
c:\users\Steffen\AppData\Roaming\cacaoweb\npdfile.dat
c:\users\Steffen\AppData\Roaming\cacaoweb\storage.db
c:\users\Steffen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oeoid.exe
c:\windows\jestertb.dll
c:\windows\security\Database\tmp.edb
D:\install.exe
.
-- Vorheriger Suchlauf --
.
Infizierte Kopie von c:\windows\SysWow64\userinit.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe wurde wiederhergestellt
.
--------
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-05-20 bis 2012-06-20 ))))))))))))))))))))))))))))))
.
.
2012-06-20 09:41 . 2012-06-20 09:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-19 19:49 . 2012-03-21 09:23 512472 ----a-w- c:\windows\SysWow64\msxml.dll
2012-06-19 19:49 . 2012-03-21 09:23 40408 ----a-w- c:\windows\system32\CleanMFT64.exe
2012-06-19 19:49 . 2008-09-17 19:17 658432 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
2012-06-19 19:49 . 2008-04-02 13:54 1101824 ----a-w- c:\windows\SysWow64\UniBox210.ocx
2012-06-19 19:49 . 2008-04-02 13:53 212992 ----a-w- c:\windows\SysWow64\UniBoxVB12.ocx
2012-06-19 19:49 . 2008-04-02 13:53 880640 ----a-w- c:\windows\SysWow64\UniBox10.ocx
2012-06-19 19:49 . 2004-03-08 22:00 1081616 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-19 19:49 . 2012-06-20 09:42 -------- d-----w- c:\program files (x86)\PC Tools Registry Mechanic
2012-06-19 19:49 . 2012-06-19 19:49 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-06-19 07:28 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F6F17994-6333-47E3-AEC7-EAA518D2FDCA}\mpengine.dll
2012-06-18 21:01 . 2012-06-18 21:01 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-18 21:01 . 2012-06-18 21:01 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-16 18:21 . 2012-06-16 18:21 -------- d-----w- c:\program files\iPod
2012-06-16 18:21 . 2012-06-16 18:22 -------- d-----w- c:\program files\iTunes
2012-06-16 18:21 . 2012-06-16 18:22 -------- d-----w- c:\program files (x86)\iTunes
2012-06-16 16:23 . 2012-06-16 16:23 -------- d-----w- c:\users\Steffen\AppData\Local\Macromedia
2012-06-13 06:33 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 06:33 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 06:33 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-06 07:22 . 2012-05-29 02:01 1344512 ----a-w- c:\windows\system32\ac3filter64.acm
2012-06-06 07:22 . 2012-05-29 01:56 1099264 ----a-w- c:\windows\SysWow64\ac3filter.acm
2012-06-06 07:22 . 2012-06-06 07:22 -------- d-----w- c:\program files (x86)\AC3Filter
2012-05-29 08:38 . 2012-05-29 08:38 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 16:20 . 2012-04-05 05:57 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-16 16:20 . 2011-05-17 04:48 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-09 20:42 . 2012-05-09 20:42 144672 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-05-09 20:42 . 2012-03-15 09:25 37400 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-05-05 12:15 . 2012-04-05 06:15 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-18 18:56 . 2012-04-18 18:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 18:56 . 2012-04-18 18:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-03-30 11:35 . 2012-05-10 07:11 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 14:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}]
2010-11-29 14:26 3908192 ----a-w- c:\program files (x86)\BittorrentBar_DE\tbBitt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}"= "c:\program files (x86)\BittorrentBar_DE\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files (x86)\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-06-23 110592]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-03-15 900120]
"Freecorder FLV Service"="c:\program files (x86)\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"DataCardMonitor"="c:\program files (x86)\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2011-01-23 253952]
"ROCCAT Pyra Mouse"="c:\program files (x86)\ROCCAT\Pyra Mouse\PyraMonitor.EXE" [2009-12-07 528384]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2012-03-21 103896]
.
c:\users\Steffen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-1-23 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
2;2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-02 136176]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-05-30 2009112]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-02 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 ICQ Service;ICQ Service;c:\program files (x86)\ICQ6Toolbar\ICQ Service.exe [2010-09-06 247096]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2012-03-21 793048]
S2 SAVAdminService;Sophos Anti-Virus Statusreporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-05-09 216600]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-05-09 139800]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-05-09 357400]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-05-30 2830360]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series - Adaptertreiber für Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT-Treiber;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-02 09:14]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-02 09:14]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000Core.job
- c:\users\Steffen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-02 19:24]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000UA.job
- c:\users\Steffen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-02 19:24]
.
2012-06-20 c:\windows\Tasks\RMAutoUpdate.job
- c:\program files (x86)\PC Tools Registry Mechanic\SULauncher.exe [2012-06-19 09:23]
.
2012-06-20 c:\windows\Tasks\RMSchedule.job
- c:\program files (x86)\PC Tools Registry Mechanic\RegMech.exe [2012-06-19 09:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://domredi.com/1/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:1926905636&cof=FORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: Interfaces\{B79AC39B-5209-4EC6-AC22-F5B6657CDA99}: NameServer = 137.193.10.34,137.193.10.35
FF - ProfilePath - c:\users\Steffen\AppData\Roaming\Mozilla\Firefox\Profiles\qpimnt8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: keyword.URL - hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:7317400059&cof=FORID:11&sa=Search&siteurl=search.linkury.com&q=
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-cacaoweb - c:\users\Steffen\AppData\Roaming\cacaoweb\cacaoweb.exe
Wow6432Node-HKCU-Run-rdnahgx - c:\users\Steffen\AppData\Local\qqyqpp.exe
WebBrowser-{64EAD72B-FFD4-4E01-AA3A-4C71665D73E4} - (no file)
HKLM-Run-(Standard) - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-06-20 11:49:51 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-06-20 09:49
.
Vor Suchlauf: 10 Verzeichnis(se), 115.449.905.152 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 115.076.210.688 Bytes frei
.
- - End Of File - - A72F65015BF7534075B23DECE9F5898A

Re: Fb virus - krone2510

Napsal: 20 čer 2012 10:59
od vyosek
Nothing happened, I'll be there all day :wink:

So, please give me a few minutes to write the next steps :worship:

Re: Fb virus - krone2510

Napsal: 20 čer 2012 11:19
od vyosek
I'm sorry, I haven't own manual for CFScript.txt in ENG, I use manual by chemist from TSF

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Kód: Vybrat vše

KillAll::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DivXUpdate"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
"LogMeIn Hamachi Ui"=-
"SunJavaUpdateSched"=-
"QuickTime Task"=-
"iTunesHelper"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000000

Folder::
c:\program files (x86)\ICQ6Toolbar

Driver::
gupdate
gupdatem
ICQ Service

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000Core.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000UA.job
c:\windows\Tasks\RMAutoUpdate.job
c:\windows\Tasks\RMSchedule.job

DDS::
uSearchAssistant = hxxp://cloud-search.linkury.com/results ... ORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com

Firefox::
FF - ProfilePath - c:\users\Steffen\AppData\Roaming\Mozilla\Firefox\Profiles\qpimnt8s.default\
FF - prefs.js: keyword.URL - hxxp://cloud-search.linkury.com/results ... ury.com&q=

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

ClearJavaCache::

Reboot::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Obrázek
Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

Re: Fb virus - krone2510

Napsal: 20 čer 2012 12:07
od krone2510
Alright, here is the new log:

ComboFix 12-06-19.03 - Steffen 20.06.2012 12:28:31.3.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.4095.2838 [GMT 2:00]
ausgeführt von:: c:\users\Steffen\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Steffen\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Disabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Disabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000Core.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000UA.job"
"c:\windows\Tasks\RMAutoUpdate.job"
"c:\windows\Tasks\RMSchedule.job"
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\ICQ6Toolbar
c:\program files (x86)\ICQ6Toolbar\config.xml
c:\program files (x86)\ICQ6Toolbar\Icons.bmp
c:\program files (x86)\ICQ6Toolbar\ICQ Service.exe
c:\program files (x86)\ICQ6Toolbar\icq6Toolbar.ico
c:\program files (x86)\ICQ6Toolbar\ICQToolBar.dll
c:\program files (x86)\ICQ6Toolbar\ICQUnToolbar.exe
c:\program files (x86)\ICQ6Toolbar\logo_small.gif
c:\program files (x86)\ICQ6Toolbar\ServiceStarter.exe
c:\program files (x86)\ICQ6Toolbar\short.wav
c:\program files (x86)\ICQ6Toolbar\Version.txt
c:\program files (x86)\ICQ6Toolbar\voucher.bmp
c:\program files (x86)\ICQ6Toolbar\voucher2.bmp
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000Core.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257498083-3608871188-3601671484-1000UA.job
c:\windows\Tasks\RMAutoUpdate.job
c:\windows\Tasks\RMSchedule.job
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_gupdate
-------\Service_gupdatem
-------\Service_ICQ Service
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-05-20 bis 2012-06-20 ))))))))))))))))))))))))))))))
.
.
2012-06-19 19:49 . 2012-03-21 09:23 512472 ----a-w- c:\windows\SysWow64\msxml.dll
2012-06-19 19:49 . 2012-03-21 09:23 40408 ----a-w- c:\windows\system32\CleanMFT64.exe
2012-06-19 19:49 . 2008-09-17 19:17 658432 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
2012-06-19 19:49 . 2008-04-02 13:54 1101824 ----a-w- c:\windows\SysWow64\UniBox210.ocx
2012-06-19 19:49 . 2008-04-02 13:53 212992 ----a-w- c:\windows\SysWow64\UniBoxVB12.ocx
2012-06-19 19:49 . 2008-04-02 13:53 880640 ----a-w- c:\windows\SysWow64\UniBox10.ocx
2012-06-19 19:49 . 2004-03-08 22:00 1081616 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-19 19:49 . 2012-06-20 10:42 -------- d-----w- c:\program files (x86)\PC Tools Registry Mechanic
2012-06-19 19:49 . 2012-06-19 19:49 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-06-19 07:28 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F6F17994-6333-47E3-AEC7-EAA518D2FDCA}\mpengine.dll
2012-06-18 21:01 . 2012-06-18 21:01 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-18 21:01 . 2012-06-18 21:01 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-16 18:21 . 2012-06-16 18:21 -------- d-----w- c:\program files\iPod
2012-06-16 18:21 . 2012-06-16 18:22 -------- d-----w- c:\program files\iTunes
2012-06-16 18:21 . 2012-06-16 18:22 -------- d-----w- c:\program files (x86)\iTunes
2012-06-16 16:23 . 2012-06-16 16:23 -------- d-----w- c:\users\Steffen\AppData\Local\Macromedia
2012-06-13 06:33 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 06:33 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 06:33 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-06 07:22 . 2012-05-29 02:01 1344512 ----a-w- c:\windows\system32\ac3filter64.acm
2012-06-06 07:22 . 2012-05-29 01:56 1099264 ----a-w- c:\windows\SysWow64\ac3filter.acm
2012-06-06 07:22 . 2012-06-06 07:22 -------- d-----w- c:\program files (x86)\AC3Filter
2012-05-29 08:38 . 2012-05-29 08:38 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 16:20 . 2012-04-05 05:57 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-16 16:20 . 2011-05-17 04:48 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-09 20:42 . 2012-05-09 20:42 144672 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-05-09 20:42 . 2012-03-15 09:25 37400 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-05-05 12:15 . 2012-04-05 06:15 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-18 18:56 . 2012-04-18 18:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 18:56 . 2012-04-18 18:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-03-30 11:35 . 2012-05-10 07:11 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-20_09.44.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-07 08:05 . 2012-06-20 09:54 44176 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-20 10:43 38684 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-06 16:27 . 2012-06-20 10:43 15468 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4257498083-3608871188-3601671484-1000_UserData.bin
- 2012-06-20 09:42 . 2012-06-20 09:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-20 10:40 . 2012-06-20 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-20 09:42 . 2012-06-20 09:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-20 10:40 . 2012-06-20 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-06-20 09:32 616694 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-20 09:56 616694 c:\windows\system32\perfh009.dat
- 2009-07-14 17:58 . 2012-06-20 09:32 654852 c:\windows\system32\perfh007.dat
+ 2009-07-14 17:58 . 2012-06-20 09:56 654852 c:\windows\system32\perfh007.dat
- 2009-07-14 02:36 . 2012-06-20 09:32 106816 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-06-20 09:56 106816 c:\windows\system32\perfc009.dat
- 2009-07-14 17:58 . 2012-06-20 09:32 130434 c:\windows\system32\perfc007.dat
+ 2009-07-14 17:58 . 2012-06-20 09:56 130434 c:\windows\system32\perfc007.dat
+ 2009-07-14 05:01 . 2012-06-20 10:39 274848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-06-20 09:41 274848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-12-06 16:24 . 2012-06-20 10:39 38688504 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4257498083-3608871188-3601671484-1000-8192.dat
- 2010-12-06 16:24 . 2012-06-20 09:18 38688504 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4257498083-3608871188-3601671484-1000-8192.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 14:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}]
2010-11-29 14:26 3908192 ----a-w- c:\program files (x86)\BittorrentBar_DE\tbBitt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}"= "c:\program files (x86)\BittorrentBar_DE\tbBitt.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{64ead72b-ffd4-4e01-aa3a-4c71665d73e4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files (x86)\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-06-23 110592]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-03-15 900120]
"Freecorder FLV Service"="c:\program files (x86)\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"DataCardMonitor"="c:\program files (x86)\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2011-01-23 253952]
"ROCCAT Pyra Mouse"="c:\program files (x86)\ROCCAT\Pyra Mouse\PyraMonitor.EXE" [2009-12-07 528384]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2012-03-21 103896]
.
c:\users\Steffen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-1-23 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-05-30 2009112]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-28 2343816]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2012-03-21 793048]
S2 SAVAdminService;Sophos Anti-Virus Statusreporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-05-09 216600]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-05-09 139800]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-05-09 357400]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-05-30 2830360]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series - Adaptertreiber für Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT-Treiber;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"combofix"="c:\combofix\CF28694.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://domredi.com/1/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:1926905636&cof=FORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: Interfaces\{B79AC39B-5209-4EC6-AC22-F5B6657CDA99}: NameServer = 137.193.10.34,137.193.10.35
FF - ProfilePath - c:\users\Steffen\AppData\Roaming\Mozilla\Firefox\Profiles\qpimnt8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
WebBrowser-{64EAD72B-FFD4-4E01-AA3A-4C71665D73E4} - (no file)
AddRemove-ICQToolbar - c:\program files (x86)\ICQ6Toolbar\ICQUnToolbar.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-06-20 12:55:30 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-06-20 10:55
ComboFix2.txt 2012-06-20 09:49
.
Vor Suchlauf: 10 Verzeichnis(se), 115.151.794.176 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 115.008.589.824 Bytes frei
.
- - End Of File - - B12D7B18EB9B9FB70488A7CC6526D15F

Re: Fb virus - krone2510

Napsal: 20 čer 2012 12:16
od vyosek
Log file is OK, is the problem resolved? Can we make cleaning up after CF?

Re: Fb virus - krone2510

Napsal: 20 čer 2012 12:20
od krone2510
I guess so, it was a Virus from Facebook, so I don´t really know what it does. Normaly I don´t just click on something, but I guess it was a little bit too early for my taste.. :wink:

There are no problems here and if you think the log file is okay, then I guess it is gone. Thanks again, especially for the quick help! :thumbsup:

Re: Fb virus - krone2510

Napsal: 20 čer 2012 12:31
od vyosek
So even clean up :James008:

:arrow: Click Start > Run (or WIN+R) and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall



:offtopic: Where did you hear about our forum? Was it rrecommended by some of the current visitors?

You're welcome, it was my pleasure to help :worship:

Re: Fb virus - krone2510

Napsal: 20 čer 2012 12:42
od krone2510
Actually I just typed in the link and message I got from facebook which originally gave me the virus. And your site was the one that popped up, so I thought I´d try it out.

Well, as I said, thank you very much, your help is greatly appreciated..

Re: Fb virus - krone2510

Napsal: 20 čer 2012 13:07
od vyosek
Glad that your issue is resolved :worship:


Have a nice day :thumbsup:
Všechny časy jsou v UTC+01:00
Stránka 1 z 1

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz