Malware spy.qwas.exe


Jojo1

Hello Malwarebytes.

I have Windows XP. This is what happened:

I was surfing with Firefox when suddenly Java started and a file got opened by Winamp!?!

I ran a scan with AntiVir and found Java-Virus JAVA/OpenConnect.AI, deleted it, and later removed and reinstalled the whole of Java.

After that, neither AntiVir nor Malwarebytes' Anti-Malware could find any more malware.

With Neuber's "Security Task Manager" I still find one suspicious process:

Aper1 Software: Aper1 Internet Browser

programm, invisible, not active

C:\spy.qwas\spy.qwas.exe

When I open the folder C:\spy.qwas, it only shows C:\ in the address bar, and the folder attribute is: hidden.

I just did:

- Malwarebytes' Anti-Malware scan -> (No malicious items detected)

- DeFogger - Disable

- DDS:

DDS (Ver_10-12-12.02) - NTFSx86

Run by PC01 at 17:05:45,56 on 13.02.2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1518 [GMT 1:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\Programme\Sandboxie\SbieSvc.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Programme\Avira\AntiVir Desktop\avgnt.exe

C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

C:\Programme\Logitech\SetPoint\SetPoint.exe

C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE

C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Programme\Avira\AntiVir Desktop\avguard.exe

C:\Programme\Cisco Systems\VPN Client\cvpnd.exe

C:\Programme\Hamachi\hamachi-2.exe

C:\Programme\Java\jre6\bin\jqs.exe

C:\Programme\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Dokumente und Einstellungen\PC01\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.de/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [?]

mRun: [startCCC] "c:\programme\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [WINDVDPatch] CTHELPER.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\setpoint\SetPoint.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe

Trusted Zone: whatthemovie.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280779276812

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\pc01\anwend~1\mozilla\firefox\profiles\um48t8d1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com

FF - Ext: ImageShack® Toolbar: {7378B8C2-FC38-41b8-A8C9-875D1F5B0A24} - %profile%\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}

FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

============= FINISH: 17:07:15,60 ===============

Further actions?

Thanks in advance.

Greetings,

Jojo

Hello Jojo! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

  • Launch Malwarebytes' Anti-Malware.
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log with Attach.txt

Additional information: I restored the previously quarantined "Aper1 Internet Browser" and rebooted before the scans.

1.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5754

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

13.02.2011 18:05:16

mbam-log-2011-02-13 (18-05-16).txt

Scan type: Quick scan

Objects scanned: 141060

Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2.

DDS (Ver_10-12-12.02) - NTFSx86

Run by PC01 at 18:05:41,81 on 13.02.2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1568 [GMT 1:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\Programme\Sandboxie\SbieSvc.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Programme\Avira\AntiVir Desktop\avgnt.exe

C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

C:\Programme\Logitech\SetPoint\SetPoint.exe

C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE

C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Programme\Avira\AntiVir Desktop\avguard.exe

C:\Programme\Cisco Systems\VPN Client\cvpnd.exe

C:\Programme\Hamachi\hamachi-2.exe

C:\Programme\Java\jre6\bin\jqs.exe

C:\Programme\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\Dokumente und Einstellungen\PC01\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.de/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [?]

mRun: [startCCC] "c:\programme\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [WINDVDPatch] CTHELPER.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\setpoint\SetPoint.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe

Trusted Zone: whatthemovie.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280779276812

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\pc01\anwend~1\mozilla\firefox\profiles\um48t8d1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com

FF - Ext: ImageShack

Attach.zip

Thanks!

  • Download OTL to your desktop. Otherwise, try OTL.com or OTL.scr.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

OTL.txt

OTL logfile created on: 13.02.2011 18:36:00 - Run 1

OTL by OldTimer - Version 3.2.20.6 Folder = C:\Dokumente und Einstellungen\PC01\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 77,00% Memory free

6,00 Gb Paging File | 5,00 Gb Available in Paging File | 93,00% Paging File free

Paging file location(s): C:\pagefile.sys 4048 4048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme

Drive C: | 465,76 Gb Total Space | 84,16 Gb Free Space | 18,07% Space Free | Partition Type: NTFS

Drive E: | 19,53 Gb Total Space | 2,33 Gb Free Space | 11,95% Space Free | Partition Type: NTFS

Drive F: | 170,37 Gb Total Space | 17,27 Gb Free Space | 10,14% Space Free | Partition Type: NTFS

Drive M: | 698,63 Gb Total Space | 125,25 Gb Free Space | 17,93% Space Free | Partition Type: NTFS

Computer Name: JOJO | User Name: PC01 | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\PC01\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

PRC - C:\Programme\Hamachi\hamachi-2.exe (LogMeIn Inc.)

PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

PRC - C:\Programme\Sandboxie\SbieSvc.exe (tzuk)

PRC - C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)

PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)

PRC - C:\Programme\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)

========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\PC01\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)

MOD - C:\Programme\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)

MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)

========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found

SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (Hamachi2Svc) -- C:\Programme\Hamachi\hamachi-2.exe (LogMeIn Inc.)

SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (SbieSvc) -- C:\Programme\Sandboxie\SbieSvc.exe (tzuk)

SRV - (CVPND) -- C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)

SRV - (LBTServ) -- C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Programme\WinPcap\rpcapd.exe (CACE Technologies)

SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)

DRV - (SbieDrv) -- C:\Programme\Sandboxie\SbieDrv.sys (tzuk)

DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)

DRV - (teamviewervpn) -- C:\WINDOWS\system32\drivers\teamviewervpn.sys (TeamViewer GmbH)

DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)

DRV - (atksgt) -- C:\WINDOWS\system32\drivers\atksgt.sys ()

DRV - (lirsgt) -- C:\WINDOWS\system32\drivers\lirsgt.sys ()

DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys (Duplex Secure Ltd.)

DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (ATIAVAIW) -- C:\WINDOWS\system32\drivers\atinavt2.sys (ATI Technologies Inc.)

DRV - (LUsbFilt) -- C:\WINDOWS\system32\drivers\LUsbFilt.sys (Logitech, Inc.)

DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)

DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)

DRV - (LBeepKE) -- C:\WINDOWS\system32\drivers\LBeepKE.sys (Logitech, Inc.)

DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (MPE) -- C:\WINDOWS\system32\drivers\mpe.sys (Microsoft Corporation)

DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)

DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)

DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)

DRV - (nvsmu) -- C:\WINDOWS\system32\drivers\nvsmu.sys (NVIDIA Corporation)

DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)

DRV - (tap0801) -- C:\WINDOWS\system32\drivers\tap0801.sys (The OpenVPN Project)

DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)

DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)

DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)

DRV - (emupia) -- C:\WINDOWS\system32\drivers\EMUPIA2K.SYS (Creative Technology Ltd)

DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS (Creative Technology Ltd)

DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\CTPRXY2K.SYS (Creative Technology Ltd)

DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)

DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)

DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\CTAC32K.SYS (Creative Technology Ltd)

DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)

DRV - (sfman) Creative-SoundFont-Verwaltungstreiber (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)

DRV - (emu10k1) Creative-Schnittstellen-Verwaltungstreiber (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)

DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)

DRV - (ctljystk) -- C:\WINDOWS\system32\drivers\ctljystk.sys (Creative Technology Ltd.)

DRV - (PfModNT) -- C:\WINDOWS\system32\PFMODNT.SYS (Creative Technology Ltd.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.de/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false

FF - prefs.js..browser.startup.homepage: "http://www.google.de/"

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3

FF - prefs.js..extensions.enabledItems: {7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}:5.2.4.8

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:0.0.0

FF - prefs.js..extensions.enabledItems: tineye@ideeinc.com:1.0

FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010.08.02 21:16:32 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Programme\Java\jre6\lib\deploy\jqs\ff [2011.02.13 12:47:13 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.12.23 01:38:14 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2011.02.13 12:47:21 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.12.17 19:32:00 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Programme\Mozilla Thunderbird\plugins

[2010.01.31 17:39:22 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Mozilla\Extensions

[2010.01.31 17:39:22 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2009.03.20 18:26:55 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2011.02.13 14:09:42 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Mozilla\Firefox\Profiles\um48t8d1.default\extensions

[2010.03.22 21:59:30 | 000,000,000 | ---D | M] (ImageShack

  • Run OTL.exe
  • Under Custom Scans/Fixes post the following script:

:OTL

O4 - HKCU..\Run: [0] Reg Error: Value error. File not found

[2011.02.13 12:46:21 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun

[2011.02.13 12:36:07 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\QuickScan

@Alternate Data Stream - 857 bytes -> C:\Dokumente und Einstellungen\All Users\Startmen

I posted the script and did "Fix".

After 1-2 minutes it had to reboot to complete the deletion of some files.

After the reboot I got the message: can't find otl.exe (apparently it also got deleted along with some other files on my desktop, like DDS.exe).

I clicked around and found the folder C:\_OTL\MovedFiles.

There is a log (and some more folders):

All processes killed

========== OTL ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\0 not found.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\jre1.6.0_23 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\tmp\si folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\tmp folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\9 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\8 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\7 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\63 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\62 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\61 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\60 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\6 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\59 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\58 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\57 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\56 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\55 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\54 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\53 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\52 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\51 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\50 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\5 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\49 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\48 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\47 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\46 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\45 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\44 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\43 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-434ba2df-n folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\42 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\41 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\40 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60d61b48-n folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\4 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\39 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\38 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\37 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\36 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\35 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\34 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\33 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\32 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\31 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\30 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\3 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\29 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\28 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\27 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\26 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\25 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\24 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\23 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\22 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\21 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\20 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\2 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\19 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\18 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\17 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\16 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\15 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\14 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\13 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\12 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\11 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\10 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\1 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0\0 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache\6.0 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\SystemCache folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\security folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\log folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\ext folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\host folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache\6.0 folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment\cache folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\Deployment folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java\AU folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun\Java folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\Sun folder moved successfully.

C:\Dokumente und Einstellungen\PC01\Anwendungsdaten\QuickScan folder moved successfully.

ADS C:\Dokumente und Einstellungen\All Users\Startmen


With Neubers "Security Task Manager" I still find one suspicious process:

Aper1 Software: Aper1 Internet Browser

programm, invisible, not active

C:\spy.qwas\spy.qwas.exe

When I open the folder C:\spy.qwas it only shows C:\ in the address bar and the folder attribute: hidden.

This is still there.

If I hit the button "


Okay, thanks!

I know about the similar problem in Windows 7, but in Windows XP... I'll check this out. Meanwhile:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix gave an error after scanning like: Not enough main memory to complete the sort

Nothing happened for a few minutes, so I rebooted.

Should I try again?

I cannot find C:\Combo-Fix.txt

Here is C:\Combo-Fix\ComboFix.txt

ComboFix 11-02-12.02 - PC01 13.02.2011 20:08:23.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2047.1600 [GMT 1:00]

ausgef


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=75342

Collect::[8]
c:\spy.qwas\spy.qwas.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spy.qwas.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"?"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

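As an added example (not code from this thread, from ComboFix or from Malwarebytes), here is a small Python audit of the kind of autostart entry the CFScript above removes. It reads a .reg-style export of the HKCU Run key, flags values that launch from a non-standard top-level folder or whose name carries no letters or digits (such as the "?" value), and prints a Registry:: block in the same format as the script in this post. The registry export is constructed: the two value names are the ones the script deletes, the path data attached to them is an assumption (the thread only shows the value names and the file C:\spy.qwas\spy.qwas.exe), and the UpdateTray entry is an invented benign one for contrast. The audit is general, so it also works on a full Run-key export from another machine.

```python
import re
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a .reg export. The value names match the CFScript in
# the thread; the data strings are ASSUMED, and "UpdateTray" is an invented
# benign entry (a vendor tray tool under C:\Programme) for contrast.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spy.qwas.exe"="C:\\spy.qwas\\spy.qwas.exe"
"?"="C:\\spy.qwas\\spy.qwas.exe"
"UpdateTray"="\"C:\\Programme\\Example Vendor\\updatetray.exe\" /silent"
'''

# Top-level folders where legitimately installed software normally lives
# (German XP names as seen in this thread plus the English equivalents).
TRUSTED_TOP_LEVEL = {"windows", "programme", "program files", "program files (x86)",
                     "dokumente und einstellungen", "users", "programdata"}


@dataclass
class RunEntry:
    name: str      # registry value name
    command: str   # command line stored in the value


@dataclass
class Finding:
    name: str
    image: str
    reasons: list = field(default_factory=list)


# "name"="data" with backslash escapes inside either string.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \" ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text, key=RUN_KEY):
    """Return the string values under `key` from a .reg-style export."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() != key.lower():
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries.append(RunEntry(_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def top_level_dir(path):
    """First folder below the drive root, e.g. C:\\spy.qwas\\x.exe -> spy.qwas."""
    m = re.match(r'^[A-Za-z]:\\([^\\]+)\\', path)
    return m.group(1) if m else None


def audit_run_key(text):
    """Flag Run-key values that look like dropped persistence rather than installed software."""
    findings = []
    for e in parse_reg_export(text):
        img = image_path(e.command)
        reasons = []
        if not re.search(r'[A-Za-z0-9]', e.name):
            reasons.append("value name has no letters or digits")
        top = top_level_dir(img)
        if top is None:
            reasons.append("image path is not an absolute drive path")
        elif top.lower() not in TRUSTED_TOP_LEVEL:
            reasons.append("image runs from non-standard top-level folder " + img[:3] + top)
        if reasons:
            findings.append(Finding(e.name, img, reasons))
    return findings


def cfscript_registry_block(findings, key=RUN_KEY):
    """Render the flagged values as a Registry:: removal block ("name"=- lines)."""
    lines, seen = ["Registry::", "[" + key + "]"], set()
    for f in findings:
        if f.name not in seen:
            seen.add(f.name)
            lines.append('"' + f.name + '"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_run_key(SAMPLE_REG_EXPORT)
    for f in found:
        print(repr(f.name), "->", f.image + ":", "; ".join(f.reasons))
    print()
    print(cfscript_registry_block(found))
```

The output block is meant for a human to review before it is handed to a tool, exactly as the helper did here: a legitimate program that installs itself outside Program Files would be flagged too, so the folder check is a prompt to look, not a verdict.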

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Let me know how things are running now.


Thanks for uploading files! :)

Yes, I found this information from the beginning. My last suggestions include changing all of your passwords and:

Step 1

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Step 2

Keep your software up-to-date:

www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


Hello Maniac,

I'm not sure if it's OK to post this as a reply to this thread, but I had the exact same problem with spy.qwas and after reading this thread I am not sure whether it has been successfully removed.

I am using Windows 7 and used Malwarebytes quick-scan to remove and then delete all files found. In addition to that, I ran ComboFix. All symptoms seem to be gone but I don't know if all is really safe.

Should I do any further actions?

Thanks in advance.

Greets,

Lee
