BOO/TDss.D on my laptop

October 6, 2011 at 18:40:49
Specs: Windows 7

boo/tdss.d

I have suddenly seen 15 error messages on my laptop.
After a restart, the screen was almost completely black, except for the task bar.
My antivirus program detects malware but cannot repair it.

I have rebooted in safe mode and then made a backup of my files --> is the external disc now infected as well???

I have run tdsskiller on the system. I needed to get it from another computer via USB stick --> is that USB stick now infected as well??

I cannot get rid of this virus, tdsskiller didn't work.

Also, I have tried to post this message more than once; it never showed up in the threads.

PLEASE HELP me!

Thank you very much.

Names of the malware that avira detects:
BOO/TDss.D

TR/Gendal.kdv.371931.1

C\HP\Bin\Endprocess.exe
APPL/KillApp.A

Thank you!





#1
October 6, 2011 at 20:36:52

majamee,

Will be back shortly with instructions.

Thank you for your patience.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 6, 2011 at 20:51:38

majamee,

C.net

Is it possible for you to boot into Safe Mode with Networking?

If you cannot download the programs that follow, hopefully you will have access to a clean computer, and download them there. Then, use a USB drive to move them over to the Desktop of the infected computer.

Please download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save the download to the Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

Right-click DDS and select: Run as Administrator

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop, and post them in your reply.

However, since these reports can be large, please upload them to Megaupload:
http://www.megaupload.com/

It is very easy to use.

Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.


Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
This is a shorter report, and you do not need to upload it.


You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, or move it to a clean flash drive, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.


#3
October 7, 2011 at 01:15:03

Hi, before starting these actions, I have two questions to clarify:

- My Avira antivir shows the "closed umbrella" but it still shows these notifications...
- I disabled the firewall.

And:
- I can boot in safe mode, but do not know if I have network then.
Shall I go ahead in normal mode then?

--> The dds.scr file I cannot start in administrator mode. Must I first execute it?

Thank you very much!

MajaMee



#4
October 7, 2011 at 01:27:13

Here are the two log files of dds

http://www.megaupload.com/?d=D3ZQOIQ4

http://www.megaupload.com/?d=AI6NZ96S

and the other one run as administrator

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 10:26:44
-----------------------------
10:26:44.602 OS Version: Windows x64 6.1.7601 Service Pack 1
10:26:44.603 Number of processors: 2 586 0x170A
10:26:44.604 ComputerName: MAJA UserName:
10:26:46.114 Initialize success
10:27:49.257 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
10:27:49.267 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 3
10:27:49.280 Disk 0 MBR read successfully
10:27:49.283 Disk 0 MBR scan
10:27:49.287 Disk 0 unknown MBR code
10:27:49.292 Service scanning
10:27:50.576 Modules scanning
10:27:50.585 Disk 0 trace - called modules:
10:27:50.596 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys iaStor.sys hal.dll
10:27:50.605 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80057d3060]
10:27:50.615 3 CLASSPNP.SYS[fffff8800111943f] -> nt!IofCallDriver -> [0xfffffa80057d2960]
10:27:50.623 5 hpdskflt.sys[fffff880023dd289] -> nt!IofCallDriver -> [0xfffffa80046c2980]
10:27:50.630 7 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80046c7050]
10:27:50.636 Scan finished successfully
10:27:58.550 Disk 0 MBR has been saved successfully to "C:\Users\anwender\Desktop\MBR.dat"
10:27:58.564 The log file has been saved successfully to "C:\Users\anwender\Desktop\aswMBR.txt"




#5
October 7, 2011 at 09:37:08

majamee,

When you ran aswMBR, another file was created on the Desktop: MBR.dat

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the 'Submit' Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.

If you cannot do this from the infected computer, move the mbr.dat file to a USB flash drive, and then go to a clean computer and submit it from there.

~~~~
Now, let's press on...

If you cannot run ComboFix first normally in Windows 7, go back to Safe Mode with Networking and run it from there.


Please download an updated version of ComboFix (CF):
http://download.bleepingcomputer.co...


Save ComboFix.exe to your Desktop!! <- Important!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...


Windows 7: To run the program, right-click and select: Run as Administrator

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it to Megaupload, as you did previously.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Now, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
Windows 7: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.

Need to see the following uploads in your reply:
**The 'ComboFix log'
**The 'TDSSKiller' log
**Whether TDSSKiller needed a reboot


Thanks.


#6
October 7, 2011 at 12:13:21

Thank you so much for your patience...

OK, here's the VirusTotal check:

https://www.virustotal.com/file-sca...

will proceed now to the two others



#7
October 7, 2011 at 13:24:10

Now I have run combofix.

During the process, ComboFix automatically restarted my laptop.

results:
some shortcuts have reappeared on my desktop.
i can see some folders and files.

BUT: Firefox at first wouldn't start; there was an error message about a registry key (in German: "es wurde versucht, einen Registrierungsschlüssel einem unzulässigen Vorgang zu unterziehen, der zum löschen markiert wurde").
I then rebooted it and now it works.

(I cannot boot in safe mode...)

here's the log file: http://www.megaupload.com/?d=Q6PULIQ3



#8
October 7, 2011 at 13:31:19

tdss seems to have found nothing.

Here's the log file; no reboot was done during the process:

http://www.megaupload.com/?d=JVGKKTJY

thanks again.

what do i do next?



#9
October 7, 2011 at 19:00:51

majamee,

Thanks for uploading the reports.

The normal solution for the: 'Illegal operation attempted on a registry key that has been marked for deletion' is to reboot the computer, which you already did.

Are you still unable to boot into Safe Mode?

See if you can run the ESET Online Scanner

First, disable your AntiVirus and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

If needed, refer to the information available here to temporarily disable these programs:
http://www.bleepingcomputer.com/for...

Since you are using Windows Seven to perform this scan, go to the 'Start' button, look for the browser icon, right-click it and select: 'Run as administrator'.

In the browser address bar, copy and paste the following:

http://www.eset.com/us/online-scanner

Press the ESET Online Scanner button
In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
Allow the ActiveX to download, and click 'Install':
http://www.eset.com/us/online-scann...

Click Start
Make sure that the option Remove found threats is unticked/unchecked
Click Scan, and wait for the scan to finish

If any threats are found, click the 'List of found threats', then click Export to text file...
Save the file to your Desktop as: 'ESET Scan'

Please provide the contents of the ESET Scan in your reply. If the report is not large, just post it in your reply.


Thanks.


#10
October 7, 2011 at 19:34:33

majamee,

Please disregard the 'Report' flag on the posts.

Have contacted a Moderator to have them reset.


#11
October 8, 2011 at 07:32:24

Hi, this is the result:

C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir Win32/Adware.HDDRescue.AB application
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-113890df a variant of Java/Agent.DT trojan
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-27297d2a a variant of Java/Agent.DT trojan
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-290d0990 a variant of Java/Agent.DT trojan
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-3637bbb2 a variant of Java/Agent.DT trojan
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-366bb642 a variant of Java/Agent.DT trojan
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-6a60bbb6 a variant of Java/Agent.DT trojan
C:\Users\anwender\Downloads\SoftonicDownloader_fuer_transmac.exe a variant of Win32/SoftonicDownloader.A application


One question:
do I also need to scan my external hard drive (to which I tried to save my files in safe mode) and the usb stick that I used for some transfers? I guess I could just throw away the stick, but the hard drive contains more files from the past. Thanks



#12
October 8, 2011 at 12:31:22

majamee,

Q.1: Are you able to boot to Safe Mode? Just want to make sure, since you made a comment to that effect.

Q.2: Also, on the entries identified by ESET, we will take care of those when we wrap up.

Q.3: Are you still experiencing malware problems as identified in your original post?


On scanning the external hard drive, Avira AntiVir Personal Free Antivirus should be able to do that.

Open AntiVir, plug in your external hard drive, and let AntiVir scan it. There may be a setting where you check which drives you want to scan.

The same goes for scanning the usb drives used for transfers. No need to throw them away.

I do not use AntiVir, but, if you go to the Avira website, there is a forum where you can obtain assistance for AntiVir Free Antivirus on general questions about installation, configuration, etc.
If you wish, you can ask the specific question of how to scan your drives:
http://forum.avira.com/wbb/index.ph...


After you scan with AntiVir, post back if it is identifying malware, and where (C:\ drive, external HDD, USB flash drives), if that is the case.


Thanks.


#13
October 8, 2011 at 15:49:00

I don't think I'm able to boot to safe mode.

When I press ESC during start-up, I'm given different options:
F1 System Information
F2 System Diagnostics
F9 Boot Device Options
F10 BIOS Setup
F11 System Recovery

When I then press F9 (which I believe is what I did last time when I wanted to make a backup of my files - after the malware came in) I'm given only one option:
--> Boot Option --> Notebook HD

No safe mode.



#14
October 8, 2011 at 16:17:55

Ok, now to your next question. Q3.

I don't have the Avira Messages popping up anymore, and my files seem to be back.

The Avira icon is still the closed umbrella even though I have reactivated it. But behind the word Webguard it says "unbekannt" - unknown.

The start menu is still empty (all shortcuts gone) except for the right hand side (documents, images, music, computer...) and when I click on "All programs" the folders appear, but then underneath the word [empty] and not the program startup.
No trashbin on my desktop.

I have found some of the programs in the C:/Programme (x86) directory. Not all though, for example the .exe for MS Word and powerpoint etc. is gone.
I could open a Word document though that was on my desktop.

Here are the logfiles of the USB stick and the external HD:
http://www.megaupload.com/?d=W9JU89I1
http://www.megaupload.com/?d=7HUSE8K2

Thank you very much.

MajaMee



#15
October 8, 2011 at 19:29:56

What happens when you tap F8 continuously when you restart the computer? Does it take you to the Windows Advanced Boot Options Menu where Safe Mode is an option?

If not, what brand name/model is this computer?

From the little German I understand, it looks as if the two reports you provided above are clean and show no viruses. Do you agree, since you fully understand the readings?


#16
October 9, 2011 at 02:06:19

Yes, I agree, there are no viruses found in the two reports from Avira.

On pressing f8 during start-up I can boot into safe mode, or safe mode with networking or a lot of other options. :-)

So, this all looks quite promising, except for the ESET and combofix results.

Thank you very much so far!!!

PS: I will also scan my C:/ drive with Avira now; I didn't see that I should have done that also.



#17
October 9, 2011 at 08:10:57

Hello again,

I did the Avira Scan of my Computer.

http://www.megaupload.com/?d=IQ85QVIL

It found three dangerous files.

Der Suchlauf über die ausgewählten Dateien wird begonnen:

Beginne mit der Suche in 'C:\'
C:\HP\Bin\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\6163e64e-4f1af206
[0] Archivtyp: ZIP
--> support/Pipe.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/CVE-2010-0840
Beginne mit der Suche in 'D:\' <RECOVERY>
Beginne mit der Suche in 'E:\' <HP_TOOLS>

Beginne mit der Desinfektion:
C:\Users\anwender\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\6163e64e-4f1af206
[FUND] Enthält Erkennungsmuster des Exploits EXP/CVE-2010-0840
[WARNUNG] Die Datei wurde ignoriert.
C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
[WARNUNG] Die Datei wurde ignoriert.
C:\HP\Bin\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
[WARNUNG] Die Datei wurde ignoriert.


Since for the previous scanners (ComboFix etc.) you asked me not to do anything but save the reports, I didn't let them do the suggested actions (move to quarantine) but skipped that.

Thank you.



#18
October 9, 2011 at 09:59:20

majamee,

Do not be concerned about what CF, ESET or AntiVir found.

We will remove those entries gradually.

First, take action to clear your Sun Java cache:
http://www.java.com/en/download/hel...

Next, please download TFC (Temporary File Cleaner) to your Desktop:
http://oldtimer.geekstogo.com/TFC.exe
Save any work in progress!! TFC closes all open applications and will remove any unsaved work.
Right-click TFC.exe and select: Run as Administrator
If prompted, click Yes to reboot.


Next, download Security Check:
http://screen317.changelog.fr/Secur...

Save to the Desktop.
Right-click SecurityCheck.exe and select: Run as Administrator
Follow the on-screen instructions (in the black box.)

When done, a Notepad document opens automatically: ‘checkup.txt’
Please post the contents of checkup.txt in your reply.


#19
October 9, 2011 at 11:41:43

ok I'll try not to worry... ;-)

here's the result:

Results of screen317's Security Check version 0.99.7
Windows 7
Internet Explorer 8
[b]``````````````````````````````
[u]Antivirus/Firewall Check:[/u][/b]
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
[b]```````````````````````````````
[u]Anti-malware/Other Utilities Check:[/u][/b]
Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
[color=red][b]Out of date Java installed![/b][/color]
Adobe Flash Player 10.1.102.64
Adobe Reader 9.1 MUI
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.23)
Mozilla Thunderbird (7.0.1) [color=red][b]Thunderbird Out of Date![/b][/color]
[b]````````````````````````````````
Process Check:
[u]objlist.exe by Laurent[/u][/b]
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
[b]``````````End of Log````````````[/b]



#20
October 11, 2011 at 15:27:44

Dear aaflac44,

are you still there? Haven't heard from you in a while now...
Thank you very much!

Maja



#21
October 11, 2011 at 19:04:08

majamee,

My apology! Somehow I overlooked your last reply.

The SecurityCheck shows the following tasks need attention:

Please verify the version of Java you have installed:
http://www.java.com/en/download/ins...

If your version of Java is outdated, it needs to be updated to eliminate security vulnerabilities.
When done, uninstall older versions:
http://www.java.com/en/download/uni...

Out of date Adobe Reader installed!

Please download the latest version from:
http://get.adobe.com/reader/

Once installed, launch it, select Help > Check for Updates, and install any updates.

Then, uninstall earlier versions of Adobe Reader:

Go to Start > Control Panel > Add/Remove Programs, and remove all older versions of Adobe Reader.


There is also the free Foxit PDF Reader if you prefer:
http://www.foxitsoftware.com/pdf/re...


Once you get the above tasks done, any more malware problems?


#22
October 12, 2011 at 02:31:02

Hello,

I tried to install the Java update - without success.

During the process I get the following error messages:

"bin\awt.dll: Old File not Found. However, a file of the same name was found. No update done since file contents do not match."

"Java(TM) cannot save the changes to your system."

and the something about

"a problem concerning the Windows Installer package. A program of this installation has not been finished successfully." etc.

This last sentence is a translation from German.

What shall I do?
I have had pop-ups from Java in the past (Almost every day) suggesting updates - either I clicked "no" or I clicked "yes" and then encountered the same problem: that the installation couldn't be finished...

Best regards.
Maja

PS: Adobe Reader updated.



#23
October 13, 2011 at 06:19:49

majamee,

See if this helps:

Download and install the Windows Installer CleanUp Utility 7.2:
http://majorgeeks.com/Windows_Insta...

Run it to produce a list of your applications installed from an .msi package.
Select the installed Java version that won't update, then click "Remove".

Now try installing the Java update.

Post back on status.

Thanks.


#24
October 13, 2011 at 06:29:46

Hello,

when I run the program, nothing happens.
No "list of applications installed from an .msi package" is produced...

This means I cannot select any installed Java version that won't update, then click "Remove"...

What can I do?

Thank you!
Maja



#25
October 13, 2011 at 09:23:42

In Control Panel > Programs and Features, you should have: Java(TM) 6 Update 20
from Sun Microsystems

Select the program from the list, and click: Uninstall

Then, install the latest version of Java.


#26
October 13, 2011 at 10:06:30

I did that.
How do I realize if the malware is gone?

I can basically work on my computer with a couple of "workarounds".

Same status as on Saturday / 8th October:
My desktop is black.
The start menu is empty (all shortcuts gone) except for the right hand side (documents, images, music, computer...) and when I click on "All programs" the folders appear but then underneath the word [empty] but not the program startup.
No trashbin on my desktop.

I have found some of the programs in the C:/Programme (x86) directory. Not all though, for example the .exe for MS Word and powerpoint etc. is gone.
I could open a Word document though that was on my desktop.

Can't find the calculator and other features that I always used through startup menu.

Thank you!

Maja



#27
October 13, 2011 at 15:07:06

majamee,

Give this a whirl...

Please download and save unhide.exe to your Desktop (or anywhere else you can find it, if the Desktop is not showing):
http://download.bleepingcomputer.co...

Right-click the file and select: Run as Administrator.

See if you can find your Programs, and how are the icons on the Desktop looking?


#28
October 13, 2011 at 16:41:23

Only MS Silverlight appeared in the start menu.
I ran the program again with disabled firewall & disabled antivir - now Thunderbird and Solitaire are showing as well. Nothing else...

MajaMee



#29
October 13, 2011 at 20:25:23

Try the following:

Start Task Manager (right-click the TaskBar) go to File > New Task (Run...)
In the Open area type in: explorer.exe
Click: OK

Restart the computer

Any change?


Other options:
Go to Control Panel \ Personalize (or right-click on the desktop and select Personalize), and then select: “Change Desktop Icons” on the left-hand side.
Check the box next to the Recycle Bin


What happens if you right-click the Desktop > View, check: Show Desktop Icons?


#30
October 14, 2011 at 02:29:24

Icons appear on my desktop, including trashbin.

It's the start menu that contains all the program folders but not the exe shortcuts - I cannot launch anything from the start menu.

I can work with the computer, but it's a little complicated.

Thank you again!!!
Maja



#31
October 14, 2011 at 08:51:03

We need to take a look at the Registry key that takes care of application shortcut and functionality.


Please do the following:

Download SystemLook from one of these links:
http://jpshortstuff.247Fixes.com/Sy...
http://images.malwareremoval.com/jp...

Save the file to the Desktop


Right-click SystemLook.exe and select: Run as Administrator
Copy the all of the following text into the open field:

:reg
HKEY_CLASSES_ROOT\Exefile\Shell\Open
HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command

Click the Look button to start the scan.
When finished, a Notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.


Thanks!


#32
October 15, 2011 at 04:23:05

SystemLook 30.07.11 by jpshortstuff
Log created at 13:22 on 15/10/2011 by anwender
Administrator - Elevation successful

========== reg ==========

[HKEY_CLASSES_ROOT\Exefile\Shell\Open]
"EditFlags"=00 00 00 00 (REG_BINARY)

[HKEY_CLASSES_ROOT\Exefile\Shell\Open\command]


[HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"


-= EOF =-



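The SystemLook result above shows the stock value for the exefile "open" command, which is what the helper was checking for. As an added example (not from the thread, and not SystemLook's own code), this Python script parses a SystemLook ':reg' dump and flags a default value that is anything other than "%1" %*; the hijacked sample and its C:\rogue\svc.exe path are constructed placeholders, not values from this thread.

```python
"""Audit the HKEY_CLASSES_ROOT\\Exefile\\Shell\\Open\\Command value in a
SystemLook ':reg' dump.

If the default (@) value of this key is not exactly  "%1" %*  then every
.exe the user launches is routed through something else first, which is a
common rogue-AV/hijacker technique and explains "nothing starts" symptoms.
"""
import re
from typing import Dict, Optional, Tuple

EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command"
EXPECTED_COMMAND = '"%1" %*'   # stock Windows value

# Constructed sample 1: the clean output posted in the thread. SystemLook
# lists the key twice (as typed, and with Windows' own capitalisation).
CLEAN_DUMP = r'''========== reg ==========

[HKEY_CLASSES_ROOT\Exefile\Shell\Open]
"EditFlags"=00 00 00 00 (REG_BINARY)

[HKEY_CLASSES_ROOT\Exefile\Shell\Open\command]


[HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command]
@=""%1" %*"
"IsolatedCommand"=""%1" %*"

-= EOF =-
'''

# Constructed sample 2: a hijacked variant written for this example;
# C:\rogue\svc.exe is a placeholder path, not an indicator from the thread.
HIJACKED_DUMP = r'''========== reg ==========

[HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command]
@=""C:\rogue\svc.exe" -a "%1" %*"
"IsolatedCommand"=""%1" %*"

-= EOF =-
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')


def _unquote(data: str) -> str:
    """SystemLook wraps REG_SZ data in one pair of quotes without escaping
    inner quotes, so the text  ""%1" %*"  denotes the string  "%1" %*  ."""
    data = data.rstrip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    return data  # binary / DWORD data is kept verbatim


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key (lower-cased): {value name: data}} for a ':reg' section.
    Keys are merged case-insensitively, since the registry itself is."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").strip('"')  # '@' stays '@'
            keys[current][name] = _unquote(m.group("data"))
    return keys


def check_exefile_command(dump: str) -> Tuple[bool, Optional[str]]:
    """Return (is_stock, command). is_stock is True only when the default
    value is exactly '"%1" %*'; command is None when the key is absent."""
    values = parse_reg_dump(dump).get(EXEFILE_COMMAND_KEY.lower(), {})
    command = values.get("@")
    return command == EXPECTED_COMMAND, command


if __name__ == "__main__":
    for label, dump in (("thread result", CLEAN_DUMP),
                        ("hijacked sample", HIJACKED_DUMP)):
        ok, cmd = check_exefile_command(dump)
        print(f"{label}: {'stock' if ok else 'MODIFIED'} -> {cmd!r}")
```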

#33
October 15, 2011 at 10:37:48


Try running the EXE option on the link below and let us know of how it goes:
http://www.sevenforums.com/tutorial...

1. Click on the file extension type link listed below for EXE to download its .reg file.
2. Save the .reg file to the Desktop.
3. Right click on the downloaded .reg file and click on Merge

Restart the computer.

Yes??


#34
October 17, 2011 at 09:28:12

Bizarre...
I did that and now I found the editor and the calculator, but the program folders *in the start menu* are still empty.
I have a shortcut to Excel and Word in the startmenu.

Best regards,
majamee



#35
October 17, 2011 at 16:00:28

I didn't want to butt in, but when malware removes the entire start menu, it normally makes a copy in the temp folder under %TEMP%\smtmp. By running Combofix and/or TFC, it removed this backup that unhide.exe would normally use to restore the start menu shortcuts. AFAIK, the only way to recover these shortcuts would be to manually re-add each shortcut by hand. Alternately, you could try to restore from a known good backup, but it would have to be from before the infection and would have to include the entire user profile directory.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::



#36
October 17, 2011 at 20:57:14

@SongCloud:
Thanks for jumping in. Your input is appreciated.

The Temp\smtmp folder did not come to mind until you mentioned it. Then, the lightbulb lit.

ComboFix has a routine built in for that temp\smtmp folder. It will replace it, though, not delete it.

Actually, for Windows 7, under the 'smtmp' folder you can find the folders as 1, 3, and 4.
C:\Users\user_name\AppData\Local\Temp\smtmp\1
C:\Users\user_name\AppData\Local\Temp\smtmp\3
C:\Users\user_name\AppData\Local\Temp\smtmp\4

However, the clincher is that we do not know if the folder existed before the AV and other programs were run in an effort to get rid of the malware. Also, if the \smtmp\ folder existed, the files should have been restored by CF. However, it can only restore what it finds, depending on what is left on the infected computer.

@majamee,

My apology for the delay...another 'one of those days'...rather busy.

Please do the following:

Right click the Windows Orb (Start button) and select: Properties

On the Start Menu Tab there are 2 options:

Store and display recently opened programs in the Start Menu
Store and display recently opened programs in the Start Menu and Taskbar

Are these checked or unchecked?


Next, please download SystemLook from one of the links below:
64-bit System:
http://jpshortstuff.247Fixes.com/Sy...
http://images.malwareremoval.com/jp...


Save the file to the 'Desktop'


Right-click SystemLook.exe and select: Run as Administrator

Copy the following into the open textfield:


:dir
%Temp%\smtmp /s
%temp%


Click the Look button to start the scan.

When finished, a Notepad window opens with the results of the scan.
Please post the 'SystemLook.txt' in your reply.


Thanks!


#37
October 18, 2011 at 01:13:50

here we go:


SystemLook 30.07.11 by jpshortstuff
Log created at 10:13 on 18/10/2011 by anwender
Administrator - Elevation successful

========== dir ==========

C:\Users\anwender\AppData\Local\Temp\smtmp - Unable to find folder.

C:\Users\anwender\AppData\Local\Temp - Parameters: "(none)"

---Files---
20111012134454122-1.pdf -ra---- 1240407 bytes [13:26 12/10/2011] [13:26 12/10/2011]
20111012134454122.pdf -ra---- 1240407 bytes [13:26 12/10/2011] [13:26 12/10/2011]
AdobeARM.log --a---- 13083 bytes [13:21 12/10/2011] [08:04 18/10/2011]
AdobeSFX.log --a---- 2022 bytes [09:33 12/10/2011] [09:35 12/10/2011]
AUCHECK_PARSER.txt --a---- 183 bytes [16:54 13/10/2011] [16:54 13/10/2011]
DMIC34E.tmp --a---- 0 bytes [15:52 10/10/2011] [15:52 10/10/2011]
DO7nVyqD.html.part --a---- 0 bytes [11:54 15/10/2011] [11:54 15/10/2011]
e-ticket_7242125153579.pdf -ra---- 179874 bytes [14:45 17/10/2011] [14:45 17/10/2011]
Einladung_RCG_fairringeRn_Cup.pdf -ra---- 1088194 bytes [15:27 13/10/2011] [15:27 13/10/2011]
Facture d'acompte M. MOMMERT.pdf -ra---- 132831 bytes [13:02 13/10/2011] [13:02 13/10/2011]
FXSAPIDebugLogFile.txt --a---- 0 bytes [23:25 06/10/2011] [23:25 06/10/2011]
JAUReg.log --a---- 160 bytes [16:54 13/10/2011] [16:54 13/10/2011]
java_install.log --a---- 28845 bytes [16:53 13/10/2011] [16:53 13/10/2011]
java_install_reg.log --a---- 11439 bytes [08:10 13/10/2011] [16:53 13/10/2011]
java_install_sp.log --a---- 4588 bytes [09:18 12/10/2011] [16:53 13/10/2011]
jinstall.cfg --a---- 1303 bytes [09:18 12/10/2011] [16:52 13/10/2011]
jusched.log --a---- 24914 bytes [18:37 09/10/2011] [08:09 18/10/2011]
MSI476e.LOG --a---- 862 bytes [09:20 12/10/2011] [09:21 12/10/2011]
MSI55987.LOG --a---- 862 bytes [09:24 12/10/2011] [09:24 12/10/2011]
MSI7b2ae.LOG --a---- 862 bytes [09:28 12/10/2011] [09:29 12/10/2011]
MSN284A.exe --a---- 469256 bytes [09:39 12/10/2011] [11:43 07/06/2011]
MSN284A.tmp --a---- 0 bytes [09:39 12/10/2011] [09:39 12/10/2011]
Ticket Maja.pdf -ra---- 483323 bytes [13:30 13/10/2011] [13:30 13/10/2011]
wmplog00.sqm --a---- 1318 bytes [22:02 17/10/2011] [22:02 17/10/2011]
wmplog01.sqm --a---- 1318 bytes [22:02 17/10/2011] [22:02 17/10/2011]
wmsetup.log --a---- 5363 bytes [21:57 09/10/2011] [21:51 17/10/2011]

---Folders---
Adobe d------ [13:27 12/10/2011]
BingBarInstallerLogs d------ [09:39 12/10/2011]
comtypes_cache d------ [18:32 09/10/2011]
Cookies d--hs-- [13:30 12/10/2011]
History d--hs-- [13:30 12/10/2011]
hsperfdata_anwender d------ [09:17 12/10/2011]
lilo.2964 d------ [16:25 17/10/2011]
Low d------ [09:30 12/10/2011]
msohtml d------ [18:38 10/10/2011]
msohtml1 d------ [18:38 10/10/2011]
plugtmp d------ [09:11 12/10/2011]
plugtmp-1 d------ [09:21 12/10/2011]
plugtmp-2 d------ [08:10 18/10/2011]
Temporary Internet Files d--hs-- [13:30 12/10/2011]
VBE d------ [19:29 09/10/2011]
WPDNSE d------ [08:04 18/10/2011]
{9aaef52f-07db-45f3-abad-c23a51b6eda6} d------ [13:24 13/10/2011]

-= EOF =-



#38
October 18, 2011 at 06:44:21

PS. both options checked in the properties


#39
October 18, 2011 at 09:32:36

majamee,

Thanks for the info.

Was able to confirm with Experts (at other forums) that, if the \smtmp\ folder had existed at the time ComboFix was run, the files would have been restored by CF.

Main program folders need to be placed in the following locations:
C:\Program Data\Start Menu
C:\Program Data\Desktop

NOTE: Start Menu is a system folder and it is hidden.
Refer to the link below to change the Hidden File settings:
http://www.sevenforums.com/tutorial...

Also, in order to access the 'Start Menu' folder, you may need to take ownership of that folder.
Add "Take Ownership" to Explorer Right-Click Menu in Win 7 or Vista:
http://www.howtogeek.com/howto/wind...

Info on 'Organizing the Start menu can make it easier to find your favorite programs and folders':
http://windows.microsoft.com/en-US/...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#40
October 18, 2011 at 15:15:29

Hello,
thank you very much for your continued efforts.


In the C:\Program Data folder I can't find the Desktop folder or the Start Menu folder.
Both are gone, even after making invisible files & folders visible.

I think I could totally live with the empty start menu since I can find the programs somewhere on the computer.

My main question still is the same: is the malware gone from the machine now? Can it still do any harm?

Thanks!
MajaMee



#41
October 18, 2011 at 17:40:27

majamee,

Will review the entire topic later this evening, and will get back to you tomorrow on where we stand as far as the malware goes.

In the meantime, here is more information which may help you. Reference Images are also included:

Windows 7: Start Menu All Programs in Windows 7 - Restore Default Shortcuts:
http://www.sevenforums.com/tutorial...

To manually recreate the 'All Programs' entries, follow these steps...

Download App Paths:
http://sourceforge.net/projects/app...
Double-click on 'AppPaths.exe' to run the program.
Keep the program open...


In this example an entry for Avast antivirus program is recreated.

Go to Start > All Programs
Right click on Avast entry, select: Properties
Reference Image:
http://209.85.48.8/228/109/upload/p...
NOTE: Make sure you right-click on the Avast program, NOT on the Avast folder.

You will see this window:
Image Reference:
http://209.85.48.8/228/109/upload/p...
Due to the damage caused by the infection, you may find the 'Target' box empty.


Go back to 'AppPaths' window and find the 'Avast' entry.
Right-click on Avast line, and select: Edit
A pop-up window opens:
Image Reference:
http://209.85.48.8/228/109/upload/p...

Highlight everything in the 'Path' box, right-click on it, and select: Copy
Go back to Avast 'Properties' window, right-click inside the 'Target' box, and select: Paste
IMPORTANT! Add quotation marks at the beginning of the path and at the end.
Click: OK
Image Reference:
http://209.85.48.8/228/109/upload/p...


In case the program's link shows as (empty):
Image Reference:
http://209.85.48.8/228/109/upload/p...

Now, open Windows Explorer, navigate to the Avast folder in Program Files
Right click on the Avast.exe file, and select: Create shortcut:
Image Reference:
http://209.85.48.8/228/109/upload/p...


Copy that shortcut, and go back to the 'Start' menu.
Right click on 'avast!Free Antivirus', select: Paste
You will see the Avast shortcut recreated replacing the (empty) entry.


Alternatively....
...you can paste the shortcut in:
Windows 7: C:\Program Data\Start Menu\Programs\Avast

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#42
October 19, 2011 at 08:41:49

majamee,

Took a look at your entire topic, so, let's make sure the malware is gone, which is your main concern.

Be sure your protective software is temporarily disabled while you are running CF!

Now, open Notepad (Start > Run, in the Open field type: notepad)
Click: OK

Copy/paste ALL the following text below to Notepad:

KillAll::
ClearJavaCache::
File::
C:\Users\anwender\Downloads\SoftonicDownloader_fuer_transmac.exe


Save as CFScript.txt
Change the 'Save as type' to: All Files (*.*)

Save it to the Desktop

(Both the 'ComboFix' icon and the 'CFScript.txt' must be on the Desktop!)
http://img.photobucket.com/albums/v...

Left click and drag the 'CFScript.txt' file over to the 'ComboFix' icon. Then, 'drop' it over CF.

This triggers ComboFix to run another scan where it carries out the commands of CFScript.

CF may reboot when it finishes. This is normal.

Do not mouse-click ComboFix while it is running, as it may cause a stall!

When finished, a log is produced: ComboFix.txt

Please upload the contents of the new report.


~~~~
Re-enable your security software.
Are you running a FireWall, or does AntiVir include one?
If not, you can use the Windows FireWall.


~~~~
Run Security Check once again:
Right-click 'SecurityCheck.exe' and select: Run as Administrator
Follow the on-screen instructions (in the black box.)

When done, a Notepad document opens automatically: 'checkup.txt'
Please post the contents of 'checkup.txt' in your reply.


~~~~
Now, run AntiVir, and post what it finds.
You can plug in your external media, if you want AntiVir to scan it.

Please post:
The new ComboFix report (upload)
The new checkup.txt from SecurityCheck (post here)
The new AntiVir report (post here)

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#43
October 20, 2011 at 15:32:09

Ok, here is the ComboFix Report:

http://www.megaupload.com/?d=RZTPIL4U


Security Check:

Results of screen317's Security Check version 0.99.7
Windows 7
Internet Explorer 8
[b]``````````````````````````````
[u]Antivirus/Firewall Check:[/u][/b]
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
[b]```````````````````````````````
[u]Anti-malware/Other Utilities Check:[/u][/b]
Malwarebytes' Anti-Malware
Java(TM) 6 Update 27
[color=red][b]Out of date Java installed![/b][/color]
Adobe Flash Player 10.1.102.64
Adobe Reader X (10.1.1) - Deutsch
Mozilla Firefox (3.6.23)
Mozilla Thunderbird (7.0.1) [color=red][b]Thunderbird Out of Date![/b][/color]
[b]````````````````````````````````
Process Check:
[u]objlist.exe by Laurent[/u][/b]
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
[b]``````````End of Log````````````[/b]


As for Antivir:

What should I do with the finds this time?
Move to Quarantine or skip / ignore?

Thanks,
Maja



#44
October 20, 2011 at 15:37:43

PS. Concerning your suggestion on restoring the shortcuts, I have encountered two problems:

- For some programs, I still cannot find the .exe in their folders.

- When I do find the .exe and I right click on them and select "create shortcut" the system wants to create a "visual" shortcut (icon) in the same folder. This means I cannot copy any link...

In "All Programs", all my programs links show as [empty].
Also, I do not have the entry "Run" in the Start menu...



#45
October 20, 2011 at 18:52:18

"As for Antivir:
What should I do with the finds this time?
Move to Quarantine or skip / ignore?"

^^On the above^^...

Can you post what AntiVir is showing?

Thanks.

Will get back to you on the shortcuts. Have to check some options.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#46
October 21, 2011 at 01:50:40

Finds:

(1) Trojan horse in c:\Qoobox\Quarantine\c\ProgramData:
6DSS92c31APgjk.exe.vir
TR/Gendal.kdv.371931.1

(2) in c:\HP\Bin:
EndProcess.exe
APPL/KillApp.A

Options I'm given:
- Move to Quarantine
- Ignore
- Delete
- Rename

I'll have to shut down my computer in about four hours, will choose ignore then but can repeat the scan with your suggested option later.



#47
October 21, 2011 at 03:26:20

here's the complete report:

Avira AntiVir Personal
Erstellungsdatum der Reportdatei: Freitag, 21. Oktober 2011 10:37

Es wird nach 3419255 Virenstämmen gesucht.

Das Programm läuft als uneingeschränkte Vollversion.
Online-Dienste stehen zur Verfügung.

Lizenznehmer : Avira AntiVir Personal - Free Antivirus
Seriennummer : 0000149996-ADJIE-0000001
Plattform : Windows 7 x64
Windowsversion : (Service Pack 1) [6.1.7601]
Boot Modus : Normal gebootet
Benutzername : SYSTEM
Computername : MAJA

Versionsinformationen:
BUILD.DAT : 10.2.0.704 35934 Bytes 28.09.2011 13:14:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 01.07.2011 08:21:54
AVSCAN.DLL : 10.0.5.0 57192 Bytes 01.07.2011 08:21:54
LUKE.DLL : 10.3.0.5 45416 Bytes 01.07.2011 08:21:55
LUKERES.DLL : 10.0.0.0 13672 Bytes 14.01.2010 10:59:47
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 01.07.2011 08:21:55
AVREG.DLL : 10.3.0.9 88833 Bytes 16.07.2011 09:38:06
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 08:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14.12.2010 13:40:34
VBASE002.VDF : 7.11.3.0 1950720 Bytes 09.02.2011 08:51:37
VBASE003.VDF : 7.11.5.225 1980416 Bytes 07.04.2011 08:41:52
VBASE004.VDF : 7.11.8.178 2354176 Bytes 31.05.2011 20:44:53
VBASE005.VDF : 7.11.10.251 1788416 Bytes 07.07.2011 09:35:45
VBASE006.VDF : 7.11.13.60 6411776 Bytes 16.08.2011 09:42:52
VBASE007.VDF : 7.11.15.106 2389504 Bytes 05.10.2011 23:22:25
VBASE008.VDF : 7.11.15.107 2048 Bytes 05.10.2011 23:22:25
VBASE009.VDF : 7.11.15.108 2048 Bytes 05.10.2011 23:22:26
VBASE010.VDF : 7.11.15.109 2048 Bytes 05.10.2011 23:22:26
VBASE011.VDF : 7.11.15.110 2048 Bytes 05.10.2011 23:22:26
VBASE012.VDF : 7.11.15.111 2048 Bytes 05.10.2011 23:22:26
VBASE013.VDF : 7.11.15.144 161792 Bytes 07.10.2011 22:49:38
VBASE014.VDF : 7.11.15.177 130048 Bytes 10.10.2011 17:05:16
VBASE015.VDF : 7.11.15.213 113664 Bytes 11.10.2011 17:05:16
VBASE016.VDF : 7.11.16.1 163328 Bytes 14.10.2011 10:36:38
VBASE017.VDF : 7.11.16.34 187904 Bytes 18.10.2011 22:12:38
VBASE018.VDF : 7.11.16.77 139264 Bytes 20.10.2011 22:12:39
VBASE019.VDF : 7.11.16.78 2048 Bytes 20.10.2011 22:12:39
VBASE020.VDF : 7.11.16.79 2048 Bytes 20.10.2011 22:12:39
VBASE021.VDF : 7.11.16.80 2048 Bytes 20.10.2011 22:12:39
VBASE022.VDF : 7.11.16.81 2048 Bytes 20.10.2011 22:12:39
VBASE023.VDF : 7.11.16.82 2048 Bytes 20.10.2011 22:12:40
VBASE024.VDF : 7.11.16.83 2048 Bytes 20.10.2011 22:12:40
VBASE025.VDF : 7.11.16.84 2048 Bytes 20.10.2011 22:12:40
VBASE026.VDF : 7.11.16.85 2048 Bytes 20.10.2011 22:12:40
VBASE027.VDF : 7.11.16.86 2048 Bytes 20.10.2011 22:12:40
VBASE028.VDF : 7.11.16.87 2048 Bytes 20.10.2011 22:12:40
VBASE029.VDF : 7.11.16.88 2048 Bytes 20.10.2011 22:12:41
VBASE030.VDF : 7.11.16.89 2048 Bytes 20.10.2011 22:12:41
VBASE031.VDF : 7.11.16.96 44032 Bytes 20.10.2011 22:12:41
Engineversion : 8.2.6.84
AEVDF.DLL : 8.1.2.1 106868 Bytes 03.09.2010 14:23:12
AESCRIPT.DLL : 8.1.3.81 467322 Bytes 06.10.2011 23:22:34
AESCN.DLL : 8.1.7.2 127349 Bytes 24.11.2010 12:44:40
AESBX.DLL : 8.2.1.34 323957 Bytes 03.06.2011 19:18:14
AERDL.DLL : 8.1.9.15 639348 Bytes 10.09.2011 06:57:29
AEPACK.DLL : 8.2.10.11 684408 Bytes 02.10.2011 22:10:07
AEOFFICE.DLL : 8.1.2.15 201083 Bytes 19.09.2011 06:46:39
AEHEUR.DLL : 8.1.2.180 3748217 Bytes 13.10.2011 17:05:17
AEHELP.DLL : 8.1.17.7 254327 Bytes 03.08.2011 20:51:22
AEGEN.DLL : 8.1.5.9 401780 Bytes 27.08.2011 21:18:51
AEEMU.DLL : 8.1.3.0 393589 Bytes 24.11.2010 12:44:34
AECORE.DLL : 8.1.23.0 196983 Bytes 27.08.2011 21:18:50
AEBB.DLL : 8.1.1.0 53618 Bytes 27.05.2010 18:38:55
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 10:59:10
AVPREF.DLL : 10.0.3.2 44904 Bytes 01.07.2011 08:21:54
AVREP.DLL : 10.0.0.10 174120 Bytes 17.05.2011 21:58:39
AVARKT.DLL : 10.0.26.1 255336 Bytes 01.07.2011 08:21:54
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 01.07.2011 08:21:54
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 11:57:53
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 14:38:54
NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 13:40:55
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 01.07.2011 08:21:53
RCTEXT.DLL : 10.0.64.0 98664 Bytes 01.07.2011 08:21:53

Konfiguration für den aktuellen Suchlauf:
Job Name..............................: Vollständige Systemprüfung
Konfigurationsdatei...................: C:\program files (x86)\avira\antivir desktop\sysscan.avp
Protokollierung.......................: standard
Primäre Aktion........................: interaktiv
Sekundäre Aktion......................: ignorieren
Durchsuche Masterbootsektoren.........: ein
Durchsuche Bootsektoren...............: ein
Bootsektoren..........................: C:, D:, E:, G:,
Durchsuche aktive Programme...........: ein
Laufende Programme erweitert..........: ein
Durchsuche Registrierung..............: ein
Suche nach Rootkits...................: ein
Integritätsprüfung von Systemdateien..: aus
Datei Suchmodus.......................: Alle Dateien
Durchsuche Archive....................: ein
Rekursionstiefe einschränken..........: 20
Archiv Smart Extensions...............: ein
Makrovirenheuristik...................: ein
Dateiheuristik........................: erweitert
Abweichende Gefahrenkategorien........: +APPL,+PCK,+PFS,+SPR,

Beginn des Suchlaufs: Freitag, 21. Oktober 2011 10:37

Der Suchlauf nach versteckten Objekten wird begonnen.

Der Suchlauf über gestartete Prozesse wird begonnen:
Durchsuche Prozess 'HPSF.exe' - '127' Modul(e) wurden durchsucht
Durchsuche Prozess 'avscan.exe' - '80' Modul(e) wurden durchsucht
Durchsuche Prozess 'avscan.exe' - '30' Modul(e) wurden durchsucht
Durchsuche Prozess 'avcenter.exe' - '105' Modul(e) wurden durchsucht
Durchsuche Prozess 'plugin-container.exe' - '73' Modul(e) wurden durchsucht
Durchsuche Prozess 'firefox.exe' - '120' Modul(e) wurden durchsucht
Durchsuche Prozess 'thunderbird.exe' - '113' Modul(e) wurden durchsucht
Durchsuche Prozess 'mbamservice.exe' - '37' Modul(e) wurden durchsucht
Durchsuche Prozess 'hpqToaster.exe' - '48' Modul(e) wurden durchsucht
Durchsuche Prozess 'CLMLSvc.exe' - '65' Modul(e) wurden durchsucht
Durchsuche Prozess 'Com4QLBEx.exe' - '27' Modul(e) wurden durchsucht
Durchsuche Prozess 'hpqwmiex.exe' - '38' Modul(e) wurden durchsucht
Durchsuche Prozess 'jusched.exe' - '69' Modul(e) wurden durchsucht
Durchsuche Prozess 'avgnt.exe' - '75' Modul(e) wurden durchsucht
Durchsuche Prozess 'hpwuschd2.exe' - '27' Modul(e) wurden durchsucht
Durchsuche Prozess 'QLBCtrl.exe' - '58' Modul(e) wurden durchsucht
Durchsuche Prozess 'DpAgent.exe' - '53' Modul(e) wurden durchsucht
Durchsuche Prozess 'Dropbox.exe' - '71' Modul(e) wurden durchsucht
Durchsuche Prozess 'HPTouchSmartSyncCalReminderApp.exe' - '70' Modul(e) wurden durchsucht
Durchsuche Prozess 'SeaPort.exe' - '48' Modul(e) wurden durchsucht
Durchsuche Prozess 'RichVideo.exe' - '24' Modul(e) wurden durchsucht
Durchsuche Prozess 'PsiService_2.exe' - '22' Modul(e) wurden durchsucht
Durchsuche Prozess 'HPDrvMntSvc.exe' - '19' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '30' Modul(e) wurden durchsucht
Durchsuche Prozess 'GCalService.exe' - '36' Modul(e) wurden durchsucht
Durchsuche Prozess 'avguard.exe' - '69' Modul(e) wurden durchsucht
Durchsuche Prozess 'armsvc.exe' - '25' Modul(e) wurden durchsucht
Durchsuche Prozess 'sched.exe' - '48' Modul(e) wurden durchsucht
Durchsuche Prozess 'TabTip32.exe' - '19' Modul(e) wurden durchsucht
Durchsuche Prozess 'DpHostW.exe' - '70' Modul(e) wurden durchsucht

Der Suchlauf über die Masterbootsektoren wird begonnen:
Masterbootsektor HD0
[INFO] Es wurde kein Virus gefunden!
Masterbootsektor HD1
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf über die Bootsektoren wird begonnen:
Bootsektor 'C:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'D:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'E:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'G:\'
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf auf Verweise zu ausführbaren Dateien (Registry) wird begonnen:
Die Registry wurde durchsucht ( '869' Dateien ).


Der Suchlauf über die ausgewählten Dateien wird begonnen:

Beginne mit der Suche in 'C:\'
C:\HP\Bin\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
Beginne mit der Suche in 'D:\' <RECOVERY>
Beginne mit der Suche in 'E:\' <HP_TOOLS>
Beginne mit der Suche in 'G:\' <Expansion Drive>

Beginne mit der Desinfektion:
C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
[WARNUNG] Die Datei wurde ignoriert.
C:\HP\Bin\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
[WARNUNG] Die Datei wurde ignoriert.


Ende des Suchlaufs: Freitag, 21. Oktober 2011 12:25
Benötigte Zeit: 1:39:47 Stunde(n)

Der Suchlauf wurde vollständig durchgeführt.

36400 Verzeichnisse wurden überprüft
668484 Dateien wurden geprüft
2 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden als verdächtig eingestuft
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
0 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt
0 Dateien konnten nicht durchsucht werden
668482 Dateien ohne Befall
3585 Archive wurden durchsucht
2 Warnungen
0 Hinweise
559722 Objekte wurden beim Rootkitscan durchsucht
0 Versteckte Objekte wurden gefunden



#48
October 21, 2011 at 19:37:24

majamee,

On your comments:

1. "For some programs, I still cannot find the .exe in their folders..."

Programs for which there is no .exe in their folder are candidates for a reinstall.

However, before doing so, viewing of hidden file extensions needs to be enabled (MS disables it by default).
How to show hidden files in Windows 7:
http://www.bleepingcomputer.com/tut...

Also, check any program subfolders for .exe files.

2. "When the .exe is found, right-clicking on it and selecting "create shortcut", creates a
shortcut (icon) in the same folder, and cannot copy any link..."

Did you follow the instructions in Post #41 step by step?
There is an example on how to restore the shortcut for Avast!.

Basically:

•Open Windows Explorer, navigate to 'X Program' folder in Program Files
'X Program' = which ever program you are restoring

•Right click on the 'X Program' .exe file, click 'Create shortcut'

•Copy that shortcut, and, go back to Start menu.

•Right click on 'X Program', and click 'Paste'

•You'll see the 'X Program' shortcut recreated and replacing (empty) entry.

Alternatively....
...paste the shortcut in:

(Vista/7) - C:\Program Data\Start Menu\Programs\'X Program'

3. "In "All Programs", all program links show as [empty]."
Microsoft Windows 7 Home Premium

How to Restore Missing Default Shortcuts in the Windows 7 Start Menu
http://www.sevenforums.com/tutorial...

4. "Also, I do not have the entry "Run" in the Start menu..."

There is no 'Run' command in Windows 7...
You can get to the 'Run' dialog by hitting the 'Windows orb' key and 'R' simultaneously on the keyboard.

Otherwise, you can re-enable the Run command by right-clicking on Start > Properties > Customize
Check the 'Run command' on the list.

Looking at the AntiVir report now....will post back shortly.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#49
October 21, 2011 at 20:01:01

On the first Avira/AntiVir entry:

C:\Qoobox\Quarantine\C\ProgramData\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
[WARNUNG] Die Datei wurde ignoriert.

The above exists in the ComboFix Quarantine area, and we will clear that out:

This next step is important, as it implements important cleanup procedures, resets your
System Restore by flushing out previous restore points (which may contain infections),
and creates a new Restore Point.

Click 'Start' 'R', and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

ComboFix will uninstall itself from your computer and remove its backups and quarantined files.

When it finishes, you see a dialog box stating that ComboFix is uninstalled.

You can now delete the ComboFix program icon from your Desktop, if still there.

Also remove any programs we have used, and their related reports or folders.

Make sure you also re-enable your security software!

On the second Avira/AntiVir entry:

C:\HP\Bin\EndProcess.exe APPL/KillApp.A
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
[WARNUNG] Die Datei wurde ignoriert.


The EndProcess.exe file can be used to end/kill processes; it is a tool which can be used for good or evil purposes, but the AV can't determine intent.

The file is installed by HP, and, it is a tool used when doing an HP restore, etc.

It is best to just exclude it from your AV scans.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals

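The two-entry triage in posts #47 and #49 (a [FUND] sitting inside ComboFix's Qoobox quarantine versus an APPL/ detection on a vendor-supplied tool) can be automated by parsing the AntiVir report format quoted above. This is an added example, not code from this thread, Avira or ComboFix; the sample report is constructed from the lines quoted in post #47, and the category names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Avira AntiVir Personal report format quoted in the thread:
# a path line, a [FUND] line naming the signature and, in the disinfection section,
# a [WARNUNG] line stating what was done with the file.
SAMPLE_REPORT = """\
Beginne mit der Suche in 'C:\\'
C:\\HP\\Bin\\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
C:\\Qoobox\\Quarantine\\C\\ProgramData\\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1

Beginne mit der Desinfektion:
C:\\Qoobox\\Quarantine\\C\\ProgramData\\6DSS92c31Apgjk.exe.vir
[FUND] Ist das Trojanische Pferd TR/Gendal.kdv.371931.1
[WARNUNG] Die Datei wurde ignoriert.
C:\\HP\\Bin\\EndProcess.exe
[FUND] Enthält Erkennungsmuster der Anwendung APPL/KillApp.A
[WARNUNG] Die Datei wurde ignoriert.

2 Viren bzw. unerwünschte Programme wurden gefunden
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")  # full path of a detected file
FUND_RE = re.compile(r"^\[FUND\]\s+.*?(?P<sig>[A-Z]{2,5}/\S+)\s*$")
WARN_RE = re.compile(r"^\[WARNUNG\]\s+(?P<text>.*)$")
SUMMARY_RE = re.compile(r"^(\d+) Viren bzw\. unerwünschte Programme wurden gefunden")

@dataclass
class Finding:
    path: str
    signature: str
    action: Optional[str] = None  # text of the [WARNUNG] line, if any

    @property
    def category(self) -> str:
        low = self.path.lower()
        if "\\qoobox\\quarantine\\" in low or low.endswith(".vir"):
            # Already neutralised by ComboFix; cleared by 'ComboFix /uninstall'
            return "combofix-quarantine"
        if self.signature.startswith("APPL/"):
            # Dual-use application: confirm origin (vendor, install path) by hand
            return "dual-use-application"
        return "active-malware"

def parse_report(text: str) -> Dict[str, Finding]:
    """Findings keyed by path; the disinfection section repeats each path, so a
    later [WARNUNG] line only updates the recorded action."""
    findings: Dict[str, Finding] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
        elif (m := FUND_RE.match(line)) and current:
            findings.setdefault(current, Finding(current, m.group("sig")))
        elif (m := WARN_RE.match(line)) and current in findings:
            findings[current].action = m.group("text")
    return findings

def reported_count(text: str) -> Optional[int]:
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line.strip()):
            return int(m.group(1))
    return None

def triage(text: str) -> List[dict]:
    findings = parse_report(text)
    total = reported_count(text)
    if total is not None and total != len(findings):  # cross-check against summary
        raise ValueError(f"summary reports {total} detections, parsed {len(findings)}")
    return [{"path": f.path, "signature": f.signature, "category": f.category,
             "still_present": bool(f.action and "ignoriert" in f.action)}
            for f in findings.values()]
```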
