Topic: [INACTIVE] PC goes Standby and runs Windows Calculator by itself

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Site Help Desk - Support Department; Midlands, UK)
Just one other point.
If the keyboard is connected by Wi-Fi..... you may get a conflict with other Wi-Fi-enabled appliances in the house.

Lollle (topic starter)
Okay,
so I increased it. I have no screen saver set and yes, I have a tower PC.

I'll try your suggestion to use another keyboard. However, this might take me some time, because I have no second keyboard right now. I'll post another answer when I've got one and tested it.

Thank you

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Quote
Turn off the display.... 10 mins
Put the computer to sleep.... 30 mins

There's no harm in increasing these a bit.

Do you have a screen saver set?
If so, how long before it kicks in?

Am I right in thinking this is a tower type PC and not a laptop?
I had all sorts of strange problems about a year ago. Someone suggested to me to try a different keyboard....
and it worked!
Seems a dodgy keyboard can cause all sorts of problems.
If you have a spare one, no harm in trying it.

Lollle (topic starter)
Hey Starbuck,

my plan is set to balanced (recommended)
and the settings are set to:
Turn off the display.... 10 mins
Put the computer to sleep.... 30 mins

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle

Let's check the Power Saving settings on your system:

Right click on the Desktop.
Click Personalize.
Click the Screen Saver icon at the bottom.
Under Power Management section, click Change Power Settings.
You should now see a screen like this:



Mine is set for 'Balanced (Recommended)'
what is yours set to?

If you click on Change Plan Settings, you will see a screen like this



Mine is set to
Turn off the display.... 30 mins
Put the computer to sleep.... 45 mins


What are your settings?
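
A quicker way to settle whether the power plan's timeout or something else is putting the PC to sleep, as an added example that is not part of the original thread: Windows records each sleep transition in the System event log as Microsoft-Windows-Kernel-Power event 42, whose description ends with a "Sleep Reason" line, and `powercfg /lastwake` names whatever woke the machine afterwards. The Python below parses that event text. SAMPLE_EVENTS is a constructed stand-in for `wevtutil qe System /f:text` output (not data from the poster's PC), and the HINTS mapping is the editor's reading of the common reason strings, not Microsoft documentation.

```python
"""Why did the PC go to sleep? Read the Kernel-Power sleep events.

Added example for the thread, not a Microsoft tool. Every sleep
transition is logged in the System event log as
Microsoft-Windows-Kernel-Power event 42; its description ends with a
"Sleep Reason:" line ("System Idle" for the power-plan timeout,
"Button or Lid" for a sleep button/key, "Application API" for software).
SAMPLE_EVENTS is a constructed stand-in for `wevtutil qe System /f:text`
output, not data from the original poster's machine.
"""
import re
import subprocess
import sys

# XPath filter wevtutil understands: Kernel-Power, event ID 42 only.
KERNEL_POWER_SLEEP = "*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and EventID=42]]"

# What each reason points at when nobody asked the PC to sleep (editor's assumption).
HINTS = {
    "System Idle": "idle timeout of the active power plan (compare `powercfg /query`)",
    "Button or Lid": "sleep button, lid switch, or a keyboard/remote sending the Sleep key",
    "Application API": "a program requested sleep; check scheduled tasks and running software",
}

# Constructed sample in the shape of `wevtutil qe System /f:text` output.
SAMPLE_EVENTS = """Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2013-05-13T18:40:12.000
  Event ID: 42
  Level: Information
  Computer: EXAMPLE-PC
  Description:
The system is entering sleep.

Sleep Reason: Button or Lid

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2013-05-12T23:05:44.000
  Event ID: 42
  Level: Information
  Computer: EXAMPLE-PC
  Description:
The system is entering sleep.

Sleep Reason: System Idle
"""

# One "Event[n]:" record up to the next record header or end of text.
EVENT_RE = re.compile(r"Event\[\d+\]:\n(?P<body>.*?)(?=\nEvent\[\d+\]:|\Z)", re.S)


def parse_sleep_events(text):
    """Return [(timestamp, reason), ...] in the order the events appear."""
    events = []
    for m in EVENT_RE.finditer(text):
        body = m["body"]
        date = re.search(r"^\s*Date:\s*(\S+)", body, re.M)
        reason = re.search(r"^Sleep Reason:\s*(.+?)\s*$", body, re.M)
        events.append((date.group(1) if date else "?",
                       reason.group(1) if reason else "unknown"))
    return events


def explain(reason):
    """Human hint for a sleep reason string."""
    return HINTS.get(reason, "see the full event text")


def live_sleep_events(count=10):
    """Newest `count` sleep events from the local System log (Windows only)."""
    out = subprocess.run(
        ["wevtutil", "qe", "System", "/q:" + KERNEL_POWER_SLEEP,
         "/f:text", f"/c:{count}", "/rd:true"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_sleep_events(out)


def last_wake():
    """Device or timer that last woke the machine (Windows only)."""
    return subprocess.run(["powercfg", "/lastwake"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    events = live_sleep_events() if on_windows else parse_sleep_events(SAMPLE_EVENTS)
    for stamp, reason in events:
        print(f"{stamp}  {reason:<16} -> {explain(reason)}")
    if on_windows:
        print(last_wake())
```

Run it on the affected machine and it queries the real log; anywhere else it falls back to the constructed sample. "System Idle" means the plan's timeout fired, so raising the timeouts would help; "Button or Lid" means a sleep button or key was pressed, which is what a multimedia keyboard with Sleep and Calculator keys would produce if it were misfiring, and is a reason to try another keyboard before looking further at the power plan.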

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle

Quote
I guess most of them are some cracks again.

Yes, it would seem so.
At least they have all been removed now.
Downloading cracks/keygens is a very bad practice; they will only harm your system (plus... very illegal).

Quote
More bad news: my PC went Standby again and muted itself yesterday.

I will have to try and look into this a bit more.
I can't see that it's malware related.
It must either be a setting somewhere or a software/hardware problem.
I'll see if I can dig up anything.

Lollle (topic starter)
Hello Starbuck,

it took me a while to do the scan, because I didn't have both external hard disks at home at the same time. So I ran two scans. The first didn't find anything, but the second had four hits. I guess most of them are some cracks again. I might have forgotten to run the crack scan with my external hard disk ("E") plugged in, so I ran the CKScanner again, but it gave me almost the same output as last time.

Here are the scans:

2nd ESET:
E:\Images\gespielt\fifa 11.iso   a variant of Win32/Packed.VMProtect.AAD trojan   deleted - quarantined
E:\Images\noch nicht gespielt\Assassins.Creed.III-SKIDROW\AC3-rld_CRACKONLY\Assassins.Creed.III.Proper-RELOADED_CRACKONLY\ubiorbitapi_r2_loader.dll   a variant of Win32/Packed.VMProtect.AAD trojan   deleted - quarantined
E:\Images\noch nicht gespielt\Batman Archam City\sr-bacgoty.iso   multiple threats   deleted - quarantined
E:\Spiele\c&c generals\Cracks und Mods\Mini Server.zip   probably a variant of Win32/Agent.DZSLDTE trojan   deleted - quarantined

And the CKScan:
CKScanner 2.3 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.GFCPNL
 ----- EOF -----


More bad news: my PC went Standby again and muted itself yesterday. My "E" drive wasn't even plugged in. Today I got my "E" drive plugged in again and nothing happened so far.


Thanks for your help

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle

Quote
This seems okay, does it?


Yes, it's showing that there are no cracks/keygens recorded as being on your system.

I take it that the 'E' drive is the external drive you checked?
Quote
E:\Lan\Battlefield 1942\EA.GAMESMultiKeygen97.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4-keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\Crack\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\warcraft 3 new ver\TeknoGods_MW2SP.exe (Backdoor.Agent.Gen) -> Quarantined and deleted successfully.
E:\quarantaene\.Trash-999\files\Alcohol.120%\AutoLoader_AxLaUn.exe (Trojan.ExploitDrop.BV) -> Quarantined and deleted successfully.
E:\quarantaene\Spiele\Rock of Ages\TDU2k.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.
E:\Spiele\LIMBO\TDU.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.


If so, this will explain why the malware seemed to return.
There were infected files on the drive.
Downloading Cracks/Keygens is always a sure way to get yourself infected.
This is one of the main reasons that these files are free!!

Quote
I still find it weird that all the MBAM scans I ran before formatting my HD didn't find any of these infections.


Normally people run the 'quick scan'.... which is normally enough to check the main drive.
But a quick scan won't check any other drives.... only the 'Full scan' will.
So the previous scans may have been run as a 'quick scan'.
Do you understand what I am trying to say?
This would explain why those files didn't show up before.

I'd like to just run a double check on your system before we finish.

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

  • Click the button.

  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Click , and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the button.
  • Click
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Note:
It has been found that on some systems ESET's Online Scan fails during the database download (at around 20%).
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology




Please let me have a copy of the removed files..... if any.

Thanks
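
To make the quick-scan versus full-scan point above concrete, here is an added example (not from the thread and not a Malwarebytes tool) that parses the detection lines of an MBAM 1.x log and counts them per drive letter. The sample lines are the eight detections from the full-scan log posted in this thread, kept in their German form to show the parser does not depend on the locale of the action text; the assumption that a quick scan covers only the system drive C: is the example's own.

```python
"""Per-drive breakdown of Malwarebytes (MBAM 1.x) detections.

Added example for the thread, not a Malwarebytes tool. The sample log
lines are copied from the full-scan log posted in the thread (German
locale); the parser keys on the "<path> (<threat>) -> <action>" syntax,
so the locale of the action text does not matter.
"""
import re
from collections import Counter

# One detection line:  <path> (<threat name>) -> <action text>.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$"
)
# Scan-scope header, e.g. "Vollständiger Suchlauf (C:\|E:\|)" or "Full scan (C:\|E:\|)".
SCOPE_RE = re.compile(r"\((?:[A-Za-z]:\\\|)+\)")

# Lines copied from the log in the thread (constructed excerpt, not the whole log).
SAMPLE_LOG = r"""
Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|)
Infizierte Dateien: 8
E:\Lan\Battlefield 1942\EA.GAMESMultiKeygen97.exe (RiskWare.Tool.CK) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4-keygen.exe (Trojan.Agent.CK) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\Crack\rzr-cod4.exe (Trojan.Agent.CK) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\Lan\warcraft 3 new ver\TeknoGods_MW2SP.exe (Backdoor.Agent.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\quarantaene\.Trash-999\files\Alcohol.120%\AutoLoader_AxLaUn.exe (Trojan.ExploitDrop.BV) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\quarantaene\Spiele\Rock of Ages\TDU2k.exe (Packer.ModifiedUPX) -> Erfolgreich gelöscht und in Quarantäne gestellt.
E:\Spiele\LIMBO\TDU.exe (Packer.ModifiedUPX) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)
"""


def parse_detections(log_text):
    """Return a list of dicts (drive, path, threat, action), one per detection line."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({
                "drive": m["path"][0].upper(),
                "path": m["path"],
                "threat": m["threat"],
                "action": m["action"],
            })
    return found


def scanned_drives(log_text):
    """Drive letters named in the scan-type header (empty if the header is absent)."""
    m = SCOPE_RE.search(log_text)
    return re.findall(r"([A-Za-z]):\\\|", m.group(0)) if m else []


def detections_by_drive(log_text):
    """Counter of detections keyed by drive letter."""
    return Counter(d["drive"] for d in parse_detections(log_text))


def threat_summary(log_text):
    """Counter of detections keyed by threat name."""
    return Counter(d["threat"] for d in parse_detections(log_text))


def missed_by_quick_scan(log_text, system_drive="C"):
    """Detections a quick scan would not have seen.

    Assumption for this example: a quick scan only looks at the system
    drive, so anything on another drive letter (an external disk, say)
    is out of its scope.
    """
    return [d for d in parse_detections(log_text) if d["drive"] != system_drive.upper()]


if __name__ == "__main__":
    print("scanned drives:", scanned_drives(SAMPLE_LOG))
    print("detections per drive:", dict(detections_by_drive(SAMPLE_LOG)))
    print("threat names:", dict(threat_summary(SAMPLE_LOG)))
    missed = missed_by_quick_scan(SAMPLE_LOG)
    total = len(parse_detections(SAMPLE_LOG))
    print(f"{len(missed)} of {total} detections lie outside a C:-only quick scan")
```

Against the thread's log every one of the eight detections is on E:, so a scan that never touched E: would have reported a clean system, which is exactly the "why didn't earlier scans find these" question answered above.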

Lollle (topic starter)
Hey Starbuck,

here you go:

CKScanner 2.3 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.SWAAAH
 ----- EOF -----


This seems okay, doesn't it?

Thanks

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle

Glad to hear that the system is running ok now.
We should check that all of the cracks/Keygens have gone.

Download CKScanner
 
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file has been saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Thanks

Lollle (topic starter)
Hello again,

so, I ran two scans. The first (and more interesting one, I guess) was made before my trip and found some cracks and keygens. I deleted all of the infected programs and games and ran another scan including my other external HD as well. So far I have had no further problems and my system is running fine, I think.
I still find it weird that all the MBAM scans I ran before formatting my HD didn't find any of these infections.


Here are the logs (unfortunately in German):

Malwarebytes Anti-Malware 1.75.0.1300
http://www.malwarebytes.org

Database version: v2013.05.15.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Thorben :: THORBEN-PC [Administrator]

15.05.2013 22:46:45
mbam-log-2013-05-15 (22-46-45).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 452522
Time elapsed: 1 hour(s), 36 minute(s), 54 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 0
(No malicious items detected)

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 8
E:\Lan\Battlefield 1942\EA.GAMESMultiKeygen97.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4-keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\CoD\Call of Duty 4 - Modern Warfare\Crack\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Lan\warcraft 3 new ver\TeknoGods_MW2SP.exe (Backdoor.Agent.Gen) -> Quarantined and deleted successfully.
E:\quarantaene\.Trash-999\files\Alcohol.120%\AutoLoader_AxLaUn.exe (Trojan.ExploitDrop.BV) -> Quarantined and deleted successfully.
E:\quarantaene\Spiele\Rock of Ages\TDU2k.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.
E:\Spiele\LIMBO\TDU.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.

(end)



Malwarebytes Anti-Malware 1.75.0.1300
http://www.malwarebytes.org

Database version: v2013.05.15.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16576
Thorben :: THORBEN-PC [Administrator]

22.05.2013 10:52:50
mbam-log-2013-05-22 (10-52-50).txt

Scan type: Full scan (C:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 426266
Time elapsed: 2 hour(s), 47 minute(s), 42 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 0
(No malicious items detected)

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 0
(No malicious items detected)

(end)


I hope this will be all.


Sincerely

Lolle

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
PM received from Lollle today.
She's had to go away for a short time and will continue when she returns.

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle

Quote
Unfortunately it is in German and I don't think it will help you much


I had to run it through 'Google Translate'.... but I think I got the gist of things.

Quote
The Spyware Terminator, yeah. I just installed it today to run a quick scan, but it didn't find anything. I probably should uninstall it again, though it hasn't caused any trouble yet.


Yes, it is best to remove it..... it may cause problems later.

As you have performed a reinstall..... any malware would have been removed from the hard drive.
But if any malware had been saved or transferred to the external hard drive.... this could well find its way back onto the system.

Quote
I unplugged my external hard disk and so far none of the problems appeared, coincidence?


We can check your external hard drive for malware.

Now reconnect the external hard drive to your PC.

Please update MBAM and run a Full scan: (when running a full scan all drives will be checked... including any external drives that are attached)

Start MBAM
Click on the Update tab



Click Check for Updates

The latest Database Version is: v2013.05.15.10

If it says that MBAM needs to close to update it... let it close and then restart.

  • Select the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
Don't forget:
Quote
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please submit: 
New MBAM scan report
and then we'll go from there.


Thanks.

Lollle (topic starter)
Alright,

here is the link to the other forum:    goo.gl/85JMg
Unfortunately it is in German and I don't think it will help you much, since there are only 5 answers and 3 of them are just telling me I have to delete some cracks before they will help me, which I did. The one kind of useful post said that I have some malware that steals my passwords as well as an old BKA/GEMA/GVU Trojan (not sure if that helps). Furthermore he advises me to format my hard disk. I did this as well. Then the thread was closed.

The Spyware Terminator, yeah. I just installed it today to run a quick scan, but it didn't find anything. I probably should uninstall it again, though it hasn't caused any trouble yet.

Here is the OTL Extra.txt:

OTL Extras logfile created on: 14.05.2013 18:42:37 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Thorben\Downloads
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 1,64 Gb Available Physical Memory | 54,69% Memory free
5,99 Gb Paging File | 3,88 Gb Available in Paging File | 64,80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465,66 Gb Total Space | 439,23 Gb Free Space | 94,32% Space Free | Partition Type: NTFS
 
Computer Name: THORBEN-PC | User Name: Thorben | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0991E4ED-9CA0-470B-B5D2-B8EA6CD2DF24}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{0B120475-3F3F-453F-875B-E2A584FA04B4}" = rport=139 | protocol=6 | dir=out | app=system |
"{116E2C83-0B29-435E-980C-35932A12B4F3}" = rport=10243 | protocol=6 | dir=out | app=system |
"{29576146-FDA9-4585-89CC-EBCFCEA685EA}" = lport=10243 | protocol=6 | dir=in | app=system |
"{3D0CCFA6-0F33-49A5-BFFB-C6EE5442658B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{49A23CE6-23ED-42A7-A575-A98FBD528649}" = rport=445 | protocol=6 | dir=out | app=system |
"{53F025E6-A6CF-4D8E-B500-AA476F919102}" = lport=139 | protocol=6 | dir=in | app=system |
"{545E27AA-1DA7-4B49-BCB6-C4ECE0E34415}" = lport=445 | protocol=6 | dir=in | app=system |
"{56E972A7-B1B8-41DF-9BA1-3FC1C0A2A4D1}" = rport=138 | protocol=17 | dir=out | app=system |
"{628EE93C-A069-4416-9E18-C7A2CEEBFC4A}" = lport=137 | protocol=17 | dir=in | app=system |
"{6B496982-39A6-43D3-BF7C-8C1FA96C45F5}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7826122C-B788-42A7-9A0C-6306B65B77E6}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A8CBB477-DCDE-4C7B-857E-6A8E4F5282E9}" = lport=138 | protocol=17 | dir=in | app=system |
"{AF4B2DDC-1844-411F-9D8E-0388A0C9543B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{BE3D93B0-2821-4B33-B861-42EC2FD24244}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C41025E9-E789-4605-86A6-F5355548AD4B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C88C92F4-6D32-4DDC-99E9-8178C00D5D26}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{DDF1B69D-57B3-4CBD-AE56-4CD7392EF7A2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E68FCA17-03A7-4247-9869-AA8FD82280A6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F9441E0E-C98F-4366-BF9B-0400C39F95B6}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{FBE94340-D70A-4414-A538-718690CB407F}" = rport=137 | protocol=17 | dir=out | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{14EF50E4-6903-40E6-8517-3D2F3F3A14DA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{24892893-F60A-4785-9844-EDD9C802CFB5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{2B8323BA-96E8-4C4C-9B84-353D9E303307}" = protocol=6 | dir=in | app=c:\program files\spyware terminator\spywareterminatorupdate.exe |
"{35FE2D04-0CEB-4D20-B8C5-3FE03AAF3EE4}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{3769880B-DD5B-42B4-93CB-196179657347}" = protocol=6 | dir=in | app=c:\program files\spyware terminator\spywareterminator.exe |
"{3A4CB67E-2DC4-4421-B94E-C75282DA7858}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{47903D00-2350-463D-98D7-E992C9166635}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{5B28B6EB-F7F0-4FDF-8AA7-E9BF1647B61B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{632F7DB0-E921-432A-AA91-8301F55AB5E7}" = protocol=17 | dir=in | app=c:\program files\spyware terminator\spywareterminatorupdate.exe |
"{66BA63B0-CE64-4DFD-A272-B2714F4ADA16}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{684220FA-BF24-40FA-806B-72F3723F5048}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{6DD5438A-99D6-4BA4-8941-DC5F96F86385}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{763DAEFC-1AEB-49D3-AD5E-20CAA7067BB9}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{7706F597-4B56-4BB0-8629-61F679D4CE74}" = protocol=17 | dir=in | app=c:\program files\spyware terminator\spywareterminator.exe |
"{7A929258-F3C7-4BF1-8AE7-3B4371393F64}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{828AD143-D534-4A4C-8500-A7C9F48CF7F4}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{853F896D-D3FD-4EE3-8F4C-DEE3EC451B15}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8DA342D2-0672-4A3C-8CEA-402A5C956AFC}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{BDEFDC13-D4E7-4394-AE72-A9DFF72945A9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C6F3FFE6-FC27-4BAD-A0F9-80AF3E7312CA}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{D595F5F6-25DE-416B-BF14-496EE2336373}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E227CD55-866B-4C38-BCBD-23E7B3BFD6A0}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{EF944EC6-A37F-4D7A-9013-852D96D94A27}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{FB182B08-3044-4F9F-8A81-796B91E12946}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FE46E4C3-D67D-461F-88D8-C3E8CA9BDBB2}" = protocol=6 | dir=out | app=system |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B21BB1C-D3C1-56D3-4407-7EFEECA93A9F}" = Catalyst Control Center InstallProxy
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{29869252-8FA3-8A6E-5817-0AB00BB18853}" = AMD AVIVO Codecs
"{2E809E56-7CD0-4815-C253-E5B03F8630FC}" = ccc-utility
"{3371B48C-CA46-97DE-9748-98931E56F0D4}" = Catalyst Control Center Profiles Desktop
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F7A05D4-0253-1611-4563-BA8B2DAFA28A}" = Catalyst Control Center Localization All
"{56736259-613E-4A3B-B428-6235F2E76F44}_is1" = Spyware Terminator 2012
"{62C3CFD3-4B1C-4C8F-8C2E-9B13B66768AB}" = ZyXEL G-220 v2 Wireless Adapter Utility-Programm
"{90157C5D-D791-4D36-8C2B-7553DC01D601}" = ASUS VGA Driver
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{AD612975-0136-455A-0D97-B1A955145185}" = CCC Help German
"{BA0F9EA0-1313-976B-4809-A5535AB8E207}" = HydraVision
"{C889DA3A-6DFE-498A-E2A4-8559478EFF62}" = AMD Accelerated Video Transcoding
"{D1547AA0-FA37-EB04-3099-F2710B90F169}" = Catalyst Control Center
"{D614BF2D-BB61-4A4F-BA09-648AC860C9BE}" = Catalyst Control Center - Branding
"{DEA68BA9-2E17-B419-1049-BBF1529A7E92}" = AMD Catalyst Install Manager
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 20.0.1 (x86 de)" = Mozilla Firefox 20.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Songbird-release-2453" = Songbird 2.2.0 (Build 2453)
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinRAR archiver" = WinRAR 4.20 (32-Bit)
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 09.05.2013 15:20:41 | Computer Name = 37L4247D28-05 | Source = ESENT | ID = 412
Description = Catalog Database (1072) Catalog Database: Unable to read the header of log file
 C:\Windows\system32\CatRoot2\edb.log. Error -546.
 
Error - 09.05.2013 15:20:41 | Computer Name = 37L4247D28-05 | Source = ESENT | ID = 412
Description = Catalog Database (1072) Catalog Database: Unable to read the header of log file
 C:\Windows\system32\CatRoot2\edb.log. Error -546.
 
Error - 09.05.2013 15:20:42 | Computer Name = 37L4247D28-05 | Source = Microsoft-Windows-CAPI2 | ID = 257
Description = The Cryptographic Services service failed to initialize the Catalog Database.
 The ESENT error was: -546.
 
Error - 09.05.2013 15:36:00 | Computer Name = Thorben-PC | Source = VSS | ID = 8194
Description =
 
Error - 13.05.2013 15:02:54 | Computer Name = Thorben-PC | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting with
 Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 109c    Start Time: 01ce500c7242e26f    Termination Time: 2    Application Path:
 C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe    Report Id: b5130dea-bbff-11e2-89a9-00e04c506608

 
[ System Events ]
Error - 09.05.2013 17:20:18 | Computer Name = Thorben-PC | Source = Service Control Manager | ID = 7023
Description = The Windows Modules Installer service terminated with the following error:
 %%16405
 
Error - 09.05.2013 17:21:56 | Computer Name = Thorben-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update with
 error 0x80242016: Update for Windows 7 (KB2703157)
 
Error - 10.05.2013 05:46:15 | Computer Name = Thorben-PC | Source = Microsoft-Windows-Service Pack Installer | ID = 7
Description = The service pack installer could not make changes to an update
 (Update for Microsoft Windows (KB976902)).       Identity:
     Package_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514       Error code:   0x80070bc9
   Target state: 7
 
Error - 10.05.2013 05:46:15 | Computer Name = Thorben-PC | Source = Microsoft-Windows-Service Pack Installer | ID = 8
Description = Service pack installation failed. Error code: 0x80070bc9.
 
Error - 13.05.2013 12:57:26 | Computer Name = Thorben-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 18:54:56 on 13.05.2013 was unexpected.
 
Error - 13.05.2013 12:57:33 | Computer Name = Thorben-PC | Source = BugCheck | ID = 1001
Description =
 
 
< End of report >



One last thing... I unplugged my external hard disk and so far none of the problems appeared, coincidence? :-)


Thank You
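
One check a reviewer would run over the "Vista Active Application Exception List" section of an Extras.txt like the one above, as an added example (not OTL's own functionality and not from the thread): list every inbound firewall exception granted to a program outside Windows, since each such rule lets the network reach that program, and list which local ports the inbound rules pin. The sample lines are copied from the log above; the "is this a Windows component" heuristic is the example's own and is only a triage aid.

```python
r"""Flag inbound firewall exceptions for third-party programs in an OTL Extras.txt.

Added example for the thread, not an OTL feature. OTL lists every rule
under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
as  "{GUID}" = key=value | key=value | ...  Inbound (dir=in) allow rules
for programs outside Windows deserve a second look on a misbehaving
machine. The sample lines are copied from the log posted in the thread.
"""
import re

RULE_RE = re.compile(r'^"(?P<guid>\{[0-9A-Fa-f-]+\})" = (?P<fields>.*)$')
PROTO = {"1": "icmpv4", "6": "tcp", "17": "udp", "58": "icmpv6"}

# Rule lines copied from the thread's log (constructed excerpt, not the whole section).
SAMPLE_RULES = r"""
"{2B8323BA-96E8-4C4C-9B84-353D9E303307}" = protocol=6 | dir=in | app=c:\program files\spyware terminator\spywareterminatorupdate.exe |
"{35FE2D04-0CEB-4D20-B8C5-3FE03AAF3EE4}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{47903D00-2350-463D-98D7-E992C9166635}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{5B28B6EB-F7F0-4FDF-8AA7-E9BF1647B61B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{66BA63B0-CE64-4DFD-A272-B2714F4ADA16}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{8DA342D2-0672-4A3C-8CEA-402A5C956AFC}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{545E27AA-1DA7-4B49-BCB6-C4ECE0E34415}" = lport=445 | protocol=6 | dir=in | app=system |
"{3D0CCFA6-0F33-49A5-BFFB-C6EE5442658B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"""


def parse_rules(text):
    """Return [(guid, {field: value}), ...] for every rule line in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for part in m["fields"].split("|"):
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key.strip().lower()] = value.strip()
        rules.append((m["guid"], fields))
    return rules


def is_windows_component(app):
    """Heuristic (example's own): the kernel ('system'), anything under
    %systemroot%, and Windows' own %programfiles%\\windows ... directories."""
    a = app.lower()
    return (a == "system" or a.startswith("%systemroot%")
            or a.startswith("%programfiles%\\windows "))


def inbound_third_party(text):
    """(guid, app, protocol, local port) for inbound rules on non-Windows programs."""
    hits = []
    for guid, f in parse_rules(text):
        if f.get("dir") != "in" or "app" not in f or is_windows_component(f["app"]):
            continue
        hits.append((guid, f["app"],
                     PROTO.get(f.get("protocol", ""), "any"),
                     f.get("lport", "any")))
    return hits


def inbound_ports(text):
    """Sorted (port, protocol, owner) for inbound rules that pin a local port."""
    ports = set()
    for _, f in parse_rules(text):
        if f.get("dir") == "in" and "lport" in f:
            owner = f.get("svc") or f.get("app", "?")
            ports.add((f["lport"], PROTO.get(f.get("protocol", ""), "any"), owner))
    return sorted(ports)


if __name__ == "__main__":
    for guid, app, proto, port in inbound_third_party(SAMPLE_RULES):
        print(f"inbound {proto:<5} port {port:<4} -> {app}   ({guid})")
    for port, proto, owner in inbound_ports(SAMPLE_RULES):
        print(f"listening exception: {proto}/{port} owned by {owner}")
```

Paste the whole "Vista Active Application Exception List" and "Open Ports Exception List" sections in place of SAMPLE_RULES to run it over a real log. A hit is not proof of anything by itself; it is a program the owner should be able to name and explain, and an inbound rule for a product that is about to be uninstalled (Spyware Terminator here) should disappear with it.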

Starbuck

  • Site Owner
  • *
  • Offline Offline
  • location: Midlands. UK
  • Posts: 3408
  • .: Leader Malware Analysis & Removal Team
  • -: Site Help Desk - Support Department
    • WWW
Hi Lollle and welcome to Smokeys.

Quote
Please excuse my grammar as English isn't my first language (I am from Germany).

Not a problem.
I'm sure we'll be able to understand one another.

Please post the reports whenever possible ( instead of adding attachments ) it makes reading/checking them a lot easier.
Thanks.

Unfortunately the 'Extras.txt' is empty.
Could you please post this again.

Quote
I've already asked for help in another forum, posted an OTL log, overwrote my MBR, tried to save my data onto my external hard disk, checked the "autorun.inf", as I was told, and finally reformatted my internal hard disk.

Could you please post a link to your thread at the other forum.
Looking at the case from the beginning may make things easier to understand.

You seem to be running the version of Spyware Terminator that contains an antivirus.
SRV - (ST2012_Svc) -- C:\Programme\Spyware Terminator\st_rsser.exe (Crawler.com)

It is not recommended that you have more than one antivirus product installed and running on your computer at a time. If both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
You need to remove either Avast or Spyware Terminator.

I have never heard of an infection that turns on the Calculator before....
But I'll reserve judgement until you have posted the following:

Link to original thread on another forum.
Extras.txt

Thanks
 

Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved