Little Christmas gift



Zwiberberg
2007-12-25, 12:57
:santa: Hello Spybot team,

Apparently I made one click too many on the internet and caught a nice trojan virus.
Some suspicious things are meanwhile going on on my PC, like windows popping up which I never had before ("Changes of desktop and other unusual system settings"), and suspicious files and add-ons which cannot be removed and magically keep appearing again, like a file named yayawuv.dll or pmnli.exe and pmnli.dll etc.
All happening under the "strong watch" of my standard Norton Internet Security package, without any notice that something is obviously going wrong on my PC.
Meanwhile I am convinced that I cannot solve the problem without your help.
So, I have prepared a recent Spybot log file, made Kaspersky's online scan (with disastrous results) and also generated a HJT log according to your guidelines on this forum.
Do you want me to post the 3 log files or send them via email?
Looking forward to your help, hoping to find a workaround for the problem without making a complete new setup of my PC.

I wish the whole Spybot team wonderful Christmas days and hope to hear from you soon, to get this issue on my PC somehow resolved.

Many thanks in advance :red:

Zwiberberg

__RiP_ChAiN_
2007-12-25, 18:12
Hello Zwiberberg,

Please go ahead and post the logs that have been created, I will take a look at them for you :)

Zwiberberg
2007-12-25, 19:32
Hello Rip Chain,

Due to the length limitation (20,000 characters) and the fact that the logs have a total length of over 220,000 characters, please find the log files as a .zip attachment:


Hope you are able to work with them.
Looking forward to your advice :alien:,
best regards

Zwiberberg

__RiP_ChAiN_
2007-12-26, 04:45
Hello Zwiberberg,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or HERE (http://subs.geekstogo.com/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Zwiberberg
2007-12-26, 09:39
Good morning Rip Chain,

not the best start to the day:

I started working down the activity list:

Open HijackThis, click Config, click Misc Tools --> OK
Click "Open Uninstall Manager" --> OK
Click "Save List" (generates uninstall_list.txt)
and here the trouble starts already:
:sad: the list has not been generated nor saved to my PC (I have searched all files incl. hidden files...). The best I can offer is a screenshot of the result of the HJT overview.
Or do you have other suggestions?

Do you want me to run ComboFix anyway?

I am going to ride my bike for an hour and then I am back for further instructions,

Best regards

Zwiberberg

Zwiberberg
2007-12-26, 09:51
Hello Rip Chain,

one more piece of information from today:
Yesterday I was updating/adding protection tools for my PC.
This morning I got a continued message from SpywareGuard that a BHO has been added (pmnli.dll, the file which I already mentioned in my first post).
Unfortunately the "Remove BHO" button did not work; the message keeps popping up.

I have attached the screenshot of the message for further orientation.

Saludos
Zwiberberg

__RiP_ChAiN_
2007-12-26, 18:19
Hello Zwiberberg,

Thanks for the update, please go ahead and move on to the running of combofix now :)

Zwiberberg
2007-12-27, 00:01
Hello Rip Chain,

got ComboFix completed and ran new logs as attached:

(also included the latest SpywareGuard log, after my PC was rebooted.)
Overall it looks to me like the yayawuv.dll is still there and now working together with a mllmn.dll/.exe file instead of the pmnli.dll/.exe.

But I had better wait for your professional analysis instead of speculating:

ComboFix Log:

ComboFix 07-12-21.4 - Jens 2007-12-26 22:40:33.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.608 [GMT 1:00]
Run from: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\PerfInfo
F:\WINDOWS\PerfInfo\G6iVJdF8c7uc.exe
F:\WINDOWS\PerfInfo\G6iVJdF8c7ud.exe
F:\WINDOWS\system32\ilnmp.ini
F:\WINDOWS\system32\ilnmp.ini2
F:\WINDOWS\system32\pmnli.dll

.
((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 ))))))))))))))))))))))))))))))
.

2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 16:00 . 2007-12-24 16:00 326,656 --a------ F:\WINDOWS\system32\RCX29.tmp
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 08:19 . 2007-12-24 08:19 326,656 --a------ F:\WINDOWS\system32\RCX36.tmp
2007-12-24 08:19 . 2007-12-24 08:19 1,024 --a------ F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
2007-12-24 08:15 . 2007-12-24 08:15 2,048 --a------ F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-26 22:44 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-24 02:02 . 2007-12-24 16:42 <DIR> d-------- F:\VundoFix Backups
2007-12-23 18:39 . 2007-12-23 18:39 326,656 --a------ F:\WINDOWS\system32\RCX43.tmp
2007-12-23 18:39 . 2007-12-24 08:19 15,360 --a------ F:\WINDOWS\system32\ctfmon .exe
2007-12-23 18:30 . 2007-12-24 16:47 143 --a------ F:\WINDOWS\system32\mcrh.tmp
2007-12-23 15:56 . 2007-12-23 15:56 <DIR> d-------- F:\WINDOWS\ppqvmpqr
2007-12-23 15:56 . 2007-12-23 15:56 208,896 --a------ F:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-23 11:51 . 2007-12-23 11:51 39,936 --------- F:\WINDOWS\system32\yayawuv.dll
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ F:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ F:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ F:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ F:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ F:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ F:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ F:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Programme\Free Fire Screensaver
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 09:42 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-26 07:28 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-25 19:51 --------- d-----w F:\Programme\Norton Internet Security
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 17:04 --------- d-----w F:\Programme\iTunes
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-12-06 13:56 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-06 13:56 123,952 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-06 13:56 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-06 13:56 --------- d-----w F:\Programme\Symantec
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-15 20:31 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2007-10-31 12:55 --------- d-----w F:\Programme\Quicken2007
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_16.21.09.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 11:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-10-21 20:40:14 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-10-21 20:40:16 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-26 21:46:42 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_9c0.dat
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6489BD86-DF8B-4A67-900F-8FEADEBFCF34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-01 23:22 116088 --a------ F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" []
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" []
"Polar Sync"="" []
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 08:05]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" []
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" []
"QuickTime Task"="F:\Programme\QuickTime\qttask .exe" []
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" []
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" []
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 LiveUpdate Notice;LiveUpdate Notice;"F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 SymIMMP;SymIMMP;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-31 11:49]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 COH_Mon;COH_Mon;F:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []
S3 SymIM;Symantec Network Security Intermediate Filter Service;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]

*Newly Created Service* - COMHOST
.
Contents of the "Scheduled Tasks" folder
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-12-26 21:37:29 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 22:47:06
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> F:\WINDOWS\system32\yayawuv.dll
.
Completion time: 2007-12-26 22:48:21 - machine was rebooted
.
2007-12-12 14:24:37 --- E O F ---

Zwiberberg
2007-12-27, 00:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:13, on 26.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\msiexec.exe
F:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O4 - Global Startup: Quicken 2007 Zahlungserinnerung.lnk = F:\Programme\Quicken2007\billmind.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 9464 bytes
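A small triage script, added here as an example and not part of this thread or of any of the tools mentioned in it: it parses HijackThis O2/O4 lines and the ShellExecuteHooks section of a ComboFix report and flags the patterns visible in the two logs above (a BHO with no name loading from system32, the same CLSID registered both as a BHO and as a ShellExecuteHook, orphaned BHO registrations, and executables whose file name has a space before the extension). The sample lines are constructed and modelled on the logs posted above; the rules are my own heuristics, not logic from HijackThis, ComboFix or Spybot.

```python
"""Triage of HijackThis / ComboFix text for Vundo-style persistence.

Added example: parses pasted log text (no registry access, runs offline)
and flags patterns seen in the logs in this thread. The rules below are
the example author's own heuristics, not logic from HijackThis or ComboFix.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
"""

# Constructed sample input, modelled on the ComboFix registry section posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]
"""

CLSID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - -?\{(?P<clsid>" + CLSID + r")\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HOOK_HEADER_RE = re.compile(r"^\[.*\\shellexecutehooks\]$", re.IGNORECASE)
HOOK_VALUE_RE = re.compile(r'^"\{(?P<clsid>' + CLSID + r')\}"=\s*(?P<path>.+?)(?:\s+\[[^\]]*\])?$')
# "qttask .exe" next to a legitimate qttask.exe: a space right before the extension.
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(?:exe|dll)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    subject: str   # CLSID or Run-key value name
    path: str      # file or command line involved


def parse_hjt(text):
    """Return ({CLSID: (name, path)} from O2 lines, [(name, cmd)] from O4 lines)."""
    bhos, runs = {}, []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m["name"], m["cmd"]))
    return bhos, runs


def parse_combofix_hooks(text):
    """Return {CLSID: path} from the ShellExecuteHooks block of a ComboFix report."""
    hooks, in_hooks = {}, False
    for line in text.splitlines():
        if line.startswith("["):          # any registry key header switches context
            in_hooks = bool(HOOK_HEADER_RE.match(line))
            continue
        if in_hooks:
            m = HOOK_VALUE_RE.match(line)
            if m:
                hooks[m["clsid"].upper()] = m["path"]
    return hooks


def triage(hjt_text, combofix_text=""):
    """Apply the heuristics and return the list of Findings (empty if nothing fired)."""
    bhos, runs = parse_hjt(hjt_text)
    hooks = parse_combofix_hooks(combofix_text)
    findings = []
    for clsid, (name, path) in bhos.items():
        if path == "(no file)":
            findings.append(Finding("orphaned-bho", clsid, path))
        elif name == "(no name)" and "\\system32\\" in path.lower():
            findings.append(Finding("unnamed-system32-bho", clsid, path))
        if clsid in hooks:   # same COM object hooked into both IE and Explorer
            findings.append(Finding("bho-and-shellexecutehook", clsid, hooks[clsid]))
    for name, cmd in runs:
        if SPACE_BEFORE_EXT_RE.search(cmd):
            findings.append(Finding("space-before-extension", name, cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f"{f.rule:28} {f.subject:40} {f.path}")
```

Run it on a saved HijackThis log and ComboFix report by reading the two files in place of the sample strings. The "orphaned-bho" rule is cleanup-only; the other three are the ones worth looking at first, and a CLSID that shows up both under Browser Helper Objects and under ShellExecuteHooks is exactly how yayawuv.dll appears in the ComboFix output above.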

Zwiberberg
2007-12-27, 00:08
--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:52:34 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:53:10 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: KEEP BHO


Remark regarding the last entry:
SpywareGuard has not been able to terminate the mllmn.dll file; I got a continuing error message which said that!

Hope you will be able to find a fix for the problem.

I'd appreciate getting a reply from you within the next hour or so, so that I can take some action.
Due to the time difference (depending on whether you are on the west or east coast of the USA, I am between 6 and 10 hours ahead of you) I will go to bed in around an hour (midnight).

Best regards
Zwiberberg

Zwiberberg
2007-12-27, 09:29
Hello Spybot team,

"the thing" which is sitting on my PC keeps on changing its face!
I had to reinstall my Norton Internet Security software after my cccommon.dll was no longer available:

After reinstallation I have saved the log.
Norton log:

Scan statistics:
Scan time: 2661
Scan options:
Scan targets: C:, F:
Count:
Total items scanned: 265692
- Files and directories: 263541
- Registry entries: 271
- Processes and startup items: 1745
- Network and browser items: 131
- Other: 4

Total security risks detected: 5
Total items resolved: 5
Total items requiring attention: 0

Resolved threats:
Trojan.Nebuler
Virus ID: 18150
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully resolved
-----------
1 file
f:\qoobox\quarantine\f\windows\system32\winhoo32.dll.vir - Deleted
1 browser cache

Trojan.Vundo
Virus ID: 28544
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Restart required
-----------
144 registry entries
HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart required
HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart required
HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart required
HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart required
HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart required
HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart required
HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart required
HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart required
HKEY_CLASSES_ROOT\CLSID\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_CLASSES_ROOT\MSEvents.MSEvents - Restart required
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 - Restart required
HKEY_CLASSES_ROOT\IEpl.IEpl - Restart required
HKEY_CLASSES_ROOT\IEpl.IEPl.1 - Restart required
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater - Restart required
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1 - Restart required
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib - Restart required
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 - Restart required
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction - Restart required
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1 - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart required
HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834} - Restart required
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834} - Restart required
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks->{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Neustarten erforderlich
HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\DomainService - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\FCOVM - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\RemoveRP - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0 - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->Authentication Packages:... - Neustarten erforderlich
1 Datei
f:\vundofix backups\awtuvvs.dll.bad - Gelöscht
4 Prozesse
F:\Programme\Internet Explorer\iexplore.exe - Beendet
F:\WINDOWS\system32\rundll32.exe - Keine Aktion erforderlich
F:\Programme\Internet Explorer\iexplore.exe - Beendet
F:\WINDOWS\system32\rundll32.exe - Keine Aktion erforderlich
1 Dienst
DomainService - Keine Aktion erforderlich
1 Browser-Cache

W32.Trats!inf
Virus-ID: 40956
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
3 Dateien
f:\vundofix backups\nerocheck.exe.bad - Repariert
f:\VundoFix Backups\pmnli.exe.bad - Gelöscht
1 Browser-Cache
W32.Trats!inf
Virus-ID: 40956
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
4 Dateien
f:\windows\system32\rcx29.tmp - Gelöscht
f:\WINDOWS\system32\RCX36.tmp - Gelöscht
f:\WINDOWS\system32\RCX43.tmp - Gelöscht
f:\WINDOWS\system32\ctfmon.exe.tmp - Repariert
1 Browser-Cache
Trojan.Zlob.N
Virus-ID: 19394
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
1 Datei
f:\windows\system32\ndatqsvqrx.dll - Gelöscht
1 Browser-Cache

Zwiberberg
2007-12-27, 09:30
Along with this, after rebooting I have a new "friend" in SpywareGuard (see also the log file): geebx.dll

On 01:45:10 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 01:45:13 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:23 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:28 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:35 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO
Hope this helps to get the idea of what's going on.

Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication with regard to timing.

Anyway thanks for the continued support,

best regards

Zwiberberg

__RiP_ChAiN_
2007-12-27, 23:22
Hello Zwiberberg,


Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication with regard to timing.
Actually, almost everyone helping in the HijackThis forum is not an actual member of the SpyBot team, but a trained volunteer.

Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication with regard to timing.
While in theory this would be a good idea, in reality there are too few people to help as it is, much less trying to match people with timezones.

Jotti File Submission:
Please go to Jotti's malware scan (http://virusscan.jotti.org/)

Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

F:\WINDOWS\system32\ctfmon .exe

Click on the submit button

Please post the results in your next reply.

Please follow the above instructions for this file as well:
F:\WINDOWS\system32\NeroCheck .exe


A. Please RUN HijackThis
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O18 - Protocol: haufereader - (no CLSID) - (no file)


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the code box below into the Notepad window:


File::
F:\WINDOWS\system32\ndaTqsVqrX.dll
F:\WINDOWS\system32\RCX29.tmp
F:\WINDOWS\system32\RCX36.tmp
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\RCX43.tmp
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\yayawuv.dll
Folder::
F:\VundoFix Backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
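The entries the helper picked out above follow a few repeatable rules: orphaned entries with no backing file or CLSID, a start page reset to about:blank, BHOs registered without a name, a startup link living under a Temp directory, and one BHO CLSID registered twice. The script below turns those rules into a triage pass over a HijackThis log; it is an added example, not code from this thread or from HijackThis or Spybot, the rule set is my reading of the helper's reasoning, and the sample log is a constructed excerpt of the log posted later in the thread.

```python
"""Triage rules for a HijackThis 2.0 log.

Added example, not code from the original thread and not part of
HijackThis or Spybot. The rules reproduce the reasoning behind the
entries the helper asked to "fix checked": orphaned entries, a start
page reset to about:blank, BHOs with no name, startup links that point
into a Temp directory, and the same BHO CLSID registered twice. The
sample log is a constructed excerpt of the log posted in the thread.
"""
from __future__ import annotations

import re

SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe
"""

# "Rn"/"On" prefix that HijackThis puts in front of every entry.
ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A startup link that lives under a Temp directory is not how legitimate
# installers register themselves.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Entries whose backing object is gone. "(file missing)" is deliberately not
# included: that is a leftover of an uninstalled product, not an active hijack.
ORPHAN_MARKERS = ("(no file)", "(no CLSID)")


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) for which one HJT line is suspect."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    reasons = []
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry: registered object with no backing file or CLSID")
    if section == "R0" and "Start Page" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value == "about:blank":
            reasons.append("start page reset to about:blank")
    if section == "O2" and body.startswith("BHO: (no name)"):
        # Legitimate BHOs register a display name; Vundo-style DLLs do not.
        reasons.append("BHO registered without a name")
    if section == "O4" and TEMP_DIR_RE.search(body):
        reasons.append("startup item points into a Temp directory")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map every suspect line of a log to its list of reasons."""
    result: dict[str, list[str]] = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            result[raw.strip()] = reasons
    return result


def duplicate_clsids(text: str) -> set[str]:
    """CLSIDs that appear in more than one O2 (BHO) line.

    In the thread the same CLSID shows up once as an orphan and once backed
    by a DLL in system32; the orphaned duplicate is what gives it away.
    """
    seen: dict[str, int] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group(1) != "O2":
            continue
        for clsid in CLSID_RE.findall(m.group(2)):
            key = clsid.upper()
            seen[key] = seen.get(key, 0) + 1
    return {clsid for clsid, n in seen.items() if n > 1}


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_HJT_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print("CLSIDs registered more than once:", duplicate_clsids(SAMPLE_HJT_LOG))
```

Entries like the Symantec BHO marked "(file missing)" are left alone on purpose, matching the helper's selection: they are remnants of an uninstalled product rather than an active hijack.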

Zwiberberg
2007-12-28, 01:47
Hello Rip Chain,

I have been busy in the last hours and developed my own plan for how to overcome this yayawuv.dll thing.
Looks like it worked.
What I basically did:
- built a startup CD (with UBCD4WIN)
- started the PC from the built CD-ROM
- ran Spybot scans, deleted suspicious files incl. yayawuv.dll and others which I had already identified
- ran HijackThis scans
- ran Kaspersky scans, deleted all suspicious files
- ran VundoFix after rebooting from the hard disk (no more to delete)
Everything is "quiet" now... no more unwanted pop-ups etc.

At least I got a lot of ideas here on how I can identify and isolate the problem, and even found a workaround.

Many thanks for the inspiration and support!!!!!!

Enclosed the latest HJT scan, hope there is nothing left which you find critical...

Best regards and good night USA (it's 1 am here...)

zwiberberg
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:43:59, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
F:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\Internet Explorer\iexplore.exe
F:\Programme\DSL-Manager\DslMgr.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O4 - Global Startup: Quicken 2007 Zahlungserinnerung.lnk = F:\Programme\Quicken2007\billmind.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8656 bytes

__RiP_ChAiN_
2007-12-28, 23:09
Hello Zwiberberg :)

It looks like you got a lot done alright, but there are still infected entries in your HJT log. Please follow my advice from the last post I made and post the required logs :)

Zwiberberg
2007-12-29, 00:53
Hello Rip Chain,

OK, it looks like not everything is cleaned up yet, so here is the report of your requested actions:

Jotti Check:
ctfmon .exe and nerocheck .exe were both "clean" according to the Jotti check. By the way, is it of any concern that I also have a ctfmon.exe in F:\windows\system32\dllcache?

HJT:
I have "fix checked" the items you listed

ComboFix:
I have applied the script as instructed

In the following two posts you will find the CF log and the HJT log.

Additionally, in case it is necessary information you should have:
I have meanwhile removed Norton from my computer and am running Kaspersky Internet Security 7.0.
(If there are Norton files you think I should get rid of in any reg files, pls. let me know...)

Looking forward to further feedback,

best regards
Zwiberberg

Zwiberberg
2007-12-29, 00:54
ComboFix 07-12-21.4 - Jens 2007-12-28 23:12:42.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.606 [GMT 1:00]
ausgeführt von:: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
Command switches used :: F:\Dokumente und Einstellungen\Jens\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\ndaTqsVqrX.dll
F:\WINDOWS\system32\RCX29.tmp
F:\WINDOWS\system32\RCX36.tmp
F:\WINDOWS\system32\RCX43.tmp
F:\WINDOWS\system32\yayawuv.dll
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\VundoFix Backups
F:\VundoFix Backups\geebx.dll.bad
F:\VundoFix Backups\jjkmp.ini.bad
F:\VundoFix Backups\jjkmp.ini2.bad
F:\VundoFix Backups\NeroCheck.exe.bad
F:\VundoFix Backups\nmllm.ini.bad
F:\VundoFix Backups\nmllm.ini2.bad
F:\VundoFix Backups\xbeeg.ini.bad
F:\VundoFix Backups\xbeeg.ini2.bad
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((( Files created from 2007-11-28 to 2007-12-28 ))))))))))))))))))))))))))))))
.

2007-12-28 20:42 . 2007-12-28 23:34 3,551,776 --ahs---- F:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 20:42 . 2007-12-28 23:16 50,708 --ahs---- F:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 20:42 . 2007-12-28 23:18 8,992 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-28 20:42 . 2007-12-28 23:16 1,892 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-28 20:26 . 2007-12-28 20:26 78,415 --a------ F:\WINDOWS\system32\drivers\klif.cab
2007-12-28 13:08 . 2007-12-28 13:08 <DIR> d-------- F:\MapSource
2007-12-28 13:00 . 2007-12-28 13:10 <DIR> d-------- F:\Garmin
2007-12-28 12:19 . 2007-12-28 12:19 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\GARMIN
2007-12-28 11:16 . 2007-12-28 11:16 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2007-12-28 02:06 . 2007-07-30 19:19 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-12-28 02:06 . 2007-07-30 19:18 30,072 --a------ F:\WINDOWS\system32\mucltui.dll.mui
2007-12-27 22:40 . 2007-12-28 20:29 <DIR> d-------- F:\Programme\Kaspersky Lab
2007-12-27 22:40 . 2007-12-28 20:49 91,492 --a------ F:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:40 . 2007-12-28 20:49 85,860 --a------ F:\WINDOWS\system32\drivers\klick.dat
2007-12-27 17:06 . 2007-12-27 17:57 <DIR> d-------- F:\Programme\UBCD4Win
2007-12-27 09:37 . 2007-12-27 09:37 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Prevx
2007-12-27 09:36 . 2007-12-27 09:38 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\PrevxCSI
2007-12-27 09:28 . 2007-12-27 18:04 7,646 --ahs---- F:\WINDOWS\system32\nmllm.ini2
2007-12-27 09:28 . 2007-12-27 18:05 7,646 --ahs---- F:\WINDOWS\system32\nmllm.ini
2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2007-12-28 23:34 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-27 09:24 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Programme\Free Fire Screensaver
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software

.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 12:10 --------- d-----w F:\Programme\GPS Software
2007-12-28 11:14 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-12-28 11:14 --------- d-----w F:\Programme\Quicken2007
2007-12-28 11:13 --------- d-----w F:\Programme\Gemeinsame Dateien\Lexware
2007-12-28 10:16 --------- d-----w F:\Programme\Google
2007-12-28 01:09 --------- d-----w F:\Programme\iTunes
2007-12-27 15:46 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-27 15:46 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-26 23:32 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 23:32 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_16.21.09.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-05-16 19:38:04 3,638 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\ARPPRODUCTICON.exe
+ 2007-12-28 09:21:58 3,638 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\ARPPRODUCTICON.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut10_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut10_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 40,960 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut12_65F9131C16CB40F6BE401B42772C2B44.EXE
+ 2007-12-28 09:21:58 40,960 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut12_65F9131C16CB40F6BE401B42772C2B44.EXE
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut3_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut3_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut4_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut4_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut8_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut8_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut9_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut9_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionDlx_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionDlx_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionHBiz_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionHBiz_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionReg_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionReg_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44_1.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44_1.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlxUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlxUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenHBizUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenHBizUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenRegUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:59 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenRegUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskDlx1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskDlx1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskHBiz1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskHBiz1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-11-10 16:18:50 102,400 ----a-r F:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
+ 2007-12-28 01:09:18 102,400 ----a-r F:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
- 2006-07-14 01:03:03 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-07-14 01:03:03 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2006-07-14 01:03:03 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2003-09-23 14:42:34 17,024 ----a-w F:\WINDOWS\system32\drivers\grmngen.sys
+ 2007-03-08 15:18:00 18,432 ----a-w F:\WINDOWS\system32\drivers\grmngen.sys
- 2003-09-23 14:42:34 7,296 ----a-w F:\WINDOWS\system32\drivers\grmnusb.sys
+ 2007-03-08 15:18:00 8,320 ----a-w F:\WINDOWS\system32\drivers\grmnusb.sys
+ 2007-04-28 15:51:02 110,360 ----a-w F:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 19:49:42 194,320 ----a-w F:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 13:58:26 24,344 ----a-w F:\WINDOWS\system32\drivers\klim5.sys
- 2000-08-04 12:25:30 49,152 ----a-w F:\WINDOWS\system32\INETWH32.dll
+ 2000-08-04 14:25:30 49,152 ----a-w F:\WINDOWS\system32\INETWH32.dll
+ 2005-05-24 11:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-10-21 20:40:14 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-10-21 20:40:16 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-06-28 11:51:48 206,088 ----a-w F:\WINDOWS\system32\klogon.dll
- 2003-03-18 19:20:00 1,060,864 ----a-w F:\WINDOWS\system32\mfc71.dll
+ 2007-03-21 19:39:00 1,060,864 ----a-w F:\WINDOWS\system32\MFC71.DLL
- 2003-03-18 18:14:52 499,712 ----a-w F:\WINDOWS\system32\msvcp71.dll
+ 2007-03-21 19:33:00 503,808 ----a-w F:\WINDOWS\system32\MSVCP71.DLL
- 2003-02-21 02:42:22 348,160 ----a-w F:\WINDOWS\system32\msvcr71.dll
+ 2007-03-21 19:33:00 348,160 ----a-w F:\WINDOWS\system32\MSVCR71.DLL
+ 2007-07-30 18:18:34 207,736 ----a-w F:\WINDOWS\system32\muweb.dll
- 2002-09-20 21:33:28 1,089,536 ----a-w F:\WINDOWS\system32\ROBOEX32.DLL
+ 2002-09-20 23:33:28 1,089,536 ----a-w F:\WINDOWS\system32\ROBOEX32.DLL
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" []
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" []
"Polar Sync"="" []
"gStart"="F:\MapSource\gStart.exe" [2007-08-23 05:58]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" []
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" []
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-01-30 14:53]
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" []
"AVP"="F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
"DWQueuedReporting"="F:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;F:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []

.
Contents of the "Scheduled Tasks" folder
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-12-28 22:21:25 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 23:34:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 23:35:42 - machine was rebooted
.
2007-12-12 14:24:37 --- E O F ---

Zwiberberg
2007-12-29, 00:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38:15, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8220 bytes

__RiP_ChAiN_
2008-01-01, 09:12
Hello Zwiberberg :)

It appears that you're infected with the newest version of this nasty Vundo virus. We're going to remove the older version of ComboFix and download a newer one that is updated for this newer version of Vundo.



Click START then RUN
Now type Combofix /u in the runbox and click OK


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or HERE (http://subs.geekstogo.com/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
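The entries the helper is reacting to in the logs above can be picked out mechanically. The following is an added example for this thread, not code from HijackThis, ComboFix or the helper's procedure: a small line-based triage that applies three rules, each visible in the posted logs. A single space directly before the extension ("NeroCheck .exe", "uability .exe", "AntiSpyware .ex") marks a look-alike file that is distinct from the legitimately named one, so a clean scan of NeroCheck.exe says nothing about it; "(no file)" / "(file missing)" marks an orphaned BHO, toolbar or service entry that still needs to be fixed; and anything in AppInit_DLLs is loaded into every process that maps user32.dll, so it is worth a look even when, as here, it belongs to a known security vendor. The sample lines are constructed from (copied or shortened from) the logs in this thread and are not a complete log.

```python
"""Line-based triage of HijackThis / ComboFix autostart output (added example)."""
import re
from collections import Counter
from typing import Dict, List

# "<word char or ~><one space>.<1-4 char extension>" followed by end of line,
# a quote or whitespace. The " . " in ComboFix date columns ("15:55 . 2007")
# does not match because the dot is followed by a space, not an extension.
SPACE_BEFORE_EXT = re.compile(r'[\w~] \.[A-Za-z0-9]{1,4}(?=$|["\s])')
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Matches "O20 - AppInit_DLLs: <path>" (HJT) and "AppInit_DLLs"=<path> (ComboFix).
APPINIT = re.compile(r'AppInit_DLLs["\s:=]*(.+)$')

# Constructed sample: lines in the shape of the logs posted in this thread.
SAMPLE_LINES = [
    r'O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)',
    r'O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)',
    r'O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll',
    r'O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)',
    r'O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe',
    r'O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe',
    r'O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll',
    r'O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe',
    r'2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe',
    r'- F:\Programme\AntiSpywareApp\AntiSpyware .ex',
]


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return the findings (possibly none) for a single log line."""
    findings: List[Dict[str, str]] = []
    m = SPACE_BEFORE_EXT.search(line)
    if m:
        findings.append({"rule": "space_before_extension", "severity": "high",
                         "evidence": m.group(0), "line": line})
    for marker in ORPHAN_MARKERS:
        if marker in line:
            findings.append({"rule": "orphaned_entry", "severity": "medium",
                             "evidence": marker, "line": line})
            break
    m = APPINIT.search(line)
    if m:
        findings.append({"rule": "appinit_dll", "severity": "review",
                         "evidence": m.group(1).strip(), "line": line})
    return findings


def triage(lines) -> List[Dict[str, str]]:
    """Run triage_line over every line and collect the findings in log order."""
    return [f for line in lines for f in triage_line(line.rstrip("\r\n"))]


def count_by_rule(findings) -> Dict[str, int]:
    """Summarise findings as {rule: count} for a quick overview of a log."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f'{f["severity"]:6} {f["rule"]:22} {f["evidence"]!r}')
        print(f'       {f["line"]}')
```

Feed it a saved HJT or ComboFix log with `triage(open(path, encoding="cp1252", errors="replace"))`; the "review" severity on AppInit_DLLs is deliberate, since the one in this thread is Kaspersky's own hook DLL and a rule that only fires on unknown vendors would have missed the genuinely hostile cases the helper is hunting.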

Zwiberberg
2008-01-01, 11:35
Good morning Rip Chain,

I wish you a happy and successful new year! A big portion of health for you personally and our computers is also needed ;).

As instructed I have unloaded my previous ComboFix version, downloaded the new one and ran a new scan with CF and also HJT.
Here are the reports:

COMBOFIX:

ComboFix 07-12-31.4 - Jens 2008-01-01 10:13:12.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.592 [GMT 1:00]
run from:: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
* New restore point created
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\_install.exe not found
F:\WINDOWS\system32\nmllm.ini
F:\WINDOWS\system32\nmllm.ini2

.
((((((((((((((((((((((( Files created from 2007-12-01 to 2008-01-01 ))))))))))))))))))))))))))))))
.

2008-01-01 10:12 . 2000-08-31 08:00 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-12-28 20:42 . 2008-01-01 10:16 3,851,040 --ahs---- F:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 20:42 . 2007-12-31 14:43 54,260 --ahs---- F:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 20:42 . 2008-01-01 10:17 28,192 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-28 20:42 . 2007-12-31 14:43 3,452 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-28 20:26 . 2007-12-28 20:26 78,415 --a------ F:\WINDOWS\system32\drivers\klif.cab
2007-12-28 13:08 . 2007-12-28 13:08 <DIR> d-------- F:\MapSource
2007-12-28 13:00 . 2007-12-28 13:10 <DIR> d-------- F:\Garmin
2007-12-28 12:19 . 2007-12-28 12:19 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\GARMIN
2007-12-28 11:16 . 2008-01-01 10:15 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2007-12-28 02:06 . 2007-07-30 19:19 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-12-28 02:06 . 2007-07-30 19:18 30,072 --a------ F:\WINDOWS\system32\mucltui.dll.mui
2007-12-27 22:40 . 2007-12-28 20:29 <DIR> d-------- F:\Programme\Kaspersky Lab
2007-12-27 22:40 . 2007-12-28 20:49 91,492 --a------ F:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:40 . 2007-12-28 20:49 85,860 --a------ F:\WINDOWS\system32\drivers\klick.dat
2007-12-27 17:06 . 2007-12-27 17:57 <DIR> d-------- F:\Programme\UBCD4Win
2007-12-27 09:37 . 2007-12-27 09:37 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Prevx
2007-12-27 09:36 . 2007-12-27 09:38 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\PrevxCSI
2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2008-01-01 10:02 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-28 23:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 12:10 --------- d-----w F:\Programme\GPS Software
2007-12-28 11:14 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-12-28 11:14 --------- d-----w F:\Programme\Quicken2007
2007-12-28 11:13 --------- d-----w F:\Programme\Gemeinsame Dateien\Lexware
2007-12-28 10:16 --------- d-----w F:\Programme\Google
2007-12-28 01:09 --------- d-----w F:\Programme\iTunes
2007-12-27 15:46 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-27 15:46 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-26 23:32 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 23:32 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-11-30 06:42 --------- d-----w F:\Programme\Free Fire Screensaver
2007-11-30 06:42 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2007-10-29 22:42 1,293,312 ----a-w F:\WINDOWS\system32\quartz.dll
2007-10-25 12:41 81,920 ----a-w F:\WINDOWS\system32\LxUISettings10VC8.dll
2007-10-25 12:41 716,800 ----a-w F:\WINDOWS\system32\lxter20VC8.dll
2007-10-25 12:41 65,536 ----a-w F:\WINDOWS\system32\PXTTool65VC8.dll
2007-10-25 12:41 552,960 ----a-w F:\WINDOWS\system32\zvkonline65VC8.dll
2007-10-25 12:41 5,701,632 ----a-w F:\WINDOWS\system32\LxXtreme50VC8.dll
2007-10-25 12:41 319,488 ----a-w F:\WINDOWS\system32\LxImport65VC8.dll
2007-10-25 12:41 27,648 ----a-w F:\WINDOWS\system32\LXTPSW20VC8.dll
2007-10-25 12:41 241,664 ----a-w F:\WINDOWS\system32\LXBtr65VC8.dll
2007-10-25 12:41 180,224 ----a-w F:\WINDOWS\system32\LXDasi65VC8.dll
2007-10-25 12:41 180,224 ----a-w F:\WINDOWS\system32\LxBasics65VC8.dll
2007-10-25 12:41 126,976 ----a-w F:\WINDOWS\system32\LxMail30VC8.dll
2007-10-25 12:41 1,556,480 ----a-w F:\WINDOWS\system32\LxXtreme40VC8.dll
2007-10-25 12:41 1,191,936 ----a-w F:\WINDOWS\system32\LXtool65VC8.dll
2007-10-25 08:28 222,720 ----a-w F:\WINDOWS\system32\wmasf.dll
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.


----a-w 39,792 2007-12-25 10:02:44 F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 45,056 2007-12-24 15:47:28 F:\Programme\ATI Technologies\ATI.ACE\cli .exe
----a-w 163,840 2007-12-25 10:02:50 F:\Programme\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg .exe
----a-w 32,768 2007-12-24 12:01:42 F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ .exe
----a-w 310,272 2007-12-25 10:02:43 F:\Programme\FreePDF_XP\fpassist .exe
----a-w 532,776 2007-12-24 15:47:33 F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager .exe
----a-w 51,048 2007-12-25 17:09:44 F:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp .exe
----a-w 68,856 2007-12-23 22:31:54 F:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 267,048 2007-12-25 10:02:48 F:\Programme\iTunes\iTunesHelper .exe
----a-w 132,496 2007-12-25 10:02:51 F:\Programme\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-23 17:39:58 F:\Programme\Messenger\msmsgs .exe
----a-w 1,460,560 2007-12-25 10:02:53 F:\Programme\Spybot - Search & Destroy\TeaTimer .exe
----a-w 1,003,590 2007-12-24 15:00:59 F:\Programme\Zinio\ZinioDeliveryManager .exe
----a-w 155,648 2007-12-23 22:31:29 F:\WINDOWS\system32\NeroCheck .exe



(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" [ ]
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" [ ]
"Polar Sync"="" []
"gStart"="F:\MapSource\gStart.exe" [2007-08-23 05:58 1891416]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" [ ]
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [ ]
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-01-30 14:53 2732584]
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" [ ]
"AVP"="F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="F:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

F:\Dokumente und Einstellungen\Administrator\Startmen\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Birgit\Startmen\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Default User\Startmen\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Jens\Startmen\Programme\Autostart\
SpywareGuard.lnk - F:\Programme\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

F:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Google Updater.lnk - F:\Programme\Google\Google Updater\GoogleUpdater.exe [2007-12-28 11:16:43]
Quicken 2008 Zahlungserinnerung.lnk - F:\Programme\LEXWARE\Quicken\2008\billmind.exe [2007-04-18 23:29:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;F:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []

.
Contents of the "Scheduled Tasks" folder
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 09:03:42 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
- F:\Programme\Norton Internet Security\Norton AntiVirus\Navw32.exel/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 10:17:12
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 10:17:45
F:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 09:17:43
F:\qoobox\ComboFix2.txt 2007-12-28 22:35:42
.
2007-12-12 14:24:37 --- E O F ---

Zwiberberg
2008-01-01, 11:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:38, on 01.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\iPod\bin\iPodService.exe
F:\WINDOWS\explorer.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 7712 bytes

Zwiberberg
2008-01-01, 11:43
I will be available today for around another 7 hours to reply and take further action. Afterwards, I will not be able to access my computer and this forum until Friday night (because I have to go back to work, and I am not working at the same location where this computer is located!).:sad:
Thanks for your understanding,
best regards
Zwiberberg

__RiP_ChAiN_
2008-01-02, 05:01
Hello Zwiberberg :)

Download RenV.exe by sUBs (http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe) to your desktop


Copy the entire contents of the Code Box below to Notepad.
Name the file Log.txt (overwrite the existing one),
change the Save as Type to All Files
and save it on the desktop.


F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl .exe
F:\Programme\ATI Technologies\ATI.ACE\cli .exe
F:\Programme\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg .exe
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ .exe
F:\Programme\FreePDF_XP\fpassist .exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager .exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp .exe
F:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
F:\Programme\iTunes\iTunesHelper .exe
F:\Programme\Java\jre1.6.0_03\bin\jusched .exe
F:\Programme\Messenger\msmsgs .exe
F:\Programme\Spybot - Search & Destroy\TeaTimer .exe
F:\Programme\Zinio\ZinioDeliveryManager .exe
F:\WINDOWS\system32\NeroCheck .exe

http://img.photobucket.com/albums/v666/sUBs/RenV.gif


Referring to the picture above, drag Log.txt onto RenV.exe and attach the resulting report to your reply.

Zwiberberg
2008-01-04, 22:05
Hello RipChain,

followed your instructions.
In the DOS window it basically said that none of the applications/files had been found!

I guess that's why the log result is as follows:



Ran on 04.01.2008 - 21:00:10,92

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0


What does this mean now???:scratch:

Looking forward to further information on the weekend.

Kind regards

zwiberberg

Zwiberberg
2008-01-04, 22:14
Hello Rip Chain,

In the data you submitted there were always spaces/blanks in front of the file extension.
I removed them and reran the RenV.exe thing.
Guess what:
no messages that the files have not been found,
however,
the log result is the same (just a different time) ;)



Ran on 04.01.2008 - 21:10:26,57

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

__RiP_ChAiN_
2008-01-05, 06:53
Hello Zwiberberg,

Please post a new HijackThis log for review, along with an update on how your computer is running :)

Zwiberberg
2008-01-05, 10:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:21, on 05.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 7842 bytes
:D:

Zwiberberg
2008-01-05, 10:32
Good morning RipChain,

To me the machine currently seems to run stably and at an acceptable speed. So it looks like there are no unwanted background activities like viruses etc. running.
What is your impression, reading the latest scan log results?:bigthumb:?

Best regards

zwiberberg

__RiP_ChAiN_
2008-01-06, 19:39
Hello Zwiberberg :)


In the data you submitted there were always spaces/blanks in front of the file extension.
I removed them and reran the RenV.exe thing.
I know; this was done on purpose. You were infected with a new variant of the Vundo virus, which infects .exe files and then renames the original ones with a space before the extension.


What is your impression, reading the latest scan log results?
I'd like to run a quick Panda scan and make sure there are no more leftovers still present :)

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
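
As an added example for this thread (not code from the original posts, and not ComboFix's, RenV's or the helper's own tooling), the script below does the check the explanation above implies: it pulls out of ComboFix/HijackThis-style log lines every path whose file name carries a space before the extension, and it walks a directory tree to find such files next to their normally named counterparts and compare their SHA-256 hashes. The sample log lines are copied from the logs earlier in this thread; the directory tree is constructed in a temporary folder and is not the poster's machine. The script only reports: it does not decide which member of a pair is the original, and it renames or deletes nothing.

```python
"""Spot executables renamed with a space before the extension (e.g. "NeroCheck .exe").

Added example for this thread; not ComboFix, RenV or the helper's own code. It
only reports: it does not decide which file of a pair is the original, and it
deletes or renames nothing.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# A file name whose last characters are one or more spaces, a dot and a short
# extension, e.g. "Reader_sl .exe" or the scheduled task's "AntiSpyware .ex".
SPACED_EXT = re.compile(r"^(?P<stem>.*?) +\.(?P<ext>[A-Za-z0-9]{1,4})$")
# A Windows path from the drive letter up to a quote or square bracket, which is
# where ComboFix and HijackThis append "[ ]", "[date size]" or a quoted switch.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]*')


def spaced_name(path_str):
    """Return the normal file name ("NeroCheck.exe") if path_str's file name
    carries a space before the extension, otherwise None."""
    name = path_str.replace("/", "\\").rsplit("\\", 1)[-1]
    m = SPACED_EXT.match(name)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None


def flag_log_lines(lines):
    """Return the paths in ComboFix/HijackThis-style log lines whose file name
    has a space before the extension, in the order they appear."""
    hits = []
    for line in lines:
        m = WIN_PATH.search(line)
        if m and spaced_name(m.group(0).rstrip()):
            hits.append(m.group(0).rstrip())
    return hits


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_pairs(root):
    """Walk root and return (spaced_path, counterpart_path_or_None, same_bytes)
    for every file whose name has a space before the extension. same_bytes is
    True/False when the normally named counterpart exists, None when it does not."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            clean = spaced_name(name)
            if clean is None:
                continue
            spaced_path = os.path.join(dirpath, name)
            clean_path = os.path.join(dirpath, clean)
            if os.path.isfile(clean_path):
                results.append((spaced_path, clean_path,
                                sha256_of(spaced_path) == sha256_of(clean_path)))
            else:
                results.append((spaced_path, None, None))
    return sorted(results, key=lambda r: r[0])


# Sample lines copied from the ComboFix and HijackThis logs earlier in this thread.
SAMPLE_LOG = [
    r"----a-w 39,792 2007-12-25 10:02:44 F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl .exe",
    r"----a-w 267,048 2007-12-25 10:02:48 F:\Programme\iTunes\iTunesHelper .exe",
    r"2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe",
    r'"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" [ ]',
    r"- F:\Programme\AntiSpywareApp\AntiSpyware .ex",
    r'"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]',
    r"O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe",
]


def demo_tree():
    """Constructed sample tree in a temp folder (not the poster's machine): one
    renamed original beside a modified copy, one renamed original on its own.
    Returns find_pairs() on it and removes the folder afterwards."""
    root = tempfile.mkdtemp()
    try:
        sys32 = Path(root, "WINDOWS", "system32")
        sys32.mkdir(parents=True)
        original = b"MZ constructed NeroCheck body"
        (sys32 / "NeroCheck .exe").write_bytes(original)
        (sys32 / "NeroCheck.exe").write_bytes(original + b"\x90" * 16)
        ace = Path(root, "Programme", "ATI.ACE")
        ace.mkdir(parents=True)
        (ace / "cli .exe").write_bytes(b"MZ constructed cli body")
        return find_pairs(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("log:", hit)
    for spaced, clean, same in demo_tree():
        state = "identical" if same else ("differs" if same is False else "no counterpart")
        print("tree:", spaced, "->", clean, state)
```

Run it on a real machine with `find_pairs(r"F:\")` (or whichever drive holds Windows) and treat every reported pair as something to look at by hand: a pair whose hashes differ is the pattern the helper describes, a spaced file with no counterpart may be a leftover after a cleaner removed the replacement. The WIN_PATH pattern stops at the first quote or square bracket, which is why the `"[ ]"` and `[date size]` suffixes ComboFix appends and the quoted command-line switches in HijackThis lines do not end up in the extracted path.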

Zwiberberg
2008-01-07, 06:25
Incident Status Location

Spyware:Cookie/onestat.com Not disinfected F:\Dokumente und Einstellungen\Birgit\Cookies\birgit@stat.onestat[2].txt
Virus:Trj/Dropper.WW Disinfected Persönliche Ordner\Gelöschte Objekte\Re: von Tamara\Foto-001-006__JPG.com
Virus:Trj/MultiJoiner.O Disinfected Persönliche Ordner\Gelöschte Objekte\Von Tamara\Foto-Cannon-M06___JPG.com
Spyware:Cookie/adultfriendfinder Not disinfected F:\Dokumente und Einstellungen\Jens\Cookies\jens@adultfriendfinder[2].txt
Spyware:Cookie/Adverserve Not disinfected F:\Dokumente und Einstellungen\Jens\Cookies\jens@adverserve[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\VirtumundoBeGone.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Programme\UBCD4Win\BartPE\I386\SYSTEM32\NIRCMD.EXE
Hacktool:Hacktool/AngryScan Not disinfected F:\Programme\UBCD4Win\BartPE\PROGRAMS\IPScan\ipscan.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Programme\UBCD4Win\plugin\AntiVirus\AV7PE\nircmd.exe
Hacktool:Hacktool/AngryScan Not disinfected F:\Programme\UBCD4Win\plugin\Network\ipscan\ipscan.exe
Virus:Bck/Gerzidan.A Disinfected Persönliche Ordner\Gelöschte Objekte\Von Tanja, hallo Petra\Bild-Holger__JPG.com
Virus:Bck/Gerzidan.A Disinfected Persönliche Ordner\Gelöschte Objekte\Von Mareike\Bild-002_(klein)__JPG.com
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\WINDOWS\NirCmd.exe

Hello RipChain,

find enclosed the Panda report.
Looking forward to your recommendations,
best regards
Zwiberberg

__RiP_ChAiN_
2008-01-11, 21:09
Hello Zwiberberg :)

Sorry for the delay in replying to you, my workplace has barely left me enough time to sleep and eat lately, it seems.

The Panda scan disinfected any last remaining pieces of the malware on your system, it appears.
Please post back with one last HJT log, if it appears clean and your system is still running fine we can go through the last steps to further secure your computer, and you can be on your way :)

Zwiberberg
2008-01-11, 22:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:25, on 11.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
F:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
F:\Programme\Internet Explorer\IEXPLORE.EXE
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198801773250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8123 bytes
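
A small triage helper for a HijackThis log like the one above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the "Oxx - ..." finding lines and flags the ones a helper reads first: components still registered in the registry whose file is no longer on disk ("(no file)", "(file missing)") and services that carry no publisher information ("Unknown owner"). The sample lines are copied from the log above; the flagging rules are this example's own heuristics, not verdicts from HijackThis.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample lines copied from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class Entry:
    section: str                      # "O2", "O4", "O23", ...
    body: str                         # text after "O23 - "
    reasons: List[str] = field(default_factory=list)  # why it deserves a look


def review_reasons(section: str, body: str) -> List[str]:
    """Heuristics of this example (not HijackThis's own verdicts)."""
    reasons = []
    if "(no file)" in body:
        reasons.append("registered component whose file is gone")
    if body.endswith("(file missing)"):
        reasons.append("service binary not present on disk")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no publisher information")
    return reasons


def parse_hjt(text: str) -> List[Entry]:
    """Keep only finding lines; header, process list, blanks and footer are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entries.append(Entry(section, body, review_reasons(section, body)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one review reason, in log order."""
    return [e for e in entries if e.reasons]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many findings each section type contributed."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(section_counts(found))
    for e in flagged(found):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.reasons)}")
```

A dangling entry is not proof of infection; it is usually the residue of an uninstall. The value of listing them is that each one is something still registered to load or run, so each should be either removed or explained before a log is called clean.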

Zwiberberg
2008-01-11, 22:39
Hello RipChain,

nice to hear from you, don't work too hard!
I have just posted the newest HJT log in the previous post.

Looking forward to receiving new information on the final steps.

So far: thanks for the excellent service!!!:bigthumb::bigthumb::bigthumb:

best regards
from Germany at 21:37

Zwiberberg

__RiP_ChAiN_
2008-01-13, 03:33
Hello Zwiberberg :)

Excellent news, you're good to go!

Please delete the following folder:

C:\Qoobox

Go ahead and remove any tools we used during your fix now, as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
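
To make the hosts-file mechanism described under "MVPS Hosts file" concrete, here is an added example; it is not part of the post and is neither the MVPS file nor any tool named above. It parses a hosts file in the standard layout, lists which names are sinkholed to a loopback or null address, answers whether a given hostname would be blocked, and separates out entries that send a name to a real address. The sample file is constructed for this example with made-up .test names.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample hosts file for this example; the hostnames are made-up
# .test names, not entries from the MVPS list.
SAMPLE_HOSTS = """\
# Same layout as any HOSTS file: address, whitespace, one or more names.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test        # [Ad network]
127.0.0.1       tracker.example-counter.test  banner.example-counter.test
0.0.0.0         bad.example-malware.test          # some lists use 0.0.0.0 instead
192.0.2.10      intranet.corp.example             # a real mapping, not a block
this is not a hosts line and is ignored
"""

# Addresses that mean "go nowhere": loopback (what the post describes) or the
# unspecified address, which many blocklists use because it fails immediately.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the file assigns it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "address name ...": skip rather than guess
        for host in parts[1:]:
            mapping.setdefault(host.lower(), parts[0])  # first entry for a name wins
    return mapping


def blocked_hosts(mapping: Dict[str, str]) -> Set[str]:
    """Names the file sinkholes (localhost itself is a normal mapping, not a block)."""
    return {h for h, ip in mapping.items() if ip in SINKHOLES and h != "localhost"}


def is_blocked(mapping: Dict[str, str], host: str) -> bool:
    """Exact-name match only: blocking example.test says nothing about www.example.test."""
    return host.lower() in blocked_hosts(mapping)


def non_sinkhole_mappings(mapping: Dict[str, str]) -> Dict[str, str]:
    """Entries that send a name to a real address. A blocklist-style hosts file
    should contain none, so each one deserves a look."""
    return {h: ip for h, ip in mapping.items() if ip not in SINKHOLES}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked_hosts(table)))
    for name in ("ads.example-adnetwork.test", "sub.ads.example-adnetwork.test"):
        print(name, "->", "blocked" if is_blocked(table, name) else "not blocked")
    print("review:", non_sinkhole_mappings(table))
```

Two caveats before relying on this mechanism: matching is by exact name, so a list has to name every subdomain it wants to stop, and 127.0.0.1 still makes the browser attempt a connection to the local machine, whereas 0.0.0.0 is not routable and the attempt fails at once, which is why some lists prefer it. Conversely, an entry that maps a name to a real address is exactly what a tampered hosts file looks like, so non_sinkhole_mappings is the part to read when a machine suddenly cannot reach an update or vendor site.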

Zwiberberg
2008-01-13, 19:27
Hello RipChain,
As a matter of fact, good news that the machine is clean and running fine!:cool:
I have followed most of your instructions.

On my way down the list I was also going to run a Windows update, but figured out that it does not start the download and installation.
According to my current knowledge, there seems to be a problem starting BITS. When I try to start it under "local services" I am getting an error message: "The Service "BITS" on "local computer" cannot be started. Failure 2: The System cannot find the listed file."

I have no idea what to do, can you help?:red:
It seems that this has to do with the removal of some data in regedit, especially with the netsvcs file?

Looking forward to your advice,
best regards

Zwiberberg

__RiP_ChAiN_
2008-01-14, 23:20
Hello Zwiberberg :)

Try this:

Do you have a working XP CD?

If so, place it in your CD ROM drive and follow the instructions below: Click on START-->RUN and type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

Zwiberberg
2008-01-17, 21:19
Hello Rip Chain,

The update downloading issue is now fixed.

Machine is running, currently no suspect activities.
THANKS A LOT!!!:wav:

In case you do not have any additional remarks or need a final final log, I guess we both agree that the thread can be finished.
(Don't worry, "I'll be back" if vundo returns... for further termination :flame:!!!)

Best regards
and thanx again

Zwiberberg

__RiP_ChAiN_
2008-01-17, 21:40
I have nothing else to say; I am extremely happy your computer is working well again, though. I'm going to go archive this now, since the issues appear to be resolved.