View Full Version : My PC is constantly sending E-Mails which I don't know
Hi Shaba,
Greetings from Germany ;-)
I 've checket out this forum very well, and I am impressed by your competent trobleshooting, given in most of the Threads, initiating the End of Spyware and Trojans in nearly all the cases. Hope you can also help me ;-)
Now here's my Problem: I thought I was safe behind the ZoneAlarm v. 7.0.337.000 Firewall and my neighbour's router, bit I wasn't. Recently, I installed the new G-Data AntiVirusKit 2007 and killed 109 (!!!) viruses, so my System seems to be almost clean now, but now, there often appears a Messagem, that my PC is sending E-Mails, but they are not from me =)
Here's an example of an outgoing E-Mail logged by the AntiVirusKit:
Outgoing mails (SMTP)
Checked: 9 (0 infected)
Last checked: subject: Cambrian Launches, sender: jerame.Hunston AT 4x4holidays.co.uk, Empfänger: dalia.k.h AT wp.pl
These are E-Mail-Adresses I've never seen before, so I think my Computer is sending spam and/or is used as a relay-server. How can I stop this?
I've added the HijackThis Log file, because I knew you would ask about^^
Logfile of HijackThis v1.99.1
Scan saved at 23:37:45, on 22.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programs\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programs\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programs\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programs\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Firefox 2.003\firefox.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Programs\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\lmqdbtay.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programs\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programs\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programs\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programs\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Programs\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programs\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programs\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pwvgjpkg.dll",realset
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Syrrel Sneer\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programs\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programs\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qgwfjavb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programs\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programs\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hello MoOsE :)
I'm not Shaba but I'll be happy to help you.
You're infected.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
thank you for your help.
I've done as you said.
Here are the logs, Vundo first, then Hijackthis.
VundoFix V6.5.1
Checking Java version...
Sun Java not detected
Scan started at 20:51:47 26.06.2007
Listing files found while scanning....
C:\Programme\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\inf\entmig.dll
C:\WINDOWS\inf\gimtne.bak1
C:\WINDOWS\inf\gimtne.bak2
C:\WINDOWS\inf\gimtne.ini
C:\WINDOWS\inf\gimtne.ini2
C:\WINDOWS\system32\cvdccgis.dll
C:\WINDOWS\system32\dnqvehtg.dll
C:\WINDOWS\system32\epujukfe.dll
C:\WINDOWS\system32\exhmceka.dll
C:\WINDOWS\system32\fvleowyt.dll
C:\WINDOWS\system32\gkpjgvwp.ini
C:\WINDOWS\system32\gpekaplv.dll
C:\WINDOWS\system32\gufuhoxp.dll
C:\WINDOWS\system32\jdtlknhf.dll
C:\WINDOWS\system32\jkdihyvi.dll
C:\WINDOWS\system32\lmqdbtay.dll
C:\WINDOWS\system32\madpmgir.dll
C:\WINDOWS\system32\nmodpwce.dll
C:\WINDOWS\system32\pwvgjpkg.dll
C:\WINDOWS\system32\sglseeee.dll
C:\WINDOWS\system32\wgaisqgi.dll
C:\WINDOWS\system32\xiainxhh.dll
C:\WINDOWS\system32\xidqjcvh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\inf\gimtne.bak1
C:\WINDOWS\inf\gimtne.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\inf\gimtne.bak2
C:\WINDOWS\inf\gimtne.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\inf\gimtne.ini
C:\WINDOWS\inf\gimtne.ini Has been deleted!
Attempting to delete C:\WINDOWS\inf\gimtne.ini2
C:\WINDOWS\inf\gimtne.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\gkpjgvwp.ini
C:\WINDOWS\system32\gkpjgvwp.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 21:01:51, on 26.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Speed Commander 11\SpeedCommander.exe
C:\WINDOWS\system32\wuauclt.exe
F:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qgwfjavb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hope that helps...waiting for your answer.
Thank you very much,
MoOsE
Ok we'll continue :)
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Ok, done so far. First, I report what happened.
I started Combofix, it first scanned and did two registry changes, followed by a reboot. Then the message "C:\ComboFix\CF_anti-viking.bat could not be found" appeared, followed by the message "Scanning for infected files" and "Scan times for badly infected machines may easily double". Then again, some registry changes where made, followed by reboot. Then the message by "Find3M" "Preparing for report" appeared and the program ended.
There were two logs put on C:, which I post now.
COMBOFIX.TXT
"Speedy Gonzalez" - 2007-06-27 20:44:53 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 67860 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp
C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Programme\Gemeinsame Dateien\{4C825~1
C:\Programme\toolbar888
C:\Programme\toolbar888\Uninst.exe
C:\Programme\vsadd-in
C:\WINDOWS\system32\lzx32.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))
2007-06-27 20:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-26 20:51 <DIR> d-------- C:\VundoFix Backups
2007-06-22 23:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-21 23:42 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\G DATA
2007-06-21 23:41 47,184 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys
2007-06-21 23:41 38,096 --a------ C:\WINDOWS\system32\drivers\GDTdiIcpt.sys
2007-06-21 23:41 37,112 --a------ C:\WINDOWS\system32\drivers\HookCentre.sys
2007-06-21 23:41 <DIR> d-------- C:\WINDOWS\gear_dlls
2007-06-21 23:40 <DIR> d-------- C:\Programme\Gemeinsame Dateien\G DATA
2007-06-21 23:39 <DIR> d-------- C:\DOKUME~1\SPEEDY~1\ANWEND~1\InstallShield
2007-06-03 19:20 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-27 18:42:38 83,478 ----a-w C:\WINDOWS\system32\perfc007.dat
2007-06-27 18:42:38 435,686 ----a-w C:\WINDOWS\system32\perfh007.dat
2007-06-27 14:35:58 -------- d-----w C:\DOKUME~1\SPEEDY~1\ANWEND~1\Skype
2007-06-21 22:03:38 -------- d-----w C:\Programme\VVSN
2007-06-21 22:03:38 -------- d-----w C:\Programme\VSToolbar
2007-06-21 21:40:30 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-06-15 13:02:18 -------- d-----w C:\DOKUME~1\SPEEDY~1\ANWEND~1\teamspeak2
2007-05-16 15:11:44 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 07:02:25 253,952 ------w C:\WINDOWS\Setup1.exe
2007-05-12 07:02:24 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-25 14:22:27 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-19 20:50:44 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-04-19 20:26:36 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2007-04-18 16:13:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 11:48:30 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{055FD26D-3A88-4e15-963D-DC8493744B1D}=F:\ICQToolbar\toolbaru.dll [2006-10-10 11:18]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=F:\Adobe Reader\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{206E52E0-D52E-11D4-AD54-0000E86C26F6}=F:\DOWNLO~1\FRESHD~1\fdcatch.dll [2006-03-20 11:28]
{29342761-5C6A-4A62-9040-4493A8507436}=C:\WINDOWS\system32\iykwoxsx.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programme\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]
{9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285}=C:\WINDOWS\inf\entmig.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 18:01 C:\WINDOWS\SOUNDMAN.EXE]
"D-Link AirPlus G"="F:\D-Link\AirGCFG.exe" [2005-04-22 18:51]
"ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"RemoteControl"="F:\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="F:\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"ISUSPM Startup"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" [2004-06-16 06:03]
"BDNewsAgent"="F:\BitDefender 8.0\bdnagent.exe" [2005-05-09 13:19]
"CloneCDElbyCDFL"="F:\CloneCD\ElbyCheck.exe" [2001-12-06 14:09]
"QuickTime Task"="F:\QuickTime 7\qttask.exe" [2007-02-16 10:54]
"ZoneAlarm Client"="F:\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"AVKTray"="F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe" [2007-01-23 14:15]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\entmig]
C:\WINDOWS\inf\entmig.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32]
winepi32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"bdss"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Installer.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 20:48:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-27 20:49:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-27 20:49
--- E O F ---
-------------------------------------------------------------------
here's the second one: ComboFix-quarantined-files.txt
2006-08-23 21:08 34950 --a------ C:\Qoobox\Quarantine\C\Programme\ToolBar888\Uninst.exe.vir
2007-01-15 12:01 0 --a------ C:\Qoobox\Quarantine\C\DOKUME~1\SPEEDY~1\ANWEND~1\SearchToolbarCorp\Toolbar Vision\PageHistory.txt.vir
2007-01-15 12:01 0 --a------ C:\Qoobox\Quarantine\C\DOKUME~1\SPEEDY~1\ANWEND~1\SearchToolbarCorp\Toolbar Vision\WebHistory.txt.vir
2007-03-30 08:17 74620 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lzx32.sys.vir
2007-06-27 20:46 2956 --a------ C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-06-27 20:46 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
2007-06-27 20:46 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
Auflistung der Ordnerpfade fr Volume Windows XP
Volumenummer: 4C82-5CC7
C:\QOOBOX
\---Quarantine
+---C
| +---DOKUME~1
| | \---SPEEDY~1
| | \---ANWEND~1
| | \---SearchToolbarCorp
| | \---Toolbar Vision
| | PageHistory.txt.vir
| | WebHistory.txt.vir
| |
| +---Programme
| | \---ToolBar888
| | Uninst.exe.vir
| |
| \---WINDOWS
| \---system32
| lzx32.sys.vir
|
\---Registry_backups
LEGACY_DOMAINSERVICE.reg.cf
services_DomainService.reg.cf
services_nm.reg.cf
So, what's next?^^
Thank you for your help.
MoOsE
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Do NOT run yet.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Disable the bad services
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to DomainService
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Scroll down to Microsoft authenticate service (MsaSvc)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; DomainService
Answer Yes
Press Delete an NT service again.
Copy the following line to the box and press OK; MsaSvc
Answer Yes
Close HIjackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\qgwfjavb.exe
C:\WINDOWS\system32\msasvc.exe
Go to the My Computer and delete the following folders (if present):
C:\Programme\ToolBar888
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\perfc007.dat
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- virustotal results
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
Sorry, little question: in services.msc the Service "DomainService" doesn't exist. I think it has another name in german language. Because I fear disabling the wrong Service, I am asking if you know the German synonyme to "DomainService".
Sometimes, also the small things interrupt the best troubleshooting ever.
Keep up the good work, 'til then ;-)
MoOsE
Hello :)
Ok don't disable that German synonyme, it is a different one. Just skip that part then :bigthumb:
Good that you asked :bigthumb:
OkOk, Mission accomplished ;)
First, there were a little minor things that didn't work:
- In ATFCleaner, I couldn't select "Firefox" at the top, but I performed it anyway. (Empty selected) Is that a Problem?
- I've made a little mistake with AVG Anti-Spyware: I forgot to select "Quarantine" after the scan, so all files were deleted :oops: so I think that's also the reason why I could not save a log. But I've printed the actions made by the program, which I will post underneath.
Now for the Reports:
First, my home-made AVG Report ;) (reason 4 that mentioned above)
http://img505.imageshack.us/img505/3192/reportsj7.th.jpg (http://img505.imageshack.us/my.php?image=reportsj7.jpg)
Ok, and now the new HijackThis-Log:
Logfile of HijackThis v1.99.1
Scan saved at 19:59:20, on 02.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\AVGas\guard.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
C:\WINDOWS\System32\svchost.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\AVGas\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
VIRUSTOTAL: I didn't copy&paste the results, because no virus program detected a virus in the perfc007.dat file.
Now finally, here are the SdFix-Results:
SDFix: Version 1.88
Run by Administrator on 02.07.2007 at 18:35
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOKUME~1\ADMINI~1\Desktop\Sdfix\SDFix
Safe Mode:
Checking Services:
Name:
hide_evr2
ImagePath:
\??\C:\WINDOWS\hide_evr2.sys
hide_evr2 - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\NSPRS.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SSPRS.DLL - Deleted
C:\a.bat - Deleted
C:\WINDOWS\system32\TFTP3196 - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"F:\\Skype 2.0\\Skype.exe"="F:\\Skype 2.0\\Skype.exe:*:Enabled:Skype"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\DOKUME~1\ADMINI~1\Desktop\Sdfix\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Listing User Accounts:
Administrator Gast Hilfeassistent
Speedy Gonzalez SUPPORT_388945a0
Der Befehl wurde erfolgreich ausgefhrt.
Finished
Am I clean now? :alien:
If this is so, I thank you very much for your help and I hope this website will never go down, even if the internet crashes because of all the Trojans ;)
Now a final question (if we are finished): Is there a way that I can protect my system in a better way in the future? Because these programs have found so many Trojans that I whish I had never entered the internet ;)
Yours sincerely,
MoOsE
Hello :)
Ok looks pretty good now. How is the computer running?
Thanks for your kind words :D
I'll give prevention tips but let's be sure that you're clean first.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Sorry, that didn't work. If I klick on "Kaspersky online scanner" and then on "Accept", nothing happens. Maybe it's because I am not using internet explorer but Firefox 2.0.0.4.
MoOsE
Ok Kaspersky would require IE to run....
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
Hello again.
Sorry for my late answer but I was away from my home PC.
Squeezed some Bugs again with DoktorWeb. Now here's the log, followed by the new HijackThis Log:
Process.exe C:\Dokumente und Einstellungen\Administrator\Desktop\Sdfix\SDFix\apps Tool.Prockill Not curable. Moved.
A0088035.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP104 Trojan.Virtumod Deleted.
A0098395.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP107 Trojan.Virtumod Deleted.
A0106200.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106245.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106246.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106404.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106467.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106562.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106678.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106747.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0107974.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP109 Trojan.Virtumod Deleted.
A0109031.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP109 Trojan.Virtumod Deleted.
A0110060.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0110079.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SaveNow Not curable. Moved.
A0112097.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112103.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SearchColours Not curable. Moved.
A0112133.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112134.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112135.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112136.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112137.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112138.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112140.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112141.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112142.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112143.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112144.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112146.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112147.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112148.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112149.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112150.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112151.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112152.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112153.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112154.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112155.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112157.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112158.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112159.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112160.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112162.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112163.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112164.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112165.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112166.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112168.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112169.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112170.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112171.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112174.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112175.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112176.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112178.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112179.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112180.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112181.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112182.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112184.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112185.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112187.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112188.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112189.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112190.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112192.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112193.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112194.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112195.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112196.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112198.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112199.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112200.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112201.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112203.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112204.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112205.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112206.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112207.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112208.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112209.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112210.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112212.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112213.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112214.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112215.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112216.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112217.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112218.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112219.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112220.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112221.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112222.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112223.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112224.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112225.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112226.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112227.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112228.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112229.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112230.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112231.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112233.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112234.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112236.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112237.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112238.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112239.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112240.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112241.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112242.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112243.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112244.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0026846.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP43 Trojan.Virtumod Deleted.
A0026847.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP43 Trojan.Virtumod Deleted.
A0030979.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP52 Trojan.Virtumod Deleted.
A0030980.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP52 Trojan.Virtumod Deleted.
A0040343.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP56 Trojan.PWS.Snap Deleted.
A0040916.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040917.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040920.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040921.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040923.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040926.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040927.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040928.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Adware.TopSearch Not curable. Moved.
A0040929.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040930.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040931.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040932.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040933.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040934.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040935.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040936.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040937.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040938.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040939.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040940.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040941.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040942.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040943.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040944.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Not curable. Moved.
A0040946.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040947.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040948.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040949.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040950.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040951.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040952.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0042011.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0050618.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP74 Trojan.Virtumod Deleted.
A0059989.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP88 Trojan.Virtumod Deleted.
A0072753.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP93 Trojan.Virtumod Deleted.
fscax.dll C:\WINDOWS\Downloaded Program Files möglicherweise BINARYRES Not curable. Moved.
sockspy.dll C:\WINDOWS\system32 Tool.SockSpy Not curable. Moved.
mirc.exe F:\Gamers IRC Program.mIRC.621 Not curable. Moved.
A0112308.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Program.mIRC.621 Not curable. Moved.
A0112602.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SaveNow Not curable. Moved.
A0051554.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP76 Program.mIRC.617 Not curable. Moved.
A0113618.EXE K:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Joke.MenTest Not curable. Moved.
A0042005.EXE K:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Joke.Mona Not curable. Moved.
Logfile of HijackThis v1.99.1
Scan saved at 14:26:56, on 07.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVGas\guard.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\wuauclt.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\AVGas\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hope I am clean now ;-)
MoOsE
Hello :)
The log is looking clean now. How is the computer working? Any issues ?
As I can see - everything fine ;-)
No more messages that E-Mails are being sent without my knowledge.
Thank you for enhancing my horizon in tracking malware on my Computer.
So finally could you give me some tips about preventing that these things happen again (i.e. what are the best virus scanners and firewalls I should use?).
I am open for any other tips you could give to me.
Great Forum, keep up the good work! And keep Finland clean :laugh:
Yours,
MoOsE
Hi again, that's great news :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)