virtumonde.dll [Archive] - Safer-Networking Forums

soundtrap

2008-04-19, 04:15

ok, here it goes :sick:

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53:08 p.m., on 18/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\UPHClean\uphclean.exe
C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Programme\HijackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {292BFCA8-2653-482E-9E11-63B8CCF2DCDD} - C:\WINDOWS\system32\geBqOiJc.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE} - C:\WINDOWS\system32\mlJCUOfF.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe" "ZyXEL\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Extract Flash Video with Bytescout... - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: Extract Flash Video with Bytescout... - {A3A9A8C9-D587-4447-8419-1340FF943AF5} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJCUOfF - C:\WINDOWS\SYSTEM32\mlJCUOfF.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

--
End of file - 6797 bytes

Kapersky Online Scanner:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 9:15:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/04/2008
Kaspersky Anti-Virus database records: 714799
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
Z:\

Scan Statistics:
Total number of scanned objects: 99552
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:52:27

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\Administrator\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Administrator\NTUSER.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\ntuser.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\cert8.db Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\formhistory.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\history.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\key3.db Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\search.sqlite Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\urlclassifier2.sqlite Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\4x9r1xnb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008041820080419\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\ntuser.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP170\A0123061.exe/WISE0015.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP170\A0123061.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP170\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6296D65A-8473-45CF-9AC1-AF5CA14042E4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mlJCUOfF.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Z:\Temp\Perflib_Perfdata_674.dat Object is locked skipped
Z:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

Scan process completed.

-----

OK, thats it... Thx in advance :heart:
soundtrap

pskelley

2008-04-19, 12:52

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

soundtrap

2008-04-19, 19:22

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:18:55 p.m., on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\UPHClean\uphclean.exe
C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\HijackThis\HiJackThis.exe
C:\Dokumente und Einstellungen\Cerrato\Eigene Dateien\P\Div\SimpleScreenshot\SimpleScreenshot.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {292BFCA8-2653-482E-9E11-63B8CCF2DCDD} - C:\WINDOWS\system32\geBqOiJc.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71C130DD-6B32-48DF-B2BA-9A2A25C568FC} - C:\WINDOWS\system32\vtUooMfC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe" "ZyXEL\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Extract Flash Video with Bytescout... - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: Extract Flash Video with Bytescout... - {A3A9A8C9-D587-4447-8419-1340FF943AF5} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJCUOfF - mlJCUOfF.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

--
End of file - 7508 bytes

ComboFix log:

ComboFix 08-04-18.3 - Cerrato 2008-04-19 13:10:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.1121 [GMT -3:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Cerrato\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\4R3ADS5W\www.broadcaster.com
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\recover.reg
C:\WINDOWS\system32\CfMooUtv.ini
C:\WINDOWS\system32\CfMooUtv.ini2
C:\WINDOWS\system32\cJiOqBeg.ini
C:\WINDOWS\system32\cJiOqBeg.ini2
C:\WINDOWS\system32\DgNUDJjl.ini
C:\WINDOWS\system32\DgNUDJjl.ini2
C:\WINDOWS\system32\mlJCUOfF.dll
C:\WINDOWS\system32\vGfPYcfe.ini
C:\WINDOWS\system32\vGfPYcfe.ini2
C:\WINDOWS\system32\XabIlkkj.ini
C:\WINDOWS\system32\XabIlkkj.ini2

.
((((((((((((((((((((((( Dateien erstellt von 2008-03-19 bis 2008-04-19 ))))))))))))))))))))))))))))))
.

2008-04-18 17:20 . 2006-08-16 07:50 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-04-18 17:20 . 2006-08-17 02:45 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-04-18 17:20 . 2008-04-18 17:20 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-04-18 17:20 . 2008-04-19 13:09 1,024 --ah----- C:\Dokumente und Einstellungen\Administrator\NTUSER.dat.LOG
2008-04-18 15:25 . 2008-04-18 15:25 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-04-18 13:48 . 2008-04-18 13:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 13:48 . 2008-04-18 13:48 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-04-15 18:12 . 2008-04-15 18:12 <DIR> d-------- C:\Programme\Bytescout Movies Extractor Scout
2008-04-15 18:12 . 2008-04-15 18:12 <DIR> d-------- C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Movies Extractor Scout
2008-04-15 18:12 . 2007-09-17 16:09 688,024 --a------ C:\WINDOWS\system32\SWFToImage.dll
2008-04-15 18:09 . 2008-04-15 18:09 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-04-15 15:08 . 2008-04-15 21:35 239,992,832 --a------ C:\~PST1003.tmp
2008-04-10 13:23 . 2008-04-11 03:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-08 01:20 . 2008-04-15 23:58 <DIR> d-------- C:\Programme\Gothic III
2008-04-07 15:25 . 2008-04-07 15:27 41 ---hs---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\.zreglib
2008-04-07 15:12 . 2008-04-18 17:50 <DIR> d-------- C:\Programme\SlySoft
2008-04-07 15:12 . 2008-04-07 15:25 24 ---hs---- C:\WINDOWS\SB6388C61.tmp
2008-04-07 15:05 . 2008-04-07 15:05 <DIR> d-------- C:\Programme\A-Ray Scanner
2008-04-07 03:08 . 2008-04-07 03:08 <DIR> d-------- C:\Programme\UPHClean
29 Datei(en) . 8,462 C:\ComboFix\Bytes
3 Datei(en) . 525,502 C:\ComboFix\Bytes
1 Datei(en) . 62 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 16:08 --------- d-----w C:\Programme\Mozilla
2008-04-18 03:50 --------- d-----w C:\Programme\Soulseek
2008-04-15 04:46 --------- d-----w C:\Programme\PeerGuardian2
2008-04-14 21:25 --------- d-----w C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Skype
2008-04-11 03:44 --------- d-----w C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\Lavasoft
2008-04-08 04:20 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-04-07 17:53 --------- d-----w C:\Dokumente und Einstellungen\Cerrato\Anwendungsdaten\dvdcss
2008-04-07 07:35 --------- d-----w C:\Programme\QuickTime
2008-04-07 07:32 --------- d-----w C:\Programme\DFÜ-Speed
2008-04-07 07:27 --------- d-----w C:\Programme\MP3 to WAV Decoder
2008-03-30 22:51 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-03-29 23:37 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-03-29 23:35 --------- d-----w C:\Programme\Lineage II
2008-03-26 07:52 --------- d-----w C:\Programme\JoWooD
2008-03-04 17:55 --------- d-----w C:\Programme\IrfanView
2008-03-04 00:54 --------- d-----w C:\Programme\Valve
2008-02-13 23:58 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-15 05:00 343,552 ----a-w C:\Programme\Sorcerer&ShilienKnight.doc
2007-12-14 06:20 213,504 ----a-w C:\Programme\ShillienTempleKnight.doc
2007-12-13 17:07 190,464 ----a-w C:\Programme\nECROsORCER.doc
2007-12-11 23:53 241,664 ----a-w C:\Programme\necrohowler.doc
2007-12-10 06:04 379,102 ----a-w C:\Programme\Shot00003.jpg
2007-12-10 06:04 360,838 ----a-w C:\Programme\Shot00004.jpg
2007-12-10 06:04 329,290 ----a-w C:\Programme\Shot00002.jpg
2007-12-10 05:44 348,515 ----a-w C:\Programme\Shot00001.jpg
2007-12-10 05:43 389,579 ----a-w C:\Programme\Shot00000.jpg
2007-12-07 22:55 89,600 ----a-w C:\Programme\sa.doc
2007-12-04 23:38 245,760 ----a-w C:\Programme\Bishop vs Elder.doc
2007-12-01 19:40 252,416 ----a-w C:\Programme\Spellhowler vs. Spellsinger.doc
2007-12-01 19:40 19,456 ----a-w C:\Programme\characters.doc
2007-04-28 05:30 19,456 ----a-w C:\Programme\Azaghal.doc
2007-04-13 20:51 19,456 ----a-w C:\Programme\sa_lvl8-13.doc
2007-03-25 09:24 45,056 ----a-w C:\Programme\El ABCD del Daguero.doc
2007-03-25 09:23 48,128 ----a-w C:\Programme\subclass.doc
2005-04-13 12:37 13,363,712 ----a-w C:\Programme\Gothic2.exe
2005-04-13 12:34 9,187,328 ----a-w C:\Programme\ar.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{292BFCA8-2653-482E-9E11-63B8CCF2DCDD}]
C:\WINDOWS\system32\geBqOiJc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71C130DD-6B32-48DF-B2BA-9A2A25C568FC}]
C:\WINDOWS\system32\vtUooMfC.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:57 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnxDslTaskBar"="C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe" [2004-05-12 00:06 233472]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2005-12-08 12:06 16384 C:\WINDOWS\CTHELPER.EXE]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:57 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCUOfF]
mlJCUOfF.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"DiskeeperSystray"="C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\Soulseek\\slsk.exe"=
"C:\\Programme\\BitComet\\BitComet.exe"=
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programme\\MSN Messenger\\livecall.exe"=
"C:\\Programme\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Programme\\Real\\RealPlayer\\realplay.exe"=
"C:\\Programme\\SiSoftware Sandra Lite XIIc\\Win32\\RpcDataSrv.exe"=
"C:\\Programme\\SiSoftware Sandra Lite XIIc\\RpcSandraSrv.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23530:TCP"= 23530:TCP:BitComet 23530 TCP
"23530:UDP"= 23530:UDP:BitComet 23530 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-28 23:00]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-12-17 02:17]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:58]
R3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-05-12 00:03]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-05-12 00:03]
R3 CnxTgNL;Conexant AccessRunner ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNL.sys [2004-05-12 00:03]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;C:\WINDOWS\system32\DRIVERS\bcfilter.sys []
S3 BcfilterMP;BcfilterMP;C:\WINDOWS\system32\DRIVERS\bcfilter.sys []
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2007-03-29 01:11]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Inhalt des "geplante Tasks" Ordners
"2008-03-28 22:42:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 13:14:43
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\UPHClean\uphclean.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-04-19 13:17:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 16:17:37

9 Verzeichnis(se), 35,431,206,912 Bytes frei
12 Verzeichnis(se), 35,336,384,512 Bytes frei

192 --- E O F --- 2008-04-12 04:25:10

Thx :D:

soundtrap

2008-04-19, 19:24

It seems to be that i lost all of my firefox bookmarks...:(

Is there a way to recover them?

pskelley

2008-04-19, 19:53

It seems to be that i lost all of my firefox bookmarks...:( Is there a way to recover them?
It is surely best to keep backups of important data, I will see what I can find out before we finish, don't allow me to forget.

Thanks for returning your information, looks like combofix killed the junk in the first run. How is the computer running? Let's clean like this:

1) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Programme\Java\jre1.6.0_03\ <<< update your Java program

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {292BFCA8-2653-482E-9E11-63B8CCF2DCDD} - C:\WINDOWS\system32\geBqOiJc.dll (file missing)
O2 - BHO: (no name) - {71C130DD-6B32-48DF-B2BA-9A2A25C568FC} - C:\WINDOWS\system32\vtUooMfC.dll (file missing)
O20 - Winlogon Notify: mlJCUOfF - mlJCUOfF.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log.

Thanks

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

soundtrap

2008-04-19, 20:54

OK. Thx for everything already!!! :alien:

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46:30 p.m., on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\UPHClean\uphclean.exe
C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programme\Mozilla\firefox.exe
C:\Programme\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programme\ZyXEL\AccessRunner ADSL USB\CnxDslTb.exe" "ZyXEL\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Extract Flash Video with Bytescout... - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {90A5A78A-08CF-43CD-BE87-F8A66DAC6C4A} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: Extract Flash Video with Bytescout... - {A3A9A8C9-D587-4447-8419-1340FF943AF5} - C:\Programme\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{055E9BF0-F74B-4C6B-B6E2-BD3667A31567}: NameServer = 200.51.211.7 200.51.212.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Programme\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

--
End of file - 6988 bytes

---------------

CF-RC.txt:

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley

2008-04-19, 21:12

Have a look in these links:
http://www.google.com/search?hl=en&q=restore+firefox+favorites&btnG=Google+Search

How is the computer running?
Is this you? >> http://whois.domaintools.com/200.51.211.7
Besides the check on the Tcpip number, the HJT log looks clean of malware and Recovery Console is installed. That tool may come in very handy one day.

Remove combofix and the C:\Qoobox\Quarantine\ folder from your computer and run a last Kaspersky Online Scan to be sure we missed no malware. We still need to clean infected System Restore files, so expect the scan to locate a couple of items. Use these setting please:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks...Phil

soundtrap

2008-04-19, 23:52

How is the computer running?
very good. no probs at all^^

http://www.google.com/search?hl=en&q...=Google+Search
Thx^^ i could restore a recent backup ! :heart:

And now the Kapersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 19, 2008 5:41:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 640819
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
Z:\

Scan Statistics:
Total number of scanned objects: 105249
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:33:23

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008041920080420\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\ntuser.dat Object is locked skipped
C:\Dokumente und Einstellungen\Cerrato\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP176\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP176\change.log Object is locked skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Z:\System Volume Information\_restore{066D9272-9E77-4F29-9D26-BA2212DB5F7F}\RP176\change.log Object is locked skipped
Z:\Temp\Perflib_Perfdata_65c.dat Object is locked skipped
Z:\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
Z:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

Scan process completed.

----

It looks good i think.

thx for all.

*hug* :heart::D:

pskelley

2008-04-19, 23:59

Thanks for returning your "clean" KOS, I thought we had a couple of infected System Restore files? Must have been wrong, won't hurt to read this information anyway:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.