grahamgreen
2008-04-21, 09:43
Problem Description:
my Pc suffered a virus-attack some weeks ago. Since then the network-connection could only be activated infrequently though still using the user-name/pw initially set to do that. Opera sometimes didn't allow me to log on and reported another user. - Therefore - as a pcnewbie - I thought it is likely that my computer is no longer determined in a way I could wish it to be.
My attempts to solve this problem so far:
AVG discovered some viruses and deleted them. Spybot and Adware got rid of some of the spyware. However, this was even before I became aware of the possible problem setting mentioned above.
Today I followed up on the procedure stated in the preliminary steps to malware removal stated in this forum.
I) Kapersky detected at least a virus and a worm (s. below)
Infected Object Name Virus Name Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Desktop\Erweiterte Installationsdaten\Avant Browser\SysHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.j skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx/[From hanno@fourtex.de][Date Thu, 20 Sep 2007 08:23:32 +0200]/UNNAMED/information.pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx/[From hanno@fourtex.de][Date Thu, 20 Sep 2007 08:23:32 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\hanno\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{08AC39B9-079B-4C57-95A0-C67602D45994}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_520.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{08AC39B9-079B-4C57-95A0-C67602D45994}\RP1\change.log Object is locked skipped
II) The Spybot used in SafeMode didn't discover any spy-/malware.
(But by using safemode the windows xp entry menu offered me to log on as an administrator next to my standard log-name. I chose the latter not aware til then that it had not been the administrator's log. - I hope nevertheless that running spybot as a non-administrator user was still as effective as it should be and that this administrator-issue has nothing to do with my OS (SP2) having been hijacked. Which brings me to III)...
III) And eventually the hijackthis log file:
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43:34, on 21.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Programme\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\OpenOffice.org 2.3\program\soffice.BIN
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.kuleuven.be/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programme\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 5536 bytes
Ok, I somehow hope you can appreciate that an amateur such as me is posting here... requesting some good advice on how to proceed.
Thank you in advance for attending to this.... Best regards,
gg
my Pc suffered a virus-attack some weeks ago. Since then the network-connection could only be activated infrequently though still using the user-name/pw initially set to do that. Opera sometimes didn't allow me to log on and reported another user. - Therefore - as a pcnewbie - I thought it is likely that my computer is no longer determined in a way I could wish it to be.
My attempts to solve this problem so far:
AVG discovered some viruses and deleted them. Spybot and Adware got rid of some of the spyware. However, this was even before I became aware of the possible problem setting mentioned above.
Today I followed up on the procedure stated in the preliminary steps to malware removal stated in this forum.
I) Kapersky detected at least a virus and a worm (s. below)
Infected Object Name Virus Name Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Desktop\Erweiterte Installationsdaten\Avant Browser\SysHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.j skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx/[From hanno@fourtex.de][Date Thu, 20 Sep 2007 08:23:32 +0200]/UNNAMED/information.pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx/[From hanno@fourtex.de][Date Thu, 20 Sep 2007 08:23:32 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Identities\{581F607A-A174-4529-AF0D-6DF1C3E056AE}\Microsoft\Outlook Express\Gelöschte Objekte.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\hanno\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\hanno\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Programme\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{08AC39B9-079B-4C57-95A0-C67602D45994}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_520.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{08AC39B9-079B-4C57-95A0-C67602D45994}\RP1\change.log Object is locked skipped
II) The Spybot used in SafeMode didn't discover any spy-/malware.
(But by using safemode the windows xp entry menu offered me to log on as an administrator next to my standard log-name. I chose the latter not aware til then that it had not been the administrator's log. - I hope nevertheless that running spybot as a non-administrator user was still as effective as it should be and that this administrator-issue has nothing to do with my OS (SP2) having been hijacked. Which brings me to III)...
III) And eventually the hijackthis log file:
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43:34, on 21.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Programme\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\OpenOffice.org 2.3\program\soffice.BIN
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.kuleuven.be/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programme\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 5536 bytes
Ok, I somehow hope you can appreciate that an amateur such as me is posting here... requesting some good advice on how to proceed.
Thank you in advance for attending to this.... Best regards,
gg