"ogix.exe" "ohydy.exe" "taskman" no network



joincyberspace
2010-07-29, 21:37
Hello people out there!

For ~4 days I have had a problem with my Windows XP SP2 PC:
It started with a fake malware removal program. At the same time I discovered that my Symantec/Norton Security was shut down (by itself since I refused to renew), probably that's connected with the problem. Shortly after its first appearance the internet connection was down.

Anyway I remembered a quite good way to get rid of the virus/trojan since this happened before (funny: 2 days after I installed Symantec). I took both of my hard discs out of my desktop, connected them to this notebook and searched using MS Forefront (not my choice, from my workplace).
--> it didn't work.
So I checked on the Internet and tried Malwarebytes' Anti-Malware, which found some trojans.
---> it didn't work.
So I found a nice page on how to recover an infected system: http://saveme.danfischbach.com/
----> it didn't work.

Finally it was only Spybot discovering only one trojan, "taskman", and it was not possible to remove it (yes, Spybot tried and confirmed the removal, but with one more check taskman appeared again).

I tried to remove it manually: http://www.file.net/process/taskman.exe.html

Finally I read that Spybot needs an update, but how is this possible without a connection? I connected to the internet (aware that taskman is still there) but: my network connections are empty.
My Windows tells me that the card is running normally but all network devices are marked with a "!" on yellow background.

I did 6 steps of MS Windows troubleshooting (http://support.microsoft.com/default.aspx?scid=kb;de-de;825826&Product=winxp#Method_6) but my network card is not responding.

Finally I checked the internet for the two strange files, anyhow connected to taskman: "ogix.exe" "ohydy.exe"

There is already software for removal: http://www.prevx.com/filenames/1586383143755153628-X1/OGIX.EXE.html but I must confess, it sounds strange (first appearance of ogix.exe on the 20th of July 2010, 9 days before today).

Finally I read the introduction here; I hope that I did it right (checked using search, saved my registry and generated the DDS log).

And yes, unfortunately I used a memory stick to exchange data. Hope I am not completely ruined. :sick:

Does someone have any ideas how to get a step further (e.g. an internet connection to update my protection)?

best regards from rainy Stockholm,
jo in cyberspace



DDS (Ver_10-03-17.01) - NTFSx86
Run by jo at 21:02:48,10 on 29.07.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.3322.2846 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\TaskbarShuffle\taskbarshuffle.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\NETGEAR\WG111T\wlan111t.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
C:\Programme\vghd\VirtuaGirl_downloader.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Dokumente und Einstellungen\jo\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.joachim-schmid.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\programme\vuze_remote\tbVuze.dll
mWinlogon: Taskman=c:\dokumente und einstellungen\jo\anwendungsdaten\ogix.exe
uWinlogon: Shell=c:\dokumente und einstellungen\jo\anwendungsdaten\ogix.exe,c:\dokumente und einstellungen\eingast\anwendungsdaten\ohydy.exe,explorer.exe,c:\dokumente und einstellungen\jo\anwendungsdaten\ohydy.exe
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
BHO: adShotHlpr Object: {3191ac8c-cb91-4740-ab7e-53af503da4f4} - c:\windows\system32\rctcp.dll
BHO: : {93cf95e2-55cd-44ba-88d9-dc96cc37408c} - c:\windows\system32\ajpmbxe.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\programme\vuze_remote\tbVuze.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\programme\vuze_remote\tbVuze.dll
TB: QuickStores-Toolbar: {10edb994-47f8-43f7-ae96-f2ea63e9f90f} - mscoree.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\programme\gemeinsame dateien\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programme\gemeinsame dateien\ahead\lib\NMBgMonitor.exe"
uRun: [Taskbar Shuffle] c:\programme\taskbarshuffle\taskbarshuffle.exe
uRun: [LockCrypt] "c:\programme\lockcrypt\LockCrypt.exe"
uRun: [swg] c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [jgyo0w] c:\dokume~1\eingast\lokale~1\temp\19aqp.exe
StartupFolder: c:\dokume~1\jo\startm~1\progra~1\autost~1\deskto~1.lnk - c:\programme\vghd\vghd.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\autoca~1.lnk - c:\programme\gemeinsame dateien\autodesk shared\acstart16.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\netgea~1.lnk - c:\programme\netgear\wg111t\wlan111t.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\personal.lnk - c:\programme\personal\bin\Personal.exe
IE: An vorhandenes PDF anfügen - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Auswahl in Adobe PDF konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Auswahl in vorhandene PDF-Datei konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Verknüpfungsziel in Adobe PDF konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programme\gemeinsame dateien\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\jo\anwend~1\mozilla\firefox\profiles\oby6pnow.default\
FF - prefs.js: browser.startup.homepage - hxxp://derstandard.at/|http://www.google.com/calendar/render?tab=mc&gsessionid=FrpWUOITUYjW6MSfyivkkg
FF - component: c:\dokumente und einstellungen\jo\anwendungsdaten\mozilla\firefox\profiles\oby6pnow.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\dokumente und einstellungen\jo\anwendungsdaten\mozilla\firefox\profiles\oby6pnow.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\dokumente und einstellungen\jo\anwendungsdaten\mozilla\firefox\profiles\oby6pnow.default\extensions\firetray@radicalsoft.com\components\firetray.dll
FF - component: c:\dokumente und einstellungen\jo\anwendungsdaten\mozilla\firefox\profiles\oby6pnow.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\programme\nokiasuite\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programme\mozillafirefox\plugins\npsnapfish.dll
FF - plugin: c:\programme\personal\bin\np_prsnl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programme\mozillafirefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programme\mozillafirefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programme\mozillafirefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programme\mozillafirefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programme\mozillafirefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programme\mozillafirefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programme\mozillafirefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2010-7-25 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programme\avira\antivir desktop\sched.exe [2010-7-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2010-7-25 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-25 60936]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S0 offnnnoa;offnnnoa;c:\windows\system32\drivers\offnnnoa.sys --> c:\windows\system32\drivers\offnnnoa.sys [?]
S2 apqioibw;Intel(R) SMBus 2.0 Helper;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"c:\programme\symantec\liveupdate\aluschedulersvc.exe" --> c:\programme\symantec\liveupdate\ALUSchedulerSvc.exe [?]
S2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]
S2 gupdate1c9d60b6df2ae58;Google Update Service (gupdate1c9d60b6df2ae58);c:\programme\google\update\GoogleUpdate.exe [2009-5-16 133104]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
S2 SSIPDDP;SSIPDDP: Parallel port device driver;c:\windows\system32\drivers\ssipddp.sys [2008-3-3 55296]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\dnindis5.sys [2008-4-2 17149]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys [2010-4-30 24576]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-07-29 18:07:13 68120 ----a-w- c:\windows\system32\PxSecure.dll-475234
2010-07-29 18:06:50 45 ----a-w- c:\windows\wininit.ini
2010-07-29 17:52:11 0 d-----w- c:\windows\setup.pss
2010-07-29 17:31:35 19456 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2010-07-29 17:31:35 19456 ----a-w- c:\windows\system32\simptcp.dll
2010-07-29 16:53:52 36864 ----a-w- c:\windows\system32\iprip.dll
2010-07-28 21:01:55 0 d-----w- c:\programme\RunAlyzer
2010-07-28 20:53:48 0 d-----w- c:\windows\pss
2010-07-28 19:07:33 0 d-----w- c:\programme\Spybot_Search&Destroy
2010-07-28 17:51:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 17:51:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 17:51:15 0 d-----w- c:\programme\Malwarebytes_Anti-Malware
2010-07-28 07:38:54 54156 ---ha-w- c:\windows\QTFont.qfn
2010-07-28 07:38:54 1409 ----a-w- c:\windows\QTFont.for
2010-07-27 23:05:18 1904 ------w- c:\windows\system32\SetupBD.din
2010-07-27 20:56:20 7680 --sha-w- c:\windows\Thumbs.db
2010-07-27 20:32:42 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Spybot - Search & Destroy
2010-07-27 20:25:10 0 d-----w- C:\WXPFPP_DE (D)
2010-07-27 19:38:17 131072 --sh--r- c:\dokume~1\jo\anwend~1\ogix.exe
2010-07-25 22:22:57 115712 --sh--r- c:\dokume~1\jo\anwend~1\ohydy.exe
2010-07-25 21:16:22 0 d-s---w- c:\dokumente und einstellungen\jo\UserData
2010-07-25 20:24:10 0 d-----w- c:\dokume~1\jo\anwend~1\Avira
2010-07-25 20:23:09 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-25 20:23:08 0 d-----w- c:\programme\Avira
2010-07-25 20:23:08 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Avira
2010-07-25 19:40:51 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-25 19:40:51 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-07-25 19:40:50 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-25 19:40:50 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-25 19:40:49 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-25 19:40:49 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-25 19:40:17 150 ----a-w- C:\zrpt.xml
2010-07-25 11:47:44 0 d-----w- c:\programme\XPCodecPack
2010-07-16 04:21:36 246784 ----a-w- c:\windows\system32\nctcp.dll

==================== Find3M ====================

2010-07-29 17:33:29 84636 ----a-w- c:\windows\system32\perfc007.dat
2010-07-29 17:33:29 459154 ----a-w- c:\windows\system32\perfh007.dat
2010-06-23 11:50:14 182784 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-06-16 10:08:06 772728 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-06-16 10:08:04 547960 ----a-w- c:\windows\system32\accesor.dll
2010-06-16 09:26:54 129144 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-06-16 08:54:06 1771640 ----a-w- c:\windows\system32\ncscolib.dll
2010-06-13 19:59:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-06-13 19:59:38 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-05-07 15:41:40 265416 ----a-w- c:\windows\system32\Prounstl.exe

============= FINISH: 21:03:08,45 ===============
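The two Winlogon lines in the DDS report above (Taskman and Shell pointing at ogix.exe and ohydy.exe instead of the stock explorer.exe) are the persistence mechanism a helper would look at first. As an added example, not from this thread or from DDS itself, here is a small Python audit that parses DDS-style Winlogon lines and reports every Shell component other than explorer.exe and any Taskman value at all; the sample log is constructed from those two lines plus one clean line for contrast.

```python
import re
from typing import List, Tuple

# DDS prefixes: "u" = per-user hive (HKCU), "m" = machine hive (HKLM).
HIVE = {"u": "HKCU", "m": "HKLM"}
WINLOGON_RE = re.compile(r"^([um])Winlogon:\s*(Shell|Taskman)=(.*)$", re.IGNORECASE)

# Constructed sample: the two Winlogon lines from the DDS report above plus a
# clean HKLM Shell line added for contrast.
SAMPLE_LOG = r"""
mWinlogon: Taskman=c:\dokumente und einstellungen\jo\anwendungsdaten\ogix.exe
uWinlogon: Shell=c:\dokumente und einstellungen\jo\anwendungsdaten\ogix.exe,c:\dokumente und einstellungen\eingast\anwendungsdaten\ohydy.exe,explorer.exe,c:\dokumente und einstellungen\jo\anwendungsdaten\ohydy.exe
mWinlogon: Shell=explorer.exe
"""


def audit_winlogon(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, offending entry) for each suspicious entry.

    Shell is a comma-separated list and should contain only explorer.exe;
    Taskman is normally not set at all, so every Taskman entry is reported.
    """
    findings = []
    for line in log_text.splitlines():
        m = WINLOGON_RE.match(line.strip())
        if not m:
            continue
        hive = HIVE[m.group(1).lower()]
        name = m.group(2).capitalize()
        for entry in m.group(3).split(","):
            entry = entry.strip()
            if not entry:
                continue
            if name == "Shell" and entry.lower() == "explorer.exe":
                continue
            findings.append((hive, name, entry))
    return findings


if __name__ == "__main__":
    for hive, name, entry in audit_winlogon(SAMPLE_LOG):
        print(f"{hive}\\...\\Winlogon {name}: {entry}")
```

On a live system the same two values live under HKLM and HKCU \Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which is where DDS reads them.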

Blade81
2010-08-04, 15:48
Hi,

If you still need help with this copy-paste fresh dds logs (both dds.txt & attach.txt contents) in your reply.

Blade81
2010-08-10, 08:36
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.