"Security Warning: your computer may be infected with harmful or unwanted software!"



flyingdog
2006-11-19, 12:39
Every time I reboot, I get the message I typed in the title. It's a little symbol in the taskbar. This is my HijackThis log:

Btw, I also ran AntiVir on the Windows folder and SB S&D. SB found a lot, but fixed it all.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:57, on 19.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\{682E7E3C-07DA-1031-0716-05091405002b}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Dokumente und Einstellungen\Benji\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcog.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Programme\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Scanner Finder.lnk = C:\Programme\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160914199418
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D32A287-4CB5-4BE4-892C-D3CB1D54286F}: NameServer = 172.27.2.10 172.27.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe

Hope you can help me :oops:

BR flyingdog

Mr_JAk3
2006-11-22, 11:16
Hi flyingdog and welcome to Safer Networking Forums :)

You got some infections there...

C:\WINDOWS\SYSTEM32\antiwpa.dll (have any idea why this is on your system?)
http://www.sophos.com/security/analyses/trojantiwpaa.html

Troj/Antiwpa-A modifies system files in an attempt to disable Windows product activation.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with a fresh HijackThis log.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
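The triage done by eye in this thread (an O20 Winlogon Notify entry that loads a DLL outside the Windows baseline, an O2 BHO with no name and a missing file, an O4 autorun that starts a DLL through rundll32.exe, an O23 service with an unknown owner and a missing binary) can be written down as a few rules over HijackThis log lines. The script below is an added example; it is not part of this thread and not a feature of HijackThis, ComboFix or SmitfraudFix. The KNOWN_WINLOGON_NOTIFY allowlist is an assumption constructed for the example, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log with the heuristics an analyst applies by hand.

Added example (not from the thread above, not part of HijackThis). Every hit is a
lead for a human to check, not a verdict: the O23 hit in the sample below is
WinPcap's rpcapd daemon, which the log itself attributes to %ProgramFiles%\\WinPcap.
"""
import re

# Assumed allowlist of Winlogon Notify packages on a stock Windows XP SP2 install.
# Constructed for this example; build your own baseline from a clean machine.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Sample log lines, copied from the HijackThis log posted in this thread.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcog.dll,startup",
    r"O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
]


def parse_hjt_line(line):
    """Split 'O20 - Winlogon Notify: ...' into (section, rest); None if not an entry."""
    m = re.match(r"^(R\d|O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage(lines):
    """Return (section, reason, line) for every entry that deserves a closer look."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue  # free text, blank line, process list, etc.
        section, rest = parsed
        reason = None
        if section == "O20" and rest.startswith("Winlogon Notify:"):
            # Name sits between the colon and the ' - ' that precedes the DLL path.
            name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_WINLOGON_NOTIFY:
                reason = f"Winlogon Notify package '{name}' not in baseline"
        elif section == "O2" and rest.startswith("BHO:"):
            if "(no name)" in rest or "(file missing)" in rest:
                reason = "BHO with no name or missing file"
        elif section == "O4":
            if re.search(r"rundll32\.exe\s+\S+\.dll", rest, re.IGNORECASE):
                reason = "autorun loads a DLL via rundll32.exe"
        elif section == "O23":
            if "Unknown owner" in rest and "(file missing)" in rest:
                reason = "service with unknown owner and missing binary"
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG_LINES):
        print(f"[{section}] {reason}\n    {line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read().splitlines())`; the rules are deliberately narrow, so a clean entry such as the Symantec ccApp autorun or the Java SSVHelper BHO produces nothing, while each of the four entry types called out above produces one line to investigate.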

flyingdog
2006-11-24, 09:26
Hello Mr_JAk3,

Thank you for the fast reply! I think I have found the right place for my PC problems :D


C:\WINDOWS\SYSTEM32\antiwpa.dll (have any idea why this is on your system?)

Yeah, I have! I installed it after a friend told me to do so. He said it is easier than with the key. Btw, I have the key, so it would be OK to kill this antiwpa sh**.

But I have a question about this: What is that antiwpa.dll doing to my system? Just disabling the product activation, or also some other "unwanted" things?

flyingdog
2006-11-24, 09:32
Benji - 06-11-24 8:05:00,23 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Dokumente und Einstellungen\Benji\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Programme\Gemeinsame Dateien\{382E7E3C-07DA-1031-0716-05091405002b}
C:\Programme\Gemeinsame Dateien\{682E7E3C-07DA-1031-0716-05091405002b}


((((((((((((((((((((((((((((((( Files Created from 2006-10-24 to 2006-11-24 ))))))))))))))))))))))))))))))))))


2006-11-23 11:08 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-11-22 15:13 <DIR> C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Meine Die Schlacht um MittelerdeT II-Dateien
2006-11-22 14:53 <DIR> d-------- C:\Programme\Electronic Arts
2006-11-21 17:54 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2006-11-21 17:54 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\QuickTime
2006-11-21 17:53 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2006-11-21 17:53 <DIR> d-------- C:\Programme\QuickTime
2006-11-21 17:52 94,208 --a------ C:\WINDOWS\system32\TCPreset202.dll
2006-11-21 17:52 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2006-11-21 17:52 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2006-11-21 17:52 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2006-11-21 17:52 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2006-11-21 17:52 <DIR> d-------- C:\Programme\TCWorks
2006-11-21 17:52 <DIR> d-------- C:\Programme\directx
2006-11-21 17:46 299,008 --a------ C:\WINDOWS\unin0407.exe
2006-11-21 13:19 <DIR> d-------- C:\Programme\OpenVideoConverter
2006-11-19 23:28 <DIR> d-------- C:\Tmp
2006-11-19 23:27 <DIR> d-------- C:\Programme\Taksi
2006-11-19 16:28 <DIR> d-------- C:\Programme\Logitech
2006-11-19 16:28 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Logitech
2006-11-19 16:25 <DIR> d-a------ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2006-11-19 16:19 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\BitTorrent
2006-11-19 15:58 <DIR> d-------- C:\Programme\Upload-Tool
2006-11-19 14:47 <DIR> d-------- C:\Programme\Lavasoft
2006-11-19 14:47 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Lavasoft
2006-11-19 14:34 <DIR> d-------- C:\Programme\Powerbullet
2006-11-19 11:06 <DIR> d-------- C:\VundoFix Backups
2006-11-19 11:03 <DIR> d-------- C:\HIJACKTHIS
2006-11-19 11:02 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2006-11-19 11:02 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2006-11-18 15:15 <DIR> d-------- C:\Programme\WinRAR
2006-11-18 14:02 59,392 --a------ C:\WINDOWS\system32\drvcog.dll
2006-11-18 14:02 40,973 ---hs---- C:\WINDOWS\system32\mljighg.dll
2006-11-18 12:23 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2006-11-18 12:10 <DIR> d-------- C:\Programme\Codemasters
2006-11-17 19:38 32,256 --a------ C:\WINDOWS\system32\xqpdai.dll
2006-11-17 17:57 <DIR> d-------- C:\Programme\Wondershare
2006-11-17 17:35 <DIR> d-------- C:\Fraps
2006-11-17 17:23 <DIR> d-------- C:\WINDOWS\Lhsp
2006-11-17 17:20 <DIR> d-------- C:\Programme\BlablaMaker
2006-11-17 17:10 <DIR> d-------- C:\Programme\Basement Softworks
2006-11-17 09:46 <DIR> d-------- C:\Programme\BMP2AVI
2006-11-17 09:45 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-11-17 09:45 249,856 --------- C:\WINDOWS\Setup1.exe
2006-11-15 12:24 22 --a------ C:\Dokumente und Einstellungen\Benji\WWPACK.REG
2006-11-13 15:07 <DIR> d-------- C:\Programme\Xylobot
2006-11-13 14:55 <DIR> d-------- C:\Programme\AC Tool
2006-11-13 14:51 <DIR> d-------- C:\Programme\AutoIt3
2006-11-12 09:11 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Help
2006-11-08 22:07 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Avery
2006-11-08 22:07 <DIR> d-------- C:\Programme\Avery Zweckform Assistent 2.5
2006-11-08 17:27 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2006-11-08 17:25 90,112 -ra------ C:\WINDOWS\system32\CNMCP78.exe
2006-11-08 17:25 328,704 --a------ C:\WINDOWS\IsUn0407.exe
2006-11-08 17:25 <DIR> d-------- C:\WINDOWS\StartHtmico
2006-11-08 17:24 <DIR> d-------- C:\Programme\Canon
2006-11-08 17:12 8,704 --a------ C:\WINDOWS\system32\CNMVS78.DLL
2006-11-08 17:12 140,288 --a------ C:\WINDOWS\system32\CNMLM78.DLL
2006-11-08 17:12 <DIR> d--h----- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonBJ
2006-11-08 17:10 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-11-07 16:24 <DIR> d-------- C:\Programme\David-John Miller
2006-11-04 20:59 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Wireshark
2006-11-04 20:33 <DIR> d-------- C:\Programme\Visual File Splitter
2006-11-04 20:01 <DIR> d-------- C:\Programme\WinPcap
2006-11-04 19:54 <DIR> d-------- C:\Programme\Wireshark
2006-11-04 15:40 <DIR> d-------- C:\Programme\RADVideo
2006-11-02 23:46 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-01 22:52 <DIR> d-------- C:\WINDOWS\Sun
2006-11-01 22:52 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Sun
2006-11-01 22:41 <DIR> d-------- C:\Programme\Java
2006-11-01 22:41 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2006-10-31 18:11 <DIR> d-------- C:\Programme\RAR Password Cracker
2006-10-31 17:39 <DIR> d--h----- C:\WINDOWS\PIF
2006-10-31 17:36 <DIR> d-------- C:\BR
2006-10-29 22:48 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Application Data
2006-10-29 21:43 128,232 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-29 20:17 <DIR> d-------- C:\Programme\Real
2006-10-29 20:17 <DIR> d-------- C:\Programme\Gemeinsame Dateien\xing shared
2006-10-29 20:17 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Real
2006-10-29 20:15 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Real
2006-10-29 20:12 <DIR> d-------- C:\Meine Downloads
2006-10-29 18:09 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Ulead Systems
2006-10-29 17:25 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-29 17:24 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\AdobeUM
2006-10-29 17:23 278,528 --a------ C:\WINDOWS\PhotoShow.scr
2006-10-29 17:22 <DIR> d-------- C:\Programme\Simple Star
2006-10-29 17:22 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Simple Star
2006-10-29 17:21 32,768 --------- C:\WINDOWS\system32\UleadPhotoExplorer8_Res.dll
2006-10-29 17:21 24,576 --------- C:\WINDOWS\system32\Ulead Photo Explorer 8.scr
2006-10-29 17:21 <DIR> d-------- C:\Programme\Ulead Systems
2006-10-29 17:21 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Ulead Systems
2006-10-29 17:21 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ulead Systems
2006-10-29 17:19 98,304 --a------ C:\WINDOWS\system32\MSMD8w.dll
2006-10-29 17:19 73,601 --a------ C:\WINDOWS\system32\MSMD4W.dll
2006-10-29 17:19 72,584 --a------ C:\WINDOWS\system32\MSMCFw.dll
2006-10-29 17:19 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys
2006-10-29 17:19 67,522 --a------ C:\WINDOWS\system32\MSMD9W.dll
2006-10-29 17:19 62,947 --a------ C:\WINDOWS\system32\MSMC1W.dll
2006-10-29 17:19 62,462 --a------ C:\WINDOWS\system32\MSMCEw.dll
2006-10-29 17:19 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys
2006-10-29 17:19 41,733 --a------ C:\WINDOWS\system32\MSMB1W.dll
2006-10-29 17:19 38,215 --a------ C:\WINDOWS\system32\MSM8BW.dll
2006-10-29 17:19 35,906 --a------ C:\WINDOWS\system32\MSMC9W.dll
2006-10-29 17:19 35,906 --a------ C:\WINDOWS\system32\MSMA7W.dll
2006-10-29 17:19 35,563 --a------ C:\WINDOWS\system32\MSMWUD.dll
2006-10-29 17:19 35,246 --a------ C:\WINDOWS\system32\MSMBDW.dll
2006-10-29 17:19 34,720 --a------ C:\WINDOWS\system32\MSMB0W.dll
2006-10-29 17:19 30,565 --a------ C:\WINDOWS\system32\MSMWUD13.dll
2006-10-29 17:19 30,557 --a------ C:\WINDOWS\system32\MSMWUD17.dll
2006-10-29 17:19 30,053 --a------ C:\WINDOWS\system32\MSMWUD11.dll
2006-10-29 17:19 30,030 --a------ C:\WINDOWS\system32\MSMWUD7.dll
2006-10-29 17:19 30,013 --a------ C:\WINDOWS\system32\MSMWUD9.dll
2006-10-29 17:19 285,216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys
2006-10-29 17:19 208,896 --a------ C:\WINDOWS\system32\MSME5w.dll
2006-10-29 17:19 208,896 --a------ C:\WINDOWS\system32\MSM08w.dll
2006-10-29 17:19 204,800 --a------ C:\WINDOWS\system32\MSME6w.dll
2006-10-29 17:19 192,512 --a------ C:\WINDOWS\system32\MSME4W.dll
2006-10-29 17:19 184,320 --a------ C:\WINDOWS\system32\MSM22w.dll
2006-10-29 17:19 15,396 --a------ C:\WINDOWS\system32\Msmusd5.dll
2006-10-29 17:19 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll
2006-10-29 17:19 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll
2006-10-29 17:19 <DIR> d-------- C:\Programme\ScanWizard 5
2006-10-29 17:19 <DIR> d-------- C:\Kpcms
2006-10-28 10:45 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NFS Underground
2006-10-28 10:19 <DIR> d-------- C:\Programme\Gemeinsame Dateien\DirectX
2006-10-28 09:59 52,540,038 --a------ C:\regbackup.reg
2006-10-28 09:51 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\WINDOWS
2006-10-28 09:47 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\My Battle for Middle-earth(tm) II Files
2006-10-27 19:33 <DIR> d-------- C:\Programme\Sacred
2006-10-27 18:16 <DIR> d-------- C:\Programme\Valve
2006-10-27 17:13 <DIR> d-------- C:\Programme\Die Schlacht um Mittelerde II
2006-10-27 15:18 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2006-10-27 13:05 <DIR> d-------- C:\Programme\Windows XP Optimizer
2006-10-26 18:47 <DIR> d-------- C:\Programme\Easy Graphic Converter
2006-10-26 18:47 <DIR> d-------- C:\ImageOutput
2006-10-26 18:06 5,632 --a------ C:\WINDOWS\system32\antiwpa.dll
2006-10-25 13:39 31,744 --a------ C:\WINDOWS\system32\drivers\AmdTools.sys
2006-10-25 13:39 <DIR> d-------- C:\Programme\AMD
2006-10-25 13:38 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2006-10-24 19:00 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\ATI
2006-10-24 18:57 <DIR> d-------- C:\ATI
2006-10-24 14:06 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\InstallShield
2006-10-24 14:04 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2006-10-24 14:04 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2006-10-24 14:04 <DIR> d---s---- C:\Programme\Xfire
2006-10-24 14:04 <DIR> d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Xfire
2006-10-24 13:59 <DIR> d-------- C:\Programme\Gothic III

flyingdog
2006-11-24, 09:32
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-24 08:06 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-11-24 07:17 -------- d-------- C:\Programme\Steam
2006-11-23 11:08 -------- d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2006-11-23 10:07 -------- d-------- C:\Programme\Norton Internet Security
2006-11-21 18:32 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Adobe
2006-11-21 17:52 -------- d-------- C:\Programme\Gemeinsame Dateien\Adobe
2006-11-19 16:19 -------- d-------- C:\Programme\BitTorrent
2006-11-18 15:47 -------- d-------- C:\Programme\Internet Explorer
2006-11-18 12:10 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-11-18 00:06 -------- d-------- C:\Programme\Winamp
2006-11-01 22:26 -------- d-------- C:\Programme\Windows Media Player
2006-11-01 08:18 -------- d-------- C:\Programme\Microsoft Works
2006-11-01 08:18 -------- d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2006-11-01 08:16 -------- d-------- C:\Programme\Google
2006-10-29 22:48 -------- d---s---- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Microsoft
2006-10-29 20:08 -------- d-------- C:\Programme\MSN Messenger
2006-10-28 15:05 -------- d-------- C:\Programme\Messenger
2006-10-28 10:22 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-10-28 10:02 -------- d-------- C:\Programme\EA GAMES
2006-10-24 18:58 -------- d-------- C:\Programme\ATI Technologies
2006-10-24 14:05 -------- d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2006-10-22 09:29 -------- d-------- C:\Programme\Microsoft Visual Studio
2006-10-22 09:29 -------- d-------- C:\Programme\Microsoft Office
2006-10-22 09:29 -------- d-------- C:\Programme\Gemeinsame Dateien\System
2006-10-22 09:29 -------- d-------- C:\Programme\Gemeinsame Dateien\DESIGNER
2006-10-22 09:28 -------- d-------- C:\Programme\Microsoft.NET
2006-10-21 22:41 -------- d-------- C:\Programme\UZTool
2006-10-21 13:55 -------- d-------- C:\Programme\Gemeinsame Dateien\LightScribe
2006-10-21 13:55 -------- d-------- C:\Programme\Ahead
2006-10-21 13:53 -------- d-------- C:\Programme\Gemeinsame Dateien\Nero
2006-10-21 13:52 -------- d-------- C:\Programme\Gemeinsame Dateien\Ahead
2006-10-21 01:59 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-19 18:45 737280 --a------ C:\WINDOWS\iun6002.exe
2006-10-19 07:00 -------- d-------- C:\Programme\Outlook Express
2006-10-18 19:45 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\CyberLink
2006-10-18 19:42 -------- d-------- C:\Programme\CyberLink
2006-10-16 17:01 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\DivX
2006-10-16 16:54 -------- d-------- C:\Programme\DivX
2006-10-16 11:00 -------- d-------- C:\Programme\Movie Maker
2006-10-16 10:59 -------- d-------- C:\Programme\Windows NT
2006-10-16 10:59 -------- d-------- C:\Programme\NetMeeting
2006-10-15 17:36 -------- d-------- C:\Programme\Anti-Leech
2006-10-15 13:35 -------- d-------- C:\Programme\GTA San Andreas
2006-10-13 20:53 -------- d-------- C:\Programme\Hauppauge
2006-10-13 19:12 -------- d--h----- C:\Programme\WindowsUpdate
2006-10-13 17:15 -------- d-------- C:\Programme\Symantec
2006-10-13 17:14 -------- d-------- C:\Programme\SymNetDrv
2006-10-13 13:35 146432 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-12 22:49 -------- d-------- C:\Programme\Shutdown4U
2006-10-12 22:24 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Macromedia
2006-10-12 22:18 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Google
2006-10-12 21:42 -------- d-------- C:\Programme\Ubisoft
2006-10-12 21:20 -------- d-------- C:\Programme\MindArk
2006-10-12 16:45 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Symantec
2006-10-12 16:39 -------- d-------- C:\Programme\Adobe
2006-10-12 16:39 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\InterTrust
2006-10-12 16:33 -------- d-------- C:\Programme\AvRack
2006-10-12 15:46 -------- d--h----- C:\Programme\Uninstall Information
2006-10-12 15:46 -------- d-------- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\Identities
2006-10-12 15:43 0 -rahs---- C:\MSDOS.SYS
2006-10-12 15:43 0 -rahs---- C:\IO.SYS
2006-10-12 15:43 0 --a------ C:\CONFIG.SYS
2006-10-12 15:43 0 --a------ C:\AUTOEXEC.BAT
2006-10-12 15:43 -------- d-------- C:\Programme\xerox
2006-10-12 15:43 -------- d-------- C:\Programme\microsoft frontpage
2006-10-12 15:42 -------- d-------- C:\Programme\Online-Dienste
2006-10-12 15:41 -------- d-------- C:\Programme\Gemeinsame Dateien\MSSoap
2006-10-12 15:41 -------- d-------- C:\Programme\Gemeinsame Dateien\Dienste
2006-10-12 15:41 -------- d-------- C:\Programme\ComPlus Applications
2006-10-12 15:40 -------- d-------- C:\Programme\Online Services
2006-10-12 15:40 -------- d-------- C:\Programme\MSN Gaming Zone
2006-10-12 15:40 -------- d-------- C:\Programme\MSN
2006-10-12 15:34 -------- d-------- C:\Programme\Gemeinsame Dateien\SpeechEngines
2006-10-12 15:34 -------- d-------- C:\Programme\Gemeinsame Dateien\ODBC
2006-10-12 15:33 62 --ahs---- C:\Dokumente und Einstellungen\Benji\Anwendungsdaten\desktop.ini
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-28 15:05 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-09-28 15:05 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-09-28 15:04 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-09-28 15:03 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-09-15 21:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 06:02 1084416 --------- C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:46 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 04:47 129784 --------- C:\WINDOWS\system32\pxafs.dll
2006-08-25 04:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Steam"="\"C:\\Programme\\Steam\\Steam.exe\" -silent"
"MsnMsgr"="\"C:\\Programme\\MSN Messenger\\MsnMsgr.Exe\" /background"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ccApp"="\"C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Programme\\Gemeinsame Dateien\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATICCC"="\"C:\\Programme\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"amd_dc_opt"="\"C:\\Programme\\AMD\\amd_dc_opt\\amd_dc_opt.exe\""
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Easy-PrintToolBox"="C:\\Programme\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvcog.dll,startup"
@=""
"Launch LGDCore"="\"C:\\Programme\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"C:\\Programme\\Logitech\\G-series Software\\LCDMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Benji.job

Completion time: 06-11-24 8:06:29.82
C:\ComboFix.txt ... 06-11-24 08:06

flyingdog
2006-11-24, 09:35
SmitFraudFix v2.123

Scan done at 8:11:02,56, 24.11.2006
Run from C:\Dokumente und Einstellungen\Benji\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\drvcog.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Benji


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Benji\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

flyingdog
2006-11-24, 09:36
Logfile of HijackThis v1.99.1
Scan saved at 08:13:26, on 24.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Logitech\G-series Software\LGDCore.exe
C:\Programme\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Steam\Steam.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Programme\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Programme\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Programme\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Programme\Logitech\G-series Software\Applets\LCDClock.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Dokumente und Einstellungen\Benji\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcog.dll,startup
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programme\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programme\Logitech\G-series Software\LCDMon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Programme\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Scanner Finder.lnk = C:\Programme\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160914199418
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D32A287-4CB5-4BE4-892C-D3CB1D54286F}: NameServer = 172.27.2.10 172.27.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe

flyingdog
2006-11-24, 09:40
Thank you very much for the amount of time you invest in my computer n00bness :)

Here I have 2 pics, I made them with Paint^^:

http://img95.imageshack.us/img95/1983/malwarehu9.th.jpg (http://img95.imageshack.us/my.php?image=malwarehu9.jpg)

http://img80.imageshack.us/img80/7204/malware2kx5.th.jpg (http://img80.imageshack.us/my.php?image=malware2kx5.jpg)

Big Regards

fly

Mr_JAk3
2006-11-24, 13:17
Hi again, we'll continue :)

If you have a legitimate Windows, you don't need that Antiwpa thingy. But you have an illegal Windows - :sick:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcog.dll,startup

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\drvcog.dll
C:\WINDOWS\system32\mljighg.dll
C:\WINDOWS\system32\xqpdai.dll

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
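The triage above was done by eye: the rundll32-loaded DLL in system32 (drvcog.dll), the nameless BHO whose file is missing (ssqpp.dll), the non-standard Winlogon Notify DLL (antiwpa.dll) and the service pointing at a missing binary (rpcapd). The following script, an added example that is not part of the thread, of HijackThis or of SmitFraudFix, applies those same four rules to HijackThis 1.99 log lines. The sample list is a constructed subset of the log posted above; the `WINLOGON_NOTIFY_STOCK` set is an assumed list of the Notify DLLs a clean XP SP2 install registers (plus WGA), not an authoritative allowlist, and the `Finding` type and regexes are this example's own.

```python
"""Triage of a HijackThis 1.99 log: flag the entry types that mattered in this
thread.  Added example for this page; not code from HijackThis, SmitFraudFix or
the posters.  SAMPLE_LOG is a constructed subset of the log posted above and
WINLOGON_NOTIFY_STOCK is an assumption, not an authoritative allowlist."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcog.dll,startup",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
]

# Assumption: Winlogon Notify DLLs present on a clean XP SP2 box (plus WGA).
WINLOGON_NOTIFY_STOCK = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wgalogon.dll",
}

ENTRY_RE = re.compile(r"^([ROFN]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll>[,export]; the DLL may be quoted and ends at the comma.
RUNDLL32_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<dll>.*)$")


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": stale entry, clean it up
    section: str    # HijackThis section tag (O2, O4, O20, O23)
    reason: str
    line: str


def _in_system32(path: str) -> bool:
    return re.search(r"[\\/]system32[\\/]", path, re.I) is not None


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O2" and body.startswith("BHO: "):
        # "BHO: <name> - {CLSID} - <path>[ (file missing)]"
        name, _, rest = body[5:].partition(" - ")
        _clsid, _, path = rest.partition(" - ")
        if name == "(no name)" or path.endswith("(file missing)"):
            return Finding("review", section,
                           "BHO with no name or a missing file: leftover registration, fix it",
                           line)

    elif section == "O4":
        m4 = O4_RE.match(body)
        mr = RUNDLL32_RE.match(m4.group("cmd")) if m4 else None
        if mr and _in_system32(mr.group(1)):
            return Finding("high", section,
                           "rundll32 autorun loading a DLL straight out of system32 "
                           "(the CTDrive/drvcog pattern): identify the DLL before trusting it",
                           line)

    elif section == "O20":
        m20 = O20_RE.match(body)
        if m20:
            dll = m20.group("dll").rsplit("\\", 1)[-1].lower()
            if dll not in WINLOGON_NOTIFY_STOCK:
                return Finding("high", section,
                               "Winlogon Notify DLL outside the stock set: it is loaded into "
                               "winlogon.exe (SYSTEM) at every logon",
                               line)

    elif section == "O23" and body.endswith("(file missing)"):
        return Finding("review", section,
                       "service whose binary is gone: dead registration, remove or reinstall",
                       line)
    return None


def triage(lines):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

On the sample this reports four hits in log order (ssqpp.dll, drvcog.dll, antiwpa.dll, rpcapd) and stays quiet on ccApp, ssv.dll, ctfmon and the ATI service. The rules are deliberately narrow: a rundll32 entry whose DLL lives outside system32 and a Winlogon Notify DLL on the stock list are not reported, so a real run still needs the eyeball pass a helper like Mr_JAk3 does, but it gets the obvious candidates to the top.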

flyingdog
2006-11-27, 12:51
Hello Mr_JAk3,

Now the "Security Warning: your computer may be infected with harmful or unwanted software!" doesn't pop up when I start my machine, so I think my PC is clean. Big big thx to you! :crowned:

But to be sure that I'm clean (hope it is no problem that it's German :)):

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:31:55 27.11.2006

+ Scan result:



C:\System Volume Information\_restore{09A47A1F-9C32-431D-84E6-BFA719483795}\RP84\A0030301.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{09A47A1F-9C32-431D-84E6-BFA719483795}\RP84\A0030305.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{09A47A1F-9C32-431D-84E6-BFA719483795}\RP84\A0030306.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljighg.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{09A47A1F-9C32-431D-84E6-BFA719483795}\RP87\A0030534.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).


::End of report

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 11:45:53, on 27.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Steam\Steam.exe
C:\Programme\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Programme\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Programme\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Programme\Logitech\G-series Software\Applets\LCDClock.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Benji\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programme\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programme\Logitech\G-series Software\LCDMon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Programme\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Scanner Finder.lnk = C:\Programme\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160914199418
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D32A287-4CB5-4BE4-892C-D3CB1D54286F}: NameServer = 172.27.2.10 172.27.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tyvm again for the amount of time you invested in my problem. :bigthumb:
btw: I really have a legal CD and key at home :angel: I know you wouldn't care if I have one or not, but if there is a way of proving it, I would do it. The thing with the antiwpa was something like an experiment :red:

So long

BR flyingdog

Mr_JAk3
2006-11-27, 16:32
Hi again, it is looking clean now :)

Fix the following leftover with HijackThis:

O2 - BHO: (no name) - {6BC868F2-E712-4F37-93A7-AB906A2F11C6} - C:\WINDOWS\system32\ssqpp.dll (file missing)

You can also fix the antiwpa.dll and remove the file if you don't need it ;)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Mr_JAk3
2006-12-06, 16:49
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: