-
Little Christmas gift
Hello Spybot team,
Apparently I made one click too many on the internet and caught a nice Trojan virus.
Some suspicious things are meanwhile going on on my PC, like windows popping up which I never had before ("Changes of desktop and other unusual system settings"), and suspicious files and add-ons which cannot be removed and magically keep appearing again, like a file named yayawuv.dll or pmnli.exe and pmnli.dll etc.
All of this is happening under the "strong watch" of my standard Norton internet safety package, without any notice that something is obviously going wrong on my PC.
Meanwhile I am convinced that I cannot solve the problem without your help.
So I have prepared a recent Spybot log file, run Kaspersky's online scan (with disastrous results) and also generated an HJT log according to your guidelines on this forum.
Do you want me to post the 3 log files or send them via email?
Looking forward to your help, hoping to find a workaround for the problem without doing a complete new setup of my PC.
I wish the whole Spybot team wonderful Christmas days and hope to hear from you soon, so that this issue on my PC can somehow get resolved.
Many thanks in advance
Zwiberberg
-
Emeritus- Malware Team
Hello Zwiberberg,
Please go ahead and post the logs that have been created; I will take a look at them for you.
-
Logs as requested (HJT, Kaspersky, Spybot)
Hello Rip Chain,
Due to the length limitation (20,000 characters) and the fact that the logs have a total length of over 220,000 characters, please find the log files as a .zip attachment:
Hope you are able to work with them.
Looking forward to your advice,
best regards
Zwiberberg
-
Emeritus- Malware Team
Hello Zwiberberg,
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please download ComboFix by sUBs from HERE or HERE. You must download it to, and run it from, your Desktop.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
- Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
-
Activities 071226
Good morning Rip Chain,
not the best start to the day:
I started working down the activity list:
Open HijackThis, click Config, click Misc Tools --> OK
Click "Open Uninstall Manager" --> OK
Click "Save List" (generates uninstall_list.txt)
and here starts the trouble already:
the list has neither been generated nor saved to my PC (I have searched all files incl. hidden files...). The best I can offer is a screenshot of the result in the HijackThis overview.
Or do you have other suggestions?
Do you want me to run ComboFix anyway?
I am going to ride my bike for an hour and then I am back for further instructions,
Best regards
Zwiberberg
-
One more piece of information...
Hello Rip Chain,
one more piece of information from today:
Yesterday I was updating/adding protection tools for my PC.
This morning I got a repeated message from SpywareGuard that a BHO has been added (pmnli.dll, the file which I already mentioned in my first post).
Unfortunately the "Remove BHO" button did not work; the message keeps popping up.
I have attached the screenshot of the message for further orientation.
Regards
Zwiberberg
-
Emeritus- Malware Team
Hello Zwiberberg,
Thanks for the update; please go ahead and move on to running ComboFix now.
-
New Logs after ComboFix
Hello Rip Chain,
I got ComboFix completed and ran new logs, as attached:
(Also included the latest SpywareGuard log, after my PC was rebooted.)
Overall it looks to me like the yayawuv.dll is still there and is now working together with a mllmn.dll/.exe file instead of the pmnli.dll/.exe.
But I had better wait for your professional analysis instead of speculating:
ComboFix Log:
ComboFix 07-12-21.4 - Jens 2007-12-26 22:40:33.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.608 [GMT 1:00]
ausgeführt von:: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\WINDOWS\PerfInfo
F:\WINDOWS\PerfInfo\G6iVJdF8c7uc.exe
F:\WINDOWS\PerfInfo\G6iVJdF8c7ud.exe
F:\WINDOWS\system32\ilnmp.ini
F:\WINDOWS\system32\ilnmp.ini2
F:\WINDOWS\system32\pmnli.dll
.
((((((((((((((((((((((( Dateien erstellt von 2007-11-26 bis 2007-12-26 ))))))))))))))))))))))))))))))
.
2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 16:00 . 2007-12-24 16:00 326,656 --a------ F:\WINDOWS\system32\RCX29.tmp
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 08:19 . 2007-12-24 08:19 326,656 --a------ F:\WINDOWS\system32\RCX36.tmp
2007-12-24 08:19 . 2007-12-24 08:19 1,024 --a------ F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
2007-12-24 08:15 . 2007-12-24 08:15 2,048 --a------ F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-26 22:44 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-24 02:02 . 2007-12-24 16:42 <DIR> d-------- F:\VundoFix Backups
2007-12-23 18:39 . 2007-12-23 18:39 326,656 --a------ F:\WINDOWS\system32\RCX43.tmp
2007-12-23 18:39 . 2007-12-24 08:19 15,360 --a------ F:\WINDOWS\system32\ctfmon .exe
2007-12-23 18:30 . 2007-12-24 16:47 143 --a------ F:\WINDOWS\system32\mcrh.tmp
2007-12-23 15:56 . 2007-12-23 15:56 <DIR> d-------- F:\WINDOWS\ppqvmpqr
2007-12-23 15:56 . 2007-12-23 15:56 208,896 --a------ F:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-23 11:51 . 2007-12-23 11:51 39,936 --------- F:\WINDOWS\system32\yayawuv.dll
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ F:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ F:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ F:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ F:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ F:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ F:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ F:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Programme\Free Fire Screensaver
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 09:42 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-26 07:28 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-25 19:51 --------- d-----w F:\Programme\Norton Internet Security
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 17:04 --------- d-----w F:\Programme\iTunes
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-12-06 13:56 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-06 13:56 123,952 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-06 13:56 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-06 13:56 --------- d-----w F:\Programme\Symantec
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-15 20:31 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2007-10-31 12:55 --------- d-----w F:\Programme\Quicken2007
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_16.21.09.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 11:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-10-21 20:40:14 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-10-21 20:40:16 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-26 21:46:42 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_9c0.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6489BD86-DF8B-4A67-900F-8FEADEBFCF34}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-01 23:22 116088 --a------ F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" []
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" []
"Polar Sync"="" []
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 08:05]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" []
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" []
"QuickTime Task"="F:\Programme\QuickTime\qttask .exe" []
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" []
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" []
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background
R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 LiveUpdate Notice;LiveUpdate Notice;"F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 SymIMMP;SymIMMP;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-31 11:49]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 COH_Mon;COH_Mon;F:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []
S3 SymIM;Symantec Network Security Intermediate Filter Service;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]
*Newly Created Service* - COMHOST
.
Inhalt des "geplante Tasks" Ordners
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-12-26 21:37:29 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 22:47:06
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Eintr„ge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: F:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> F:\WINDOWS\system32\yayawuv.dll
.
Zeit der Fertigstellung: 2007-12-26 22:48:21 - machine was rebooted
.
2007-12-12 14:24:37 --- E O F ---
-
HJT Log after ComboFix
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:13, on 26.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\msiexec.exe
F:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O4 - Global Startup: Quicken 2007 Zahlungserinnerung.lnk = F:\Programme\Quicken2007\billmind.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/act...a/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe
--
End of file - 9464 bytes
-
...and finally the SpywareGuard log after ComboFix, HJT and reboot
--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:52:34 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: REMOVE BHO
--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:53:10 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: KEEP BHO
Remark regarding the last entry:
SpywareGuard has not been able to terminate the mllmn.dll file; I got a continuing error message which said that!
Hope you will be able to find a fix for the problem.
I'd appreciate getting a reply from you within the next hour or so, so that I can take some action.
Due to the time difference (depending on whether you are on the west or east coast of the USA, I am between 6 and 10 hours ahead of you) I will go to bed in around an hour (midnight).
Best regards
Zwiberberg
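As an added example that is not part of this thread, here is a small Python triage script that does mechanically what the poster does by eye above: it parses the O2 (BHO) lines of a HijackThis log together with the ShellExecuteHooks and "DLLs Loaded Under Running Processes" sections of a ComboFix log, and flags a CLSID when its BHO has no name but a file on disk, is also registered as a ShellExecuteHook, or is loaded inside Explorer.EXE. The sample input is copied from the logs posted above; the function names and the flagging heuristics are my own, not HJT's or ComboFix's.

```python
import re

# Sample input, copied from the HijackThis and ComboFix logs posted in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
"""

COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: F:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> F:\WINDOWS\system32\yayawuv.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT writes orphaned BHOs as "(no name) - -{CLSID} - (no file)", hence the optional extra dash.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - -?(?P<clsid>\{[^}]+\}) - (?P<path>.*)$")


def parse_hjt_bhos(text):
    """Return one dict per O2 line: name, upper-cased CLSID, path ('' when HJT says '(no file)')."""
    bhos = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        bhos.append({"name": m.group("name").strip(),
                     "clsid": m.group("clsid").upper(),
                     "path": "" if path == "(no file)" else path})
    return bhos


def parse_combofix(text):
    """Return (hook_clsids, explorer_dlls): CLSIDs registered under ShellExecuteHooks and
    lower-cased DLL paths that ComboFix saw loaded inside Explorer.EXE."""
    hooks, loaded = set(), set()
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith("[hkey_"):
            section = "hooks" if "shellexecutehooks" in s.lower() else "other_key"
        elif s.startswith("PROCESS:"):
            section = "explorer" if "explorer.exe" in s.lower() else "other_process"
        elif section == "hooks":
            m = CLSID_RE.search(s)
            if m:
                hooks.add(m.group(0).upper())
        elif section == "explorer" and s.startswith("->"):
            loaded.add(s[2:].strip().lower())
    return hooks, loaded


def triage(hjt_text, combofix_text):
    """Return [(clsid, path, sorted reasons)] for BHOs worth a closer look.

    Heuristics (mine, not HJT's or ComboFix's): an unnamed BHO that still has a file on
    disk; a BHO CLSID that is also registered as a ShellExecuteHook (a second autostart
    for the same component); a BHO DLL that ComboFix found loaded inside Explorer.EXE.
    Orphans with "(no file)" and none of these traits are left alone.
    """
    hooks, loaded = parse_combofix(combofix_text)
    findings = {}
    for bho in parse_hjt_bhos(hjt_text):
        entry = findings.setdefault(bho["clsid"], {"path": "", "reasons": set()})
        if bho["path"]:
            entry["path"] = bho["path"]
        if bho["name"] == "(no name)" and bho["path"]:
            entry["reasons"].add("unnamed BHO with a file on disk")
        if bho["clsid"] in hooks:
            entry["reasons"].add("same CLSID registered as ShellExecuteHook")
        if bho["path"] and bho["path"].lower() in loaded:
            entry["reasons"].add("DLL loaded inside Explorer.EXE")
    return [(clsid, e["path"], sorted(e["reasons"]))
            for clsid, e in sorted(findings.items()) if e["reasons"]]


if __name__ == "__main__":
    for clsid, path, reasons in triage(HJT_LOG, COMBOFIX_LOG):
        print(clsid, path or "(no file)")
        for r in reasons:
            print("   -", r)
```

On the logs above this reports exactly one CLSID, {B9E85D85-F6EE-4655-A639-E33983612A6E} with yayawuv.dll, on all three counts, while the Symantec, Adobe and orphaned "(no file)" entries stay quiet.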