Little Christmas gift

Zwiberberg

Hello Spybot team,

Apparently I made one click too many on the internet and caught a nice trojan virus.
Some suspicious things have meanwhile been going on on my PC, like windows popping up which I never had before ("Changes of desktop and other unusual system settings"), and suspicious files and add-ons which cannot be removed and magically keep reappearing, like a file named yayawuv.dll or pmnli.exe and pmnli.dll etc.
All happening under the "strong watch" of my standard Norton Internet Security package, without any notice that something is obviously going wrong on my PC.
Meanwhile I am convinced that I cannot solve the problem without your help.
So I have prepared a recent Spybot log file, run Kaspersky's online scan (with disastrous results) and also generated an HJT log according to your guidelines on this forum.
Do you want me to post the 3 log files or send them via email?
Looking forward to your help, hoping to find a workaround for the problem without making a complete new setup of my PC.

I wish the whole Spybot team wonderful Christmas days and hope to hear from you soon, to get this issue on my PC somehow resolved.

Many thanks in advance

Zwiberberg
 
Logs as requested (HJT, Kaspersky, Spybot)

Hello Rip Chain,

Due to the length limitation (20,000 characters) and the fact that the logs have a total length of over 220,000 characters, please find the log files as a .zip attachment:


Hope you are able to work with them.
Looking forward to your advice,
best regards

Zwiberberg
 
Hello Zwiberberg,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Activities 071226

Good morning Rip Chain,

not the best start to the day:

I started working down the activity list:

Open HijackThis, click Config, click Misc Tools --> OK
Click "Open Uninstall Manager" --> OK
Click "Save List" (generates uninstall_list.txt)
and here starts the trouble already:
The list has not been generated nor saved to my PC (I have searched all files incl. hidden files...). The best I can offer is a screenshot of the result of the HijackThis overview.
Or do you have other suggestions?

Do you want me to run the ComboFix anyways?


I am going to ride my bike for an hour and then I am back for further instructions,

Best regards

Zwiberberg
 
One more information...

Hello Rip Chain,

one more information from today:
Yesterday I have been updating/adding protection tools for my PC.
Today in the morning I got a continuing message from SpywareGuard that a BHO has been added (pmnli.dll, the file which I already mentioned in my first post).
Unfortunately the "Remove BHO" button did not work; the message keeps popping up.

I have attached the screenshot of the message for further orientation.

Regards
Zwiberberg
 
New Logs after ComboFix

Hello Rip Chain,

got ComboFix completed and ran new logs as attached:

(also included the latest SpywareGuard log, after my PC was rebooted.)
Overall it looks to me like the yayawuv.dll is still there and is now working together with a mllmn.dll/.exe file instead of the pmnli.dll/.exe.

But I'd better wait for your professional analysis instead of speculating:

ComboFix Log:

ComboFix 07-12-21.4 - Jens 2007-12-26 22:40:33.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.608 [GMT 1:00]
Run from: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Further deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\PerfInfo
F:\WINDOWS\PerfInfo\G6iVJdF8c7uc.exe
F:\WINDOWS\PerfInfo\G6iVJdF8c7ud.exe
F:\WINDOWS\system32\ilnmp.ini
F:\WINDOWS\system32\ilnmp.ini2
F:\WINDOWS\system32\pmnli.dll

.
((((((((((((((((((((((( Files created from 2007-11-26 to 2007-12-26 ))))))))))))))))))))))))))))))
.

2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 16:00 . 2007-12-24 16:00 326,656 --a------ F:\WINDOWS\system32\RCX29.tmp
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 08:19 . 2007-12-24 08:19 326,656 --a------ F:\WINDOWS\system32\RCX36.tmp
2007-12-24 08:19 . 2007-12-24 08:19 1,024 --a------ F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
2007-12-24 08:15 . 2007-12-24 08:15 2,048 --a------ F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-26 22:44 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-24 02:02 . 2007-12-24 16:42 <DIR> d-------- F:\VundoFix Backups
2007-12-23 18:39 . 2007-12-23 18:39 326,656 --a------ F:\WINDOWS\system32\RCX43.tmp
2007-12-23 18:39 . 2007-12-24 08:19 15,360 --a------ F:\WINDOWS\system32\ctfmon .exe
2007-12-23 18:30 . 2007-12-24 16:47 143 --a------ F:\WINDOWS\system32\mcrh.tmp
2007-12-23 15:56 . 2007-12-23 15:56 <DIR> d-------- F:\WINDOWS\ppqvmpqr
2007-12-23 15:56 . 2007-12-23 15:56 208,896 --a------ F:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-23 11:51 . 2007-12-23 11:51 39,936 --------- F:\WINDOWS\system32\yayawuv.dll
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ F:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ F:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ F:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ F:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ F:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ F:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ F:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ F:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Programme\Free Fire Screensaver
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software

.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 09:42 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-26 07:28 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-25 19:51 --------- d-----w F:\Programme\Norton Internet Security
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 17:04 --------- d-----w F:\Programme\iTunes
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-12-06 13:56 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-06 13:56 123,952 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-06 13:56 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-06 13:56 --------- d-----w F:\Programme\Symantec
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-15 20:31 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2007-10-31 12:55 --------- d-----w F:\Programme\Quicken2007
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_16.21.09.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 11:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-10-21 20:40:14 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-10-21 20:40:16 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-26 21:46:42 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_9c0.dat
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6489BD86-DF8B-4A67-900F-8FEADEBFCF34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-01 23:22 116088 --a------ F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-23 11:51 39936 --------- F:\WINDOWS\system32\yayawuv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" []
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" []
"Polar Sync"="" []
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 08:05]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" []
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" []
"QuickTime Task"="F:\Programme\QuickTime\qttask .exe" []
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" []
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" []
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 LiveUpdate Notice;LiveUpdate Notice;"F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 SymIMMP;SymIMMP;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-31 11:49]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 COH_Mon;COH_Mon;F:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []
S3 SymIM;Symantec Network Security Intermediate Filter Service;F:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]

*Newly Created Service* - COMHOST
.
Contents of the "Scheduled Tasks" folder
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-12-26 21:37:29 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 22:47:06
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> F:\WINDOWS\system32\yayawuv.dll
.
Completion time: 2007-12-26 22:48:21 - machine was rebooted
.
2007-12-12 14:24:37 --- E O F ---
 
HJT Log after ComboFix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:13, on 26.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\msiexec.exe
F:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O4 - Global Startup: Quicken 2007 Zahlungserinnerung.lnk = F:\Programme\Quicken2007\billmind.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - F:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 9464 bytes
 
...and finally the SpywareGuard log after ComboFix, HJT and reboot

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:52:34 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 22:53:10 12.26.2007 a new BHO installation attempt was detected.
BHO: {FD8F13BD-9D87-426D-91E9-A46B700A9ADB}
ProgramID: n/a
File Location: F:\WINDOWS\system32\mllmn.dll
User Action Taken: KEEP BHO


Remark regarding the last entry:
SpywareGuard has not been able to terminate the mllmn.dll file; I kept getting an error message saying so!

Hope you will be able to find a fix for the problem.

I'd appreciate getting a reply from you within the next hour or so, so that I can take some action.
Due to the time difference (depending on whether you are on the US west or east coast, I am between 6 and 10 hours ahead of you) I will go to bed in around an hour (midnight).

Best regards
Zwiberberg
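A small triage script for logs like the ones in this post, added here as an example; it is my own code, not part of the thread and not from HijackThis, ComboFix or SpywareGuard. It runs four checks over HijackThis/ComboFix-style lines: a BHO registered with no name (either orphaned, "(no file)", or pointing at a DLL in system32, as yayawuv.dll is), a ShellExecuteHooks entry (the mechanism by which a DLL gets loaded into Explorer.EXE, which the ComboFix log above shows for yayawuv.dll), an autostart entry pointing into a Temp directory, and a binary whose name carries a space before its extension (a look-alike of a legitimate program name such as "qttask .exe"). The sample lines are copied from the logs in this post; the rule names, the `triage` and `extract_path` functions and the `Finding` type are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= F:\WINDOWS\system32\yayawuv.dll [2007-12-23 11:51 39936]
"""

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# HijackThis O2 line; the "- -{" variant with a doubled dash occurs in the log above.
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - -?\{{(?P<clsid>{GUID})\}} - (?P<path>.*)$")
# ComboFix ShellExecuteHooks line: "{CLSID}"= path [date size]
HOOK_RE = re.compile(rf'^"\{{(?P<clsid>{GUID})\}}"= (?P<path>.+?) \[')
# "qttask .exe": a space between the base name and the extension.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|scr|com)$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def extract_path(rest: str) -> str:
    """Pull the executable path out of the right-hand side of an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1 : rest.index('"', 1)]
    # Unquoted: drop trailing switches such as " /autostart" or " -hide".
    return re.sub(r"(\s+[-/]\S*)+$", "", rest)


def triage(log: str) -> list[Finding]:
    """Run the checks over every line and return the lines worth a closer look."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        path = None
        if m := BHO_RE.match(line):
            path = m.group("path")
            if m.group("name") == "(no name)":
                rule = ("orphaned BHO registration (no file)" if path == "(no file)"
                        else "unnamed BHO loading a DLL")
                findings.append(Finding(rule, line))
        elif line.startswith("O4 - "):
            _, _, rest = line.partition(": ")
            # "[Name] path args" for Run keys, "Something.lnk = path" for Startup folders.
            if "] " in rest:
                rest = rest.split("] ", 1)[1]
            elif " = " in rest:
                rest = rest.split(" = ", 1)[1]
            path = extract_path(rest)
            if "\\temp\\" in path.lower():
                findings.append(Finding("autostart pointing into a Temp directory", line))
        elif m := HOOK_RE.match(line):
            path = m.group("path")
            findings.append(Finding("ShellExecuteHooks DLL (loaded by Explorer)", line))
        # Applies to every path found above, whatever the entry type.
        if path and SPACE_BEFORE_EXT.search(path):
            findings.append(Finding("space before extension (look-alike binary name)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

On the sample above the script flags the two unnamed BHOs, the two space-before-extension binaries, the Startup link into Temp and the ShellExecuteHooks entry, and leaves the Adobe and iTunes entries alone. The rules are heuristics for reading a log, not a verdict: a flagged line still has to be checked against the file on disk (publisher, signature, creation date) before anything is deleted.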
 
New faces

Hello Spybot team,

"the thing" which is sitting on my PC keeps on changing its face!
I had to reinstall my Norton Internet Security software after my cccommon.dll was no longer available:

After reinstallation I saved the log.
Norton log:

Scan statistics:
Scan time: 2661
Scan options:
Scan targets: C:, F:
Count:
Total items scanned: 265692
- Files and directories: 263541
- Registry entries: 271
- Processes and startup items: 1745
- Network and browser items: 131
- Other: 4

Total security risks detected: 5
Total items resolved: 5
Total items requiring attention: 0

Resolved threats:
Trojan.Nebuler
Virus ID: 18150
Type: Anomaly
Risk: High (High stealth, High removal, High performance, High privacy)
Categories: Virus
Status: Fully resolved
-----------
1 file
f:\qoobox\quarantine\f\windows\system32\winhoo32.dll.vir - Deleted
1 browser cache

Trojan.Vundo
Virus ID: 28544
Type: Anomaly
Risk: High (High stealth, High removal, High performance, High privacy)
Categories: Virus
Status: Restart required
-----------
144 registry entries
HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart required
HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart required
HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart required
HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart required
HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart required
HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart required
HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart required
HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart required
HKEY_CLASSES_ROOT\CLSID\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_CLASSES_ROOT\MSEvents.MSEvents - Restart required
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 - Restart required
HKEY_CLASSES_ROOT\IEpl.IEpl - Restart required
HKEY_CLASSES_ROOT\IEpl.IEPl.1 - Restart required
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater - Restart required
HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1 - Restart required
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib - Restart required
HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 - Restart required
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction - Restart required
HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1 - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart required
HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834} - Restart required
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834} - Restart required
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks->{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart required
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\WindowsUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\SysUpd - Neustarten erforderlich
HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Neustarten erforderlich
HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\DomainService - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\aldd - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\rdfa - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\CAC - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-500\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-19\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-20\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1004\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\.DEFAULT\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_USERS\S-1-5-21-2052111302-1580818891-839522115-1005\Software\Microsoft\affltid - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\FCOVM - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\RemoveRP - Neustarten erforderlich
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0 - Neustarten erforderlich
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->Authentication Packages:... - Neustarten erforderlich
1 Datei
f:\vundofix backups\awtuvvs.dll.bad - Gelöscht
4 Prozesse
F:\Programme\Internet Explorer\iexplore.exe - Beendet
F:\WINDOWS\system32\rundll32.exe - Keine Aktion erforderlich
F:\Programme\Internet Explorer\iexplore.exe - Beendet
F:\WINDOWS\system32\rundll32.exe - Keine Aktion erforderlich
1 Dienst
DomainService - Keine Aktion erforderlich
1 Browser-Cache

W32.Trats!inf
Virus-ID: 40956
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
3 Dateien
f:\vundofix backups\nerocheck.exe.bad - Repariert
f:\VundoFix Backups\pmnli.exe.bad - Gelöscht
1 Browser-Cache



W32.Trats!inf
Virus-ID: 40956
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
4 Dateien
f:\windows\system32\rcx29.tmp - Gelöscht
f:\WINDOWS\system32\RCX36.tmp - Gelöscht
f:\WINDOWS\system32\RCX43.tmp - Gelöscht
f:\WINDOWS\system32\ctfmon.exe.tmp - Repariert
1 Browser-Cache



Trojan.Zlob.N
Virus-ID: 19394
Typ: Anomalie
Risiko: Hoch (Hoch Stealth, Hoch Entfernen, Hoch Leistung, Hoch Datenschutz)
Kategorien: Virus
Status: Vollständig behoben
-----------
1 Datei
f:\windows\system32\ndatqsvqrx.dll - Gelöscht
1 Browser-Cache
 
PC still in trouble!

Along with this, after rebooting I have a new "friend" in SpywareGuard (see also the log file): geebx.dll

On 01:45:10 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 01:45:13 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:23 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:28 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:35 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\WINDOWS\system32\geebx.dll
User Action Taken: REMOVE BHO


Hope this helps to get the idea of what's going on.

Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication in regards to timing.

Anyway thanks for the continued support,

best regards

Zwiberberg
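The SpywareGuard alerts above show the same DLL being removed and re-registered, once under a second CLSID. The following is an added example, not code from the thread or from SpywareGuard, that parses alerts of that format and groups them per file, so a DLL that keeps coming back (a sign that something still active on the system re-creates it) stands out from a one-off detection. The three geebx.dll alerts are quoted from the post above; the fourth alert, with its CLSID and `ExampleVendor` path, is constructed for contrast. The function names `parse_alerts`, `summarise` and `recurring_files` are my own.

```python
"""Aggregate SpywareGuard "NEW BHO DETECTION ALERT" entries per file.

Added example; not code from the thread or from SpywareGuard. The first
three alerts are the geebx.dll alerts quoted in the post above; the fourth
(placeholder CLSID, hypothetical ExampleVendor path) is constructed so that
a one-off detection is visible next to a recurring one.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

SAMPLE_ALERTS = """\
NEW BHO DETECTION ALERT
On 01:45:10 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\\WINDOWS\\system32\\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 01:45:13 12.27.2007 a new BHO installation attempt was detected.
BHO: {0157B230-5263-44B0-BD87-EDD2364780A0}
ProgramID: n/a
File Location: F:\\WINDOWS\\system32\\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 08:06:23 12.27.2007 a new BHO installation attempt was detected.
BHO: {3BAFEEB5-27C0-4333-864F-1E12D9C4FCAC}
ProgramID: n/a
File Location: F:\\WINDOWS\\system32\\geebx.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 09:00:00 12.27.2007 a new BHO installation attempt was detected.
BHO: {00000000-0000-0000-0000-000000000001}
ProgramID: n/a
File Location: F:\\Programme\\ExampleVendor\\helper.dll
User Action Taken: REMOVE BHO
"""

# One alert block: timestamp line, CLSID, optional ProgramID, file, action.
ALERT_RE = re.compile(
    r"On (?P<ts>\d\d:\d\d:\d\d \d\d\.\d\d\.\d{4}) a new BHO installation attempt was detected\.\s*"
    r"BHO: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*"
    r"(?:ProgramID: [^\n]*\s*)?"
    r"File Location: (?P<path>[^\n]+)\s*"
    r"User Action Taken: (?P<action>[^\n]+)"
)


@dataclass
class FileActivity:
    path: str
    attempts: int = 0
    clsids: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_alerts(text):
    """Return one (timestamp, clsid, path, action) tuple per alert block."""
    events = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S %m.%d.%Y")  # log uses MM.DD.YYYY
        events.append((ts, m.group("clsid").upper(), m.group("path").strip(),
                       m.group("action").strip()))
    return events


def summarise(events):
    """Group events by file; the key is lower-cased because NTFS paths are case-insensitive."""
    by_file = {}
    for ts, clsid, path, _action in events:
        fa = by_file.setdefault(path.lower(), FileActivity(path))
        fa.attempts += 1
        fa.clsids.add(clsid)
        fa.first_seen = ts if fa.first_seen is None else min(fa.first_seen, ts)
        fa.last_seen = ts if fa.last_seen is None else max(fa.last_seen, ts)
    return by_file


def recurring_files(by_file, min_attempts=2):
    """Files that were removed and then attempted to install again."""
    return sorted(fa.path for fa in by_file.values() if fa.attempts >= min_attempts)


def report(text):
    by_file = summarise(parse_alerts(text))
    lines = []
    for key in sorted(by_file):
        fa = by_file[key]
        span = (fa.last_seen - fa.first_seen).total_seconds()
        lines.append(f"{fa.path}: {fa.attempts} attempt(s), "
                     f"{len(fa.clsids)} distinct CLSID(s), over {span:.0f}s")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ALERTS):
        print(line)
    print("recurring:", recurring_files(summarise(parse_alerts(SAMPLE_ALERTS))))
```

Grouping by file rather than by CLSID is the point: the guard blocks each registration, but the CLSID changes between attempts while the DLL path does not, so the path is the stable indicator to look for in the next HJT or ComboFix log.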
 
Hello Zwiberberg,

Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication in regards to timing.
Actually, almost everyone helping in the HijackThis forum is not an actual member of the SpyBot team, but a trained volunteer.
Is there potentially a chance to get help from a European-based Spybot team member? This would allow easier communication in regards to timing.
While in theory this would be a good idea, in reality there are too few people to help as it is, much less trying to match people with timezones.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • F:\WINDOWS\system32\ctfmon .exe
  • Click on the submit button
  • Please post the results in your next reply.
  • Please follow the above instructions for this file as well:
  • F:\WINDOWS\system32\NeroCheck .exe

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
    O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
    O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - F:\WINDOWS\system32\yayawuv.dll
    O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
    O18 - Protocol: haufereader - (no CLSID) - (no file)


  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
F:\WINDOWS\system32\ndaTqsVqrX.dll
F:\WINDOWS\system32\RCX29.tmp
F:\WINDOWS\system32\RCX36.tmp
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\RCX43.tmp
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\yayawuv.dll
Folder::
F:\VundoFix Backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Looks like the PC is cleaned up now

Hello Rip Chain,

I have been busy in the last hours and developed my own plan for how to overcome this yayawuv.dll thing.
Looks like it worked:
What I basically did:
- built a startup CD (with UBCD4WIN)
- started the PC from the built CD-ROM
- ran Spybot scans, deleted suspicious files incl. yayawuv.dll and others which I had already identified
- ran HijackThis scans
- ran Kaspersky scans, deleted all suspicious files
- ran VundoFix after rebooting from the hard disk (nothing more to delete)
Everything is "quiet" now, no more unwanted pop-ups etc.

At least I got a lot of ideas here on how I can identify and isolate the problem, and even found a workaround.

Many thanks for the inspiration and support!!!!!!

Enclosed the latest HJT scan, hope there is nothing left which you find critical...

Best regards and good night USA (it's 1 am here...)

zwiberberg
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:43:59, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
F:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\Internet Explorer\iexplore.exe
F:\Programme\DSL-Manager\DslMgr.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: (no name) - -{B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Lexware Info Service.lnk = F:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Temp\TMP21.tmp
O4 - Global Startup: Quicken 2007 Zahlungserinnerung.lnk = F:\Programme\Quicken2007\billmind.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8656 bytes
 
Hello Zwiberberg :)

It looks like you got a lot done alright, but there are still infected entries in your HJT log. Please follow my advice from the last post I made and post the required logs :)
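Rip Chain's earlier post lists the kinds of HJT entries to fix: BHOs with no name and no file (including the ones whose CLSID is written `-{...}`), a Global Startup shortcut that points into a Temp folder, a protocol handler with no CLSID, and a start page reset to about:blank. The following is an added example, not code from the thread, from Spybot or from HijackThis, that encodes those rules as a small Python triage script and runs it over lines excerpted verbatim from the HJT log posted above. The names `triage_hjt` and `Finding` and the rule set are my own; a hit means "look closer", not "malicious".

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not code from the thread or from HijackThis. The rules
encode the kinds of entries the helper asked to have fixed in this thread.
SAMPLE_HJT_LOG holds lines excerpted verbatim from the posted HJT log.
"""
import re
from dataclasses import dataclass

SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: (no name) - -{6489BD86-DF8B-4A67-900F-8FEADEBFCF34} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\\Programme\\Gemeinsame Dateien\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - (no file)
O4 - HKLM\\..\\Run: [Windows Defender] "F:\\Programme\\Windows Defender\\MSASCui.exe" -hide
O4 - Global Startup: Lexware Info Service.lnk = F:\\Dokumente und Einstellungen\\Jens\\Lokale Einstellungen\\Temp\\TMP21.tmp
O18 - Protocol: haufereader - (no CLSID) - (no file)
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\\Programme\\DSL-Manager\\DslMgrSvc.exe
"""

TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section prefix, e.g. "O2"
    reason: str   # why the line deserves a closer look
    line: str     # the log line, verbatim


def _check_bho(fields, line):
    # O2 - BHO: <name> - <clsid> - <path>; take the last two fields so a
    # name that itself contains " - " does not shift them.
    if len(fields) < 4:
        return None
    clsid, path = fields[-2], fields[-1]
    if clsid.startswith("-{"):
        return Finding("O2", "BHO registered under a malformed CLSID", line)
    if path == "(no file)":
        return Finding("O2", "BHO with no backing file on disk", line)
    return None


def _check_autostart(fields, line):
    # O4 entries end in the launched path; a Temp folder is a poor home for it.
    if TEMP_DIR.search(fields[-1]):
        return Finding("O4", "autostart entry points into a Temp folder", line)
    return None


def _check_protocol(fields, line):
    if "(no CLSID)" in fields[-2:]:
        return Finding("O18", "protocol handler without a CLSID", line)
    return None


def _check_startpage(fields, line):
    if line.rstrip().endswith("= about:blank"):
        return Finding(fields[0], "start page reset to about:blank", line)
    return None


CHECKS = {"O2": _check_bho, "O4": _check_autostart, "O18": _check_protocol,
          "R0": _check_startpage, "R1": _check_startpage}


def triage_hjt(log_text):
    """Return a Finding for every line that trips one of the rules above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(" - ")
        check = CHECKS.get(fields[0])
        if check is None:
            continue
        finding = check(fields, line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the excerpt the script flags the about:blank start page, both nameless BHOs, the Temp-folder startup shortcut and the CLSID-less protocol handler, and leaves the Adobe BHO, the Windows Defender Run entry and the service alone, which matches the list the helper gave.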
 
Actions -->

Hello Rip Chain,

OK, it looks like not everything is cleaned up yet, so here is the report of your requested actions:

Jotti Check:

ctfmon .exe and nerocheck .exe both were "clean" according to the Jotti check. By the way, is it of any concern that I also have a ctfmon.exe in F:\windows\system32\dllcache?

HJT:
I have "fix checked" the items you listed

ComboFix:
I have applied the script as instructed

In the following two posts you will find the CF log and the HJT log.

Additionally, in case it is information you should have:
I have meanwhile removed Norton from my computer and am running Kaspersky Internet Security 7.0.
(If there are Norton files you think I should get rid of in any reg files, please let me know...)

Looking forward to further feedback,

best regards
Zwiberberg
 
Cf Log:

ComboFix 07-12-21.4 - Jens 2007-12-28 23:12:42.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.606 [GMT 1:00]
ausgeführt von:: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
Command switches used :: F:\Dokumente und Einstellungen\Jens\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\ndaTqsVqrX.dll
F:\WINDOWS\system32\RCX29.tmp
F:\WINDOWS\system32\RCX36.tmp
F:\WINDOWS\system32\RCX43.tmp
F:\WINDOWS\system32\yayawuv.dll
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\VundoFix Backups
F:\VundoFix Backups\geebx.dll.bad
F:\VundoFix Backups\jjkmp.ini.bad
F:\VundoFix Backups\jjkmp.ini2.bad
F:\VundoFix Backups\NeroCheck.exe.bad
F:\VundoFix Backups\nmllm.ini.bad
F:\VundoFix Backups\nmllm.ini2.bad
F:\VundoFix Backups\xbeeg.ini.bad
F:\VundoFix Backups\xbeeg.ini2.bad
F:\WINDOWS\system32\drivers\4BE93C14-F537-47D5-BFA5-403A93771860.cxv
F:\WINDOWS\system32\drivers\532AA62E-4949-4503-A766-3A58A68F9937.cxv
F:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((( Dateien erstellt von 2007-11-28 bis 2007-12-28 ))))))))))))))))))))))))))))))
.

2007-12-28 20:42 . 2007-12-28 23:34 3,551,776 --ahs---- F:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 20:42 . 2007-12-28 23:16 50,708 --ahs---- F:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 20:42 . 2007-12-28 23:18 8,992 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-28 20:42 . 2007-12-28 23:16 1,892 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-28 20:26 . 2007-12-28 20:26 78,415 --a------ F:\WINDOWS\system32\drivers\klif.cab
2007-12-28 13:08 . 2007-12-28 13:08 <DIR> d-------- F:\MapSource
2007-12-28 13:00 . 2007-12-28 13:10 <DIR> d-------- F:\Garmin
2007-12-28 12:19 . 2007-12-28 12:19 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\GARMIN
2007-12-28 11:16 . 2007-12-28 11:16 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2007-12-28 02:06 . 2007-07-30 19:19 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-12-28 02:06 . 2007-07-30 19:18 30,072 --a------ F:\WINDOWS\system32\mucltui.dll.mui
2007-12-27 22:40 . 2007-12-28 20:29 <DIR> d-------- F:\Programme\Kaspersky Lab
2007-12-27 22:40 . 2007-12-28 20:49 91,492 --a------ F:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:40 . 2007-12-28 20:49 85,860 --a------ F:\WINDOWS\system32\drivers\klick.dat
2007-12-27 17:06 . 2007-12-27 17:57 <DIR> d-------- F:\Programme\UBCD4Win
2007-12-27 09:37 . 2007-12-27 09:37 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Prevx
2007-12-27 09:36 . 2007-12-27 09:38 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\PrevxCSI
2007-12-27 09:28 . 2007-12-27 18:04 7,646 --ahs---- F:\WINDOWS\system32\nmllm.ini2
2007-12-27 09:28 . 2007-12-27 18:05 7,646 --ahs---- F:\WINDOWS\system32\nmllm.ini
2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2007-12-28 23:34 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-27 09:24 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Programme\Free Fire Screensaver
2007-11-30 07:42 . 2007-11-30 07:42 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 12:10 --------- d-----w F:\Programme\GPS Software
2007-12-28 11:14 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-12-28 11:14 --------- d-----w F:\Programme\Quicken2007
2007-12-28 11:13 --------- d-----w F:\Programme\Gemeinsame Dateien\Lexware
2007-12-28 10:16 --------- d-----w F:\Programme\Google
2007-12-28 01:09 --------- d-----w F:\Programme\iTunes
2007-12-27 15:46 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-27 15:46 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-26 23:32 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 23:32 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_16.21.09.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-05-16 19:38:04 3,638 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\ARPPRODUCTICON.exe
+ 2007-12-28 09:21:58 3,638 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\ARPPRODUCTICON.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut10_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut10_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 40,960 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut12_65F9131C16CB40F6BE401B42772C2B44.EXE
+ 2007-12-28 09:21:58 40,960 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut12_65F9131C16CB40F6BE401B42772C2B44.EXE
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut3_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut3_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut4_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut4_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut8_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut8_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut9_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\NewShortcut9_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionDlx_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionDlx_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionHBiz_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionHBiz_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionReg_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\OpinionReg_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44_1.exe
+ 2007-12-28 09:21:59 761,856 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlx2_65F9131C16CB40F6BE401B42772C2B44_1.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlxUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenDlxUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenHBizUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:58 65,536 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenHBizUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenRegUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
+ 2007-12-28 09:21:59 93,184 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickenRegUrl_15411A8C34CC41BBA48C52E3C052F20F.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskDlx1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskDlx1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-05-16 19:38:04 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskHBiz1_65F9131C16CB40F6BE401B42772C2B44.exe
+ 2007-12-28 09:21:58 45,056 ----a-r F:\WINDOWS\Installer\{15411A8C-34CC-41BB-A48C-52E3C052F20F}\QuickEntryDeskHBiz1_65F9131C16CB40F6BE401B42772C2B44.exe
- 2007-11-10 16:18:50 102,400 ----a-r F:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
+ 2007-12-28 01:09:18 102,400 ----a-r F:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
- 2006-07-14 01:03:03 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-07-14 01:03:03 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2006-07-14 01:03:03 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2007-12-28 19:42:49 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2003-09-23 14:42:34 17,024 ----a-w F:\WINDOWS\system32\drivers\grmngen.sys
+ 2007-03-08 15:18:00 18,432 ----a-w F:\WINDOWS\system32\drivers\grmngen.sys
- 2003-09-23 14:42:34 7,296 ----a-w F:\WINDOWS\system32\drivers\grmnusb.sys
+ 2007-03-08 15:18:00 8,320 ----a-w F:\WINDOWS\system32\drivers\grmnusb.sys
+ 2007-04-28 15:51:02 110,360 ----a-w F:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 19:49:42 194,320 ----a-w F:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 13:58:26 24,344 ----a-w F:\WINDOWS\system32\drivers\klim5.sys
- 2000-08-04 12:25:30 49,152 ----a-w F:\WINDOWS\system32\INETWH32.dll
+ 2000-08-04 14:25:30 49,152 ----a-w F:\WINDOWS\system32\INETWH32.dll
+ 2005-05-24 11:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-10-21 20:40:14 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-10-21 20:40:16 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-06-28 11:51:48 206,088 ----a-w F:\WINDOWS\system32\klogon.dll
- 2003-03-18 19:20:00 1,060,864 ----a-w F:\WINDOWS\system32\mfc71.dll
+ 2007-03-21 19:39:00 1,060,864 ----a-w F:\WINDOWS\system32\MFC71.DLL
- 2003-03-18 18:14:52 499,712 ----a-w F:\WINDOWS\system32\msvcp71.dll
+ 2007-03-21 19:33:00 503,808 ----a-w F:\WINDOWS\system32\MSVCP71.DLL
- 2003-02-21 02:42:22 348,160 ----a-w F:\WINDOWS\system32\msvcr71.dll
+ 2007-03-21 19:33:00 348,160 ----a-w F:\WINDOWS\system32\MSVCR71.DLL
+ 2007-07-30 18:18:34 207,736 ----a-w F:\WINDOWS\system32\muweb.dll
- 2002-09-20 21:33:28 1,089,536 ----a-w F:\WINDOWS\system32\ROBOEX32.DLL
+ 2002-09-20 23:33:28 1,089,536 ----a-w F:\WINDOWS\system32\ROBOEX32.DLL
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" []
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" []
"Polar Sync"="" []
"gStart"="F:\MapSource\gStart.exe" [2007-08-23 05:58]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" []
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" []
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-01-30 14:53]
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" []
"AVP"="F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
"DWQueuedReporting"="F:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;F:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []

.
Inhalt des "geplante Tasks" Ordners
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-12-28 22:21:25 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 23:34:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2007-12-28 23:35:42 - machine was rebooted
.
2007-12-12 14:24:37 --- E O F ---
 
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38:15, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8220 bytes
 
Hello Zwiberberg :)

It appears that you're infected with the newest version of this nasty Vundo virus. We're going to remove the older version of ComboFix and download a newer one that is more up to date for this newer version of Vundo.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Happy New Year

Good morning Rip Chain,

I wish you a happy and successful new year! A big portion of health for you personally and our computers is also needed ;).

As instructed I have unloaded my previous ComboFix version, downloaded the new one and ran a new scan with CF and also HJT.
Here are the reports:

COMBOFIX:

ComboFix 07-12-31.4 - Jens 2008-01-01 10:13:12.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.592 [GMT 1:00]
ausgeführt von:: F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\_install.exe nicht gefunden
F:\WINDOWS\system32\nmllm.ini
F:\WINDOWS\system32\nmllm.ini2

.
((((((((((((((((((((((( Dateien erstellt von 2007-12-01 bis 2008-01-01 ))))))))))))))))))))))))))))))
.

2008-01-01 10:12 . 2000-08-31 08:00 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-12-28 20:42 . 2008-01-01 10:16 3,851,040 --ahs---- F:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 20:42 . 2007-12-31 14:43 54,260 --ahs---- F:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 20:42 . 2008-01-01 10:17 28,192 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-28 20:42 . 2007-12-31 14:43 3,452 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-28 20:26 . 2007-12-28 20:26 78,415 --a------ F:\WINDOWS\system32\drivers\klif.cab
2007-12-28 13:08 . 2007-12-28 13:08 <DIR> d-------- F:\MapSource
2007-12-28 13:00 . 2007-12-28 13:10 <DIR> d-------- F:\Garmin
2007-12-28 12:19 . 2007-12-28 12:19 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\GARMIN
2007-12-28 11:16 . 2008-01-01 10:15 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2007-12-28 02:06 . 2007-07-30 19:19 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-12-28 02:06 . 2007-07-30 19:18 30,072 --a------ F:\WINDOWS\system32\mucltui.dll.mui
2007-12-27 22:40 . 2007-12-28 20:29 <DIR> d-------- F:\Programme\Kaspersky Lab
2007-12-27 22:40 . 2007-12-28 20:49 91,492 --a------ F:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:40 . 2007-12-28 20:49 85,860 --a------ F:\WINDOWS\system32\drivers\klick.dat
2007-12-27 17:06 . 2007-12-27 17:57 <DIR> d-------- F:\Programme\UBCD4Win
2007-12-27 09:37 . 2007-12-27 09:37 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Prevx
2007-12-27 09:36 . 2007-12-27 09:38 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\PrevxCSI
2007-12-25 20:37 . 2007-12-25 21:50 <DIR> d-------- F:\Programme\Windows Defender
2007-12-25 20:33 . 2007-12-26 08:13 <DIR> d-------- F:\Programme\SpywareGuard
2007-12-25 20:30 . 2007-12-25 20:32 <DIR> d-------- F:\Programme\SpywareBlaster
2007-12-25 20:30 . 2005-08-25 18:19 115,920 --a------ F:\WINDOWS\system32\MSINET.OCX
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-12-24 17:03 . 2008-01-01 10:02 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-12-24 16:06 . 2007-12-24 16:06 250 --a------ F:\WINDOWS\gmer.ini
2007-12-24 09:15 . 2007-12-24 09:21 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-24 02:42 . 2006-07-14 01:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr------- F:\Dokumente und Einstellungen\Administrator\Startmenü
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-12-24 02:42 . 2007-12-28 23:35 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d-------- F:\Dokumente und Einstellungen\Administrator\Favoriten
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> d--h----- F:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-12-24 02:42 . 2006-07-15 00:41 <DIR> dr-h----- F:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-12-24 02:33 . 2007-12-24 02:33 <DIR> d-------- F:\Programme\Trend Micro
2007-12-23 15:55 . 2007-12-23 23:31 155,648 --a------ F:\WINDOWS\system32\NeroCheck .exe
2007-12-23 11:58 . 2007-12-23 11:59 <DIR> d-------- F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2007-12-19 19:51 . 2007-12-19 19:51 114,496 --a------ F:\WINDOWS\system32\drivers\prodrv04.sys
2007-12-19 19:51 . 1999-06-23 17:13 86,016 --a------ F:\WINDOWS\unvise32.exe
2007-12-01 12:50 . 2007-12-01 12:50 <DIR> d-------- F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\T-Online

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 12:10 --------- d-----w F:\Programme\GPS Software
2007-12-28 11:14 --------- d--h--w F:\Programme\InstallShield Installation Information
2007-12-28 11:14 --------- d-----w F:\Programme\Quicken2007
2007-12-28 11:13 --------- d-----w F:\Programme\Gemeinsame Dateien\Lexware
2007-12-28 10:16 --------- d-----w F:\Programme\Google
2007-12-28 01:09 --------- d-----w F:\Programme\iTunes
2007-12-27 15:46 --------- d-----w F:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-27 15:46 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-26 23:32 805 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 23:32 10,740 ----a-w F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 19:51 --------- d-----w F:\Programme\FreePDF_XP
2007-12-25 08:16 --------- d-----w F:\Programme\QuickTime
2007-12-24 15:07 --------- d-----w F:\Programme\Zinio
2007-12-24 01:28 --------- d-----w F:\Programme\Java
2007-12-20 17:04 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\ContentGuard
2007-12-08 12:02 --------- d-----w F:\Programme\Free Metronome
2007-11-30 06:42 --------- d-----w F:\Programme\Free Fire Screensaver
2007-11-30 06:42 --------- d-----w F:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
2007-11-17 12:29 --------- d-----w F:\Programme\ModPlug
2007-11-13 10:25 20,480 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 17:34 --------- d-----w F:\Programme\Obtiv
2007-11-10 16:18 --------- d-----w F:\Programme\iPod
2007-11-02 19:02 --------- d-----w F:\Dokumente und Einstellungen\Birgit\Anwendungsdaten\Symantec
2007-11-01 22:24 --------- d-----w F:\Dokumente und Einstellungen\Jens\Anwendungsdaten\Symantec
2007-11-01 22:22 --------- d-----w F:\Programme\Windows Sidebar
2007-10-29 22:42 1,293,312 ----a-w F:\WINDOWS\system32\quartz.dll
2007-10-25 12:41 81,920 ----a-w F:\WINDOWS\system32\LxUISettings10VC8.dll
2007-10-25 12:41 716,800 ----a-w F:\WINDOWS\system32\lxter20VC8.dll
2007-10-25 12:41 65,536 ----a-w F:\WINDOWS\system32\PXTTool65VC8.dll
2007-10-25 12:41 552,960 ----a-w F:\WINDOWS\system32\zvkonline65VC8.dll
2007-10-25 12:41 5,701,632 ----a-w F:\WINDOWS\system32\LxXtreme50VC8.dll
2007-10-25 12:41 319,488 ----a-w F:\WINDOWS\system32\LxImport65VC8.dll
2007-10-25 12:41 27,648 ----a-w F:\WINDOWS\system32\LXTPSW20VC8.dll
2007-10-25 12:41 241,664 ----a-w F:\WINDOWS\system32\LXBtr65VC8.dll
2007-10-25 12:41 180,224 ----a-w F:\WINDOWS\system32\LXDasi65VC8.dll
2007-10-25 12:41 180,224 ----a-w F:\WINDOWS\system32\LxBasics65VC8.dll
2007-10-25 12:41 126,976 ----a-w F:\WINDOWS\system32\LxMail30VC8.dll
2007-10-25 12:41 1,556,480 ----a-w F:\WINDOWS\system32\LxXtreme40VC8.dll
2007-10-25 12:41 1,191,936 ----a-w F:\WINDOWS\system32\LXtool65VC8.dll
2007-10-25 08:28 222,720 ----a-w F:\WINDOWS\system32\wmasf.dll
2004-03-11 11:27 40,960 ----a-w F:\Programme\Uninstall_CDS.exe
.
Code:
----a-w            39,792 2007-12-25 10:02:44  F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            45,056 2007-12-24 15:47:28  F:\Programme\ATI Technologies\ATI.ACE\cli .exe
----a-w           163,840 2007-12-25 10:02:50  F:\Programme\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg .exe
----a-w            32,768 2007-12-24 12:01:42  F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ .exe
----a-w           310,272 2007-12-25 10:02:43  F:\Programme\FreePDF_XP\fpassist .exe
----a-w           532,776 2007-12-24 15:47:33  F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager .exe
----a-w            51,048 2007-12-25 17:09:44  F:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp .exe
----a-w            68,856 2007-12-23 22:31:54  F:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           267,048 2007-12-25 10:02:48  F:\Programme\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-25 10:02:51  F:\Programme\Java\jre1.6.0_03\bin\jusched .exe
----a-w         1,694,208 2007-12-23 17:39:58  F:\Programme\Messenger\msmsgs .exe
----a-w         1,460,560 2007-12-25 10:02:53  F:\Programme\Spybot - Search & Destroy\TeaTimer .exe
----a-w         1,003,590 2007-12-24 15:00:59  F:\Programme\Zinio\ZinioDeliveryManager .exe
----a-w           155,648 2007-12-23 22:31:29  F:\WINDOWS\system32\NeroCheck .exe


(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"H/PC Connection Agent"="F:\Programme\Microsoft ActiveSync\wcescomm.exe" [ ]
"Zinio DLM"="F:\Programme\Zinio\ZinioDeliveryManager.exe" [ ]
"Polar Sync"="" []
"gStart"="F:\MapSource\gStart.exe" [2007-08-23 05:58 1891416]
"UninstallAbility"="F:\Programme\UninstallAbility\uability .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" [ ]
"RemoteControl"="F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [ ]
"iTunesHelper"="F:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"LexwareInfoService"="F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-01-30 14:53 2732584]
"Windows Defender"="F:\Programme\Windows Defender\MSASCui.exe" [ ]
"AVP"="F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="F:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

F:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Birgit\Startmenü\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Default User\Startmenü\Programme\Autostart\
DSL-Manager.lnk - F:\Programme\DSL-Manager\DslMgr.exe [2007-10-15 20:02:46]

F:\Dokumente und Einstellungen\Jens\Startmenü\Programme\Autostart\
SpywareGuard.lnk - F:\Programme\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

F:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Google Updater.lnk - F:\Programme\Google\Google Updater\GoogleUpdater.exe [2007-12-28 11:16:43]
Quicken 2008 Zahlungserinnerung.lnk - F:\Programme\LEXWARE\Quicken\2008\billmind.exe [2007-04-18 23:29:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
F:\Programme\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
2005-06-16 14:36 3627520 --a------ F:\Programme\ASUS\Ai Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Programme\Messenger\msmsgs.exe /background

R1 prodrv04;Star Force copy protection driver v4;F:\WINDOWS\system32\drivers\prodrv04.sys [2007-12-19 19:51]
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;F:\WINDOWS\system32\plcndis5.sys [2004-05-17 10:21]
R3 cjusb;REINER SCT cyberJack pinpad/e-com USB;F:\WINDOWS\system32\DRIVERS\cjusb.sys [2005-10-04 07:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;F:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 TDslMgrService;DSL-Manager;"F:\Programme\DSL-Manager\DslMgrSvc.exe" [2007-08-01 14:36]
R3 TSMPacket;DSL-Manager Service;F:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 11:53]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 HotSpotFSvc;Hotspot Manager;"F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe" []

.
Inhalt des "geplante Tasks" Ordners
"2007-12-24 07:21:35 F:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- F:\Programme\AntiSpywareApp\AntiSpyware .ex
- F:\Programme\AntiSpywareApp
"2007-10-03 18:44:01 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Programme\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 09:03:42 F:\WINDOWS\Tasks\MP Scheduled Scan.job"
- F:\Programme\Windows Defender\MpCmdRun.exe
"2007-12-24 19:00:03 F:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Jens.job"
- F:\Programme\Norton Internet Security\Norton AntiVirus\Navw32.exel/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 10:17:12
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-01-01 10:17:45
F:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 09:17:43
F:\qoobox\ComboFix2.txt 2007-12-28 22:35:42
.
2007-12-12 14:24:37 --- E O F ---