Little Christmas gift

and HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:38, on 01.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\iPod\bin\iPodService.exe
F:\WINDOWS\explorer.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 7712 bytes
 
One more comment

I will be available today for around another 7 more hours to reply and take further action. Afterwards, I will not be able to access my computer and this forum until Friday night (because I have to go back to work and I am not working at the same location where this computer is located!).
Thanks for your understanding,
best regards
Zwiberberg
 
Hello Zwiberberg :)

Download RenV.exe by sUBs to your desktop

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as Log.txt (Overwrite the existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code:
F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl .exe
F:\Programme\ATI Technologies\ATI.ACE\cli .exe
F:\Programme\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg .exe
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ .exe
F:\Programme\FreePDF_XP\fpassist .exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager .exe
F:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp .exe
F:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
F:\Programme\iTunes\iTunesHelper .exe
F:\Programme\Java\jre1.6.0_03\bin\jusched .exe
F:\Programme\Messenger\msmsgs .exe
F:\Programme\Spybot - Search & Destroy\TeaTimer .exe
F:\Programme\Zinio\ZinioDeliveryManager .exe
F:\WINDOWS\system32\NeroCheck .exe

RenV.gif

Referring to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.
 
I am back!

Hello RipChain,

followed your instructions.
In the DOS window it basically said that none of the applications/files have been found!

I guess that's why the log result is as follows:

Code:
Ran on 04.01.2008 - 21:00:10,92

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

What does this mean now???

Looking forward to further information on the weekend.

Kind regards

zwiberberg
 
Smart, but no difference....

Hello Rip Chain,

in the data you submitted there were always spaces/blanks in front of the file extension.
I removed them and reran the RenV.exe thing.
Wonder what:
no messages, that the files have not been found,
however,
the log result is the same (just different time) ;)

Code:
Ran on 04.01.2008 - 21:10:26,57

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0
 
and the latest hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:21, on 05.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198801773250
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 7842 bytes
 
and statement regarding pc status...

Good morning RipChain,

to me the machine currently seems to run stable and at an acceptable speed. So it looks like there are no unwanted background activities like viruses etc. running.
What is your impression, reading the latest scan log results?

Best regards

zwiberberg
 
Hello Zwiberberg :)

in the data you submitted there were always spaces/blanks in front of the file extension.
I removed them and reran the RenV.exe thing.
I know, this was done on purpose: you were infected with a new variant of the Vundo virus that infects .exe files and then renames the original ones with a space before the extension.

What is your impression, reading the latest scan log results?
I'd like to run a quick Panda scan and make sure there are no more leftovers still present :)

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
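The displacement pattern RipChain describes (an infected copy takes the real name, the clean original survives beside it as "name .exe") can be located and undone programmatically. The following is an added example, not RenV or any code from this thread: it walks a directory tree for names with whitespace before the extension, quarantines the replacement rather than deleting it, and renames the original back. The tree it scans, the file names and their contents are constructed in a temporary folder.

```python
"""Added example (not RenV): find and undo the ' .exe' displacement pattern.

The thread describes a Vundo variant that overwrites an .exe with an infected
copy and keeps the clean original next to it as 'name .exe' (space before the
extension). This script finds such names, quarantines the replacement instead
of deleting it, and renames the original back. The tree it scans is constructed
in a temporary directory; no real system paths are touched.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# A filename whose extension is preceded by whitespace, e.g. "NeroCheck .exe".
SPACED_EXT = re.compile(r"^(?P<stem>\S.*?)\s+\.(?P<ext>exe|com|scr|dll)$", re.IGNORECASE)


def original_name(name):
    """'NeroCheck .exe' -> 'NeroCheck.exe'; None when the name has no space pattern."""
    m = SPACED_EXT.match(name)
    return None if m is None else f"{m.group('stem')}.{m.group('ext')}"


def find_displaced_originals(root):
    """Walk `root` and return [(displaced_original, replacement_or_None), ...].

    The replacement is the file that now carries the proper name; it is None when
    it has already been removed (e.g. by an antivirus), leaving only the original.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # NTFS names are case-insensitive
        for f in files:
            orig = original_name(f)
            if orig is None:
                continue
            replacement = by_lower.get(orig.lower())
            hits.append((Path(dirpath) / f,
                         Path(dirpath) / replacement if replacement else None))
    return sorted(hits, key=lambda h: str(h[0]))


def _unique(path):
    """Avoid clobbering an earlier quarantined file with the same name."""
    candidate, n = path, 0
    while candidate.exists():
        n += 1
        candidate = path.with_name(f"{path.name}.{n}")
    return candidate


def restore_originals(hits, quarantine_dir):
    """Move each replacement into `quarantine_dir` (kept as evidence, renamed so it
    no longer has an executable extension), then rename the original back."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    restored = []
    for displaced, replacement in hits:
        target = displaced.with_name(original_name(displaced.name))
        if replacement is not None:
            shutil.move(str(replacement),
                        str(_unique(quarantine_dir / f"{replacement.name}.quarantined")))
        displaced.rename(target)
        restored.append(target)
    return restored


def run_demo():
    """Build a constructed sample tree, scan it, restore, and summarise the result."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    sys32 = root / "WINDOWS" / "system32"
    itunes = root / "Programme" / "iTunes"
    sys32.mkdir(parents=True)
    itunes.mkdir(parents=True)
    # The infected case from the thread: replacement plus displaced original.
    (sys32 / "NeroCheck.exe").write_bytes(b"REPLACEMENT")
    (sys32 / "NeroCheck .exe").write_bytes(b"ORIGINAL-NEROCHECK")
    # Original whose replacement is already gone.
    (itunes / "iTunesHelper .exe").write_bytes(b"ORIGINAL-ITUNESHELPER")
    # Benign files that must be left alone.
    (sys32 / "ctfmon.exe").write_bytes(b"CLEAN")
    (itunes / "read me .txt").write_bytes(b"TEXT")

    hits = find_displaced_originals(root)
    restored = restore_originals(hits, root / "quarantine")
    summary = {
        "hits": len(hits),
        "paired": sum(1 for _, rep in hits if rep is not None),
        "restored": len(restored),
        "nerocheck": (sys32 / "NeroCheck.exe").read_bytes(),
        "itunes": (itunes / "iTunesHelper.exe").read_bytes(),
        "spaced_left": sorted(p.name for p in root.rglob("* .exe")),
        "quarantined": sorted(p.name for p in (root / "quarantine").iterdir()),
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a live system, run the scan first and review the hit list before restoring: a name with a space before the extension can also be a legitimately misnamed file, and the quarantined replacement is what you submit to your antivirus vendor.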
 
Panda Scan report

Incident Status Location

Spyware:Cookie/onestat.com Not disinfected F:\Dokumente und Einstellungen\Birgit\Cookies\birgit@stat.onestat[2].txt
Virus:Trj/Dropper.WW Disinfected Persönliche Ordner\Gelöschte Objekte\Re: von Tamara\Foto-001-006__JPG.com
Virus:Trj/MultiJoiner.O Disinfected Persönliche Ordner\Gelöschte Objekte\Von Tamara\Foto-Cannon-M06___JPG.com
Spyware:Cookie/adultfriendfinder Not disinfected F:\Dokumente und Einstellungen\Jens\Cookies\jens@adultfriendfinder[2].txt
Spyware:Cookie/Adverserve Not disinfected F:\Dokumente und Einstellungen\Jens\Cookies\jens@adverserve[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected F:\Dokumente und Einstellungen\Jens\Desktop\Wartung Sonstige\Safety\VirtumundoBeGone.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Programme\UBCD4Win\BartPE\I386\SYSTEM32\NIRCMD.EXE
Hacktool:Hacktool/AngryScan Not disinfected F:\Programme\UBCD4Win\BartPE\PROGRAMS\IPScan\ipscan.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\Programme\UBCD4Win\plugin\AntiVirus\AV7PE\nircmd.exe
Hacktool:Hacktool/AngryScan Not disinfected F:\Programme\UBCD4Win\plugin\Network\ipscan\ipscan.exe
Virus:Bck/Gerzidan.A Disinfected Persönliche Ordner\Gelöschte Objekte\Von Tanja, hallo Petra\Bild-Holger__JPG.com
Virus:Bck/Gerzidan.A Disinfected Persönliche Ordner\Gelöschte Objekte\Von Mareike\Bild-002_(klein)__JPG.com
Potentially unwanted tool:Application/NirCmd.A Not disinfected F:\WINDOWS\NirCmd.exe

Hello RipChain,

find enclosed the Panda report.
Looking forward to your recommendations,
best regards
Zwiberberg
 
Hello Zwiberberg :)

Sorry for the delay in replying to you, my workplace has barely left me enough time to sleep and eat lately, it seems.

The Panda scan disinfected any last remaining pieces of the malware on your system, it appears.
Please post back with one last HJT log, if it appears clean and your system is still running fine we can go through the last steps to further secure your computer, and you can be on your way :)
 
New HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:25, on 11.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\WINDOWS\ATKKBService.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
F:\Programme\iTunes\iTunesHelper.exe
F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\MapSource\gStart.exe
F:\Programme\Google\Google Updater\GoogleUpdater.exe
F:\Programme\SpywareGuard\sgmain.exe
F:\Programme\SpywareGuard\sgbhp.exe
F:\Programme\iPod\bin\iPodService.exe
F:\Programme\DSL-Manager\DslMgrSvc.exe
F:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
F:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
F:\Programme\Internet Explorer\IEXPLORE.EXE
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programme\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LexwareInfoService] F:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "F:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Zinio DLM] F:\Programme\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [gStart] F:\MapSource\gStart.exe
O4 - HKCU\..\Run: [UninstallAbility] "F:\Programme\UninstallAbility\uability .exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = F:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken 2008 Zahlungserinnerung.lnk = F:\Programme\LEXWARE\Quicken\2008\billmind.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.de/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198801773250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - F:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Manager (HotSpotFSvc) - Unknown owner - F:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - F:\Programme\iPod\bin\iPodService.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - F:\Programme\DSL-Manager\DslMgrSvc.exe

--
End of file - 8123 bytes
 
Final steps???

Hello RipChain,

nice to hear from you, don't work too hard!
I have just posted in the previous post the newest HJT log.

Looking forward to receive new information on the final steps.

So far: thanks for the excellent service!!!

best regards
from Germany on 21:37

Zwiberberg
 
Hello Zwiberberg :)

Excellent news, you're good to go!

Please delete the following folder:

C:\Qoobox

Go ahead and remove any tools we used during your fix now, as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  6. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
 
Problems with Windows updates

Hello RipChain,
as a matter of fact, good news, that the machine is clean and running fine!:cool:
I have followed most of your instructions.

On my way down the list I was also to run a windows update, but figured out, that it does not start download and installation.
According to my current knowledge, there seems to be a problem to start the BITS. When I try to start it under "local services" I am getting an error message: "The Service "BITS" on "local computer" cannot be started. Failure 2: The System cannot find the listed file."

I have no idea what to do, can you help?:red:
It seems that this has to do with the removal of some data in the regedit, especially with the netsvcs file?

Looking forward to your advice,
best regards

Zwiberberg
 
Hello Zwiberberg :)

Try this:

Do you have a working XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
  • Click on START-->RUN and type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

SFC
- Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.
 
Everything ok

Hello Rip Chain,

Update downloading issues is now fixed.

Machine is running, currently no suspect activities.
THANKS A LOT!!!:wav:

In case you do not have any additional remarks or need a final final log, I guess we both agree, that the thread can be finished.
(Don't worry, " I'll be back" if vundo returns..for further termination :flame:!!!)

Best regards
and thanx again

Zwiberberg
 
I have nothing else to say, I am extremely happy your computer is working good again, though. I'm going to go archive this now, since the issues appear to be resolved.
 