My PC is constantly sending E-Mails which I don't know

MoOsE

New member
Hi Shaba,

Greetings from Germany ;-)
I've checked out this forum very well, and I am impressed by your competent troubleshooting, given in most of the threads, initiating the end of spyware and Trojans in nearly all the cases. Hope you can also help me ;-)

Now here's my problem: I thought I was safe behind the ZoneAlarm v. 7.0.337.000 firewall and my neighbour's router, but I wasn't. Recently, I installed the new G-Data AntiVirusKit 2007 and killed 109 (!!!) viruses, so my system seems to be almost clean now, but now there often appears a message that my PC is sending e-mails, but they are not from me =)

Here's an example of an outgoing E-Mail logged by the AntiVirusKit:

Outgoing mails (SMTP)
Checked: 9 (0 infected)
Last checked: subject: Cambrian Launches, sender: jerame.Hunston AT 4x4holidays.co.uk, Empfänger: dalia.k.h AT wp.pl

These are e-mail addresses I've never seen before, so I think my computer is sending spam and/or is being used as a relay server. How can I stop this?

I've added the HijackThis log file, because I knew you would ask about it ^^

Logfile of HijackThis v1.99.1
Scan saved at 23:37:45, on 22.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programs\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programs\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programs\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programs\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Firefox 2.003\firefox.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Programs\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\lmqdbtay.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programs\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programs\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programs\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programs\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Programs\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programs\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programs\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pwvgjpkg.dll",realset
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Syrrel Sneer\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programs\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programs\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qgwfjavb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programs\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programs\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
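The helpers in this thread pick the entries to fix out of a HijackThis log by eye: dangling references marked "(file missing)" or "(no file)", eight-letter random DLL/EXE names dropped into system32, a Run entry that loads such a DLL through rundll32.exe, and services with no publisher pointing at a missing file. As an added example (not code from the thread, from HijackThis or from any tool named here), the Python script below applies those same checks mechanically to a log so that a reader can reproduce the triage. The sample log is constructed for this example from entries quoted above; the heuristics, in particular the "random-looking name" rule, are my own assumptions and only narrow the list for manual review, they are not HijackThis features.

```python
import re

# Constructed sample log for this example, modelled on the HijackThis v1.99.1
# format used in the thread; the entries are taken from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pwvgjpkg.dll",realset
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qgwfjavb.exe (file missing)
"""

# A HijackThis entry: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Either a full drive path (spaces allowed) or a bare file name with a binary extension.
FILE_RE = re.compile(
    r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b"
    r"|\b[\w~-]+\.(?:dll|exe|sys)\b",
    re.IGNORECASE,
)
VOWELS = set("aeiou")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_random_system32_name(path):
    """Weak heuristic (my own, not a HijackThis feature): the Vundo-family files in
    this thread are eight random lowercase letters placed directly in system32
    (iykwoxsx.dll, pwvgjpkg.dll, qgwfjavb.exe). Legitimate system32 names tend to
    carry digits or more vowels, so this only shortlists names for manual review."""
    directory, _, name = path.rpartition("\\")
    if not directory.lower().endswith("\\system32"):
        return False
    stem = name.lower().rpartition(".")[0]
    return len(stem) == 8 and stem.isalpha() and sum(c in VOWELS for c in stem) <= 2


def triage(log_text):
    """Return the suspicious entries of a HijackThis log with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:  # header lines and the process list are not triaged here
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("dangling reference: the file is gone, the entry is a leftover to remove")
        for path in FILE_RE.findall(body):
            if is_random_system32_name(path):
                reasons.append("random-looking name in system32: " + basename(path))
        if section == "O4" and "rundll32" in body.lower() and ".dll" in body.lower():
            reasons.append("Run entry loads a DLL through rundll32.exe at every logon")
        if section == "O23" and "Unknown owner" in body and reasons:
            reasons.append("service carries no publisher information")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


def fix_list(log_text):
    """The raw lines a helper would tell the user to tick under 'Fix checked'."""
    return [f["line"] for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run it as-is to triage the constructed sample, or pass the contents of a real log to triage(). Entries flagged only as dangling references are dead registry pointers and can simply be fixed; entries with a random-looking name in system32 are the ones worth submitting to a scanner before deleting, exactly as the helper does later with virustotal.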
 
Hello MoOsE :)

I'm not Shaba but I'll be happy to help you.

You're infected.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
Thank you for your help.
I've done as you said.
Here are the logs, Vundo first, then Hijackthis.


VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 20:51:47 26.06.2007

Listing files found while scanning....

C:\Programme\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\inf\entmig.dll
C:\WINDOWS\inf\gimtne.bak1
C:\WINDOWS\inf\gimtne.bak2
C:\WINDOWS\inf\gimtne.ini
C:\WINDOWS\inf\gimtne.ini2
C:\WINDOWS\system32\cvdccgis.dll
C:\WINDOWS\system32\dnqvehtg.dll
C:\WINDOWS\system32\epujukfe.dll
C:\WINDOWS\system32\exhmceka.dll
C:\WINDOWS\system32\fvleowyt.dll
C:\WINDOWS\system32\gkpjgvwp.ini
C:\WINDOWS\system32\gpekaplv.dll
C:\WINDOWS\system32\gufuhoxp.dll
C:\WINDOWS\system32\jdtlknhf.dll
C:\WINDOWS\system32\jkdihyvi.dll
C:\WINDOWS\system32\lmqdbtay.dll
C:\WINDOWS\system32\madpmgir.dll
C:\WINDOWS\system32\nmodpwce.dll
C:\WINDOWS\system32\pwvgjpkg.dll
C:\WINDOWS\system32\sglseeee.dll
C:\WINDOWS\system32\wgaisqgi.dll
C:\WINDOWS\system32\xiainxhh.dll
C:\WINDOWS\system32\xidqjcvh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\inf\gimtne.bak1
C:\WINDOWS\inf\gimtne.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\inf\gimtne.bak2
C:\WINDOWS\inf\gimtne.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\inf\gimtne.ini
C:\WINDOWS\inf\gimtne.ini Has been deleted!

Attempting to delete C:\WINDOWS\inf\gimtne.ini2
C:\WINDOWS\inf\gimtne.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gkpjgvwp.ini
C:\WINDOWS\system32\gkpjgvwp.ini Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 21:01:51, on 26.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Speed Commander 11\SpeedCommander.exe
C:\WINDOWS\system32\wuauclt.exe
F:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qgwfjavb.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope that helps...waiting for your answer.
Thank you very much,
MoOsE
 
Ok we'll continue :)

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Ok, done so far. First, I report what happened.
I started ComboFix, it first scanned and did two registry changes, followed by a reboot. Then the message "C:\ComboFix\CF_anti-viking.bat could not be found" appeared, followed by the messages "Scanning for infected files" and "Scan times for badly infected machines may easily double". Then again, some registry changes were made, followed by a reboot. Then the message "Preparing for report" by "Find3M" appeared and the program ended.
There were two logs put on C:, which I post now.

COMBOFIX.TXT

"Speedy Gonzalez" - 2007-06-27 20:44:53 - ComboFix 07-06-27.7 - Service Pack 2 NTFS

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 67860 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp
C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\DOKUME~1\SPEEDY~1\ANWEND~1.\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Programme\Gemeinsame Dateien\{4C825~1
C:\Programme\toolbar888
C:\Programme\toolbar888\Uninst.exe
C:\Programme\vsadd-in
C:\WINDOWS\system32\lzx32.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


2007-06-27 20:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-26 20:51 <DIR> d-------- C:\VundoFix Backups
2007-06-22 23:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-21 23:42 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\G DATA
2007-06-21 23:41 47,184 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys
2007-06-21 23:41 38,096 --a------ C:\WINDOWS\system32\drivers\GDTdiIcpt.sys
2007-06-21 23:41 37,112 --a------ C:\WINDOWS\system32\drivers\HookCentre.sys
2007-06-21 23:41 <DIR> d-------- C:\WINDOWS\gear_dlls
2007-06-21 23:40 <DIR> d-------- C:\Programme\Gemeinsame Dateien\G DATA
2007-06-21 23:39 <DIR> d-------- C:\DOKUME~1\SPEEDY~1\ANWEND~1\InstallShield
2007-06-03 19:20 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 18:42:38 83,478 ----a-w C:\WINDOWS\system32\perfc007.dat
2007-06-27 18:42:38 435,686 ----a-w C:\WINDOWS\system32\perfh007.dat
2007-06-27 14:35:58 -------- d-----w C:\DOKUME~1\SPEEDY~1\ANWEND~1\Skype
2007-06-21 22:03:38 -------- d-----w C:\Programme\VVSN
2007-06-21 22:03:38 -------- d-----w C:\Programme\VSToolbar
2007-06-21 21:40:30 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-06-15 13:02:18 -------- d-----w C:\DOKUME~1\SPEEDY~1\ANWEND~1\teamspeak2
2007-05-16 15:11:44 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 07:02:25 253,952 ------w C:\WINDOWS\Setup1.exe
2007-05-12 07:02:24 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-25 14:22:27 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-19 20:50:44 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-04-19 20:26:36 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2007-04-18 16:13:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 11:48:30 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{055FD26D-3A88-4e15-963D-DC8493744B1D}=F:\ICQToolbar\toolbaru.dll [2006-10-10 11:18]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=F:\Adobe Reader\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{206E52E0-D52E-11D4-AD54-0000E86C26F6}=F:\DOWNLO~1\FRESHD~1\fdcatch.dll [2006-03-20 11:28]
{29342761-5C6A-4A62-9040-4493A8507436}=C:\WINDOWS\system32\iykwoxsx.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programme\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]
{9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285}=C:\WINDOWS\inf\entmig.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 18:01 C:\WINDOWS\SOUNDMAN.EXE]
"D-Link AirPlus G"="F:\D-Link\AirGCFG.exe" [2005-04-22 18:51]
"ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"RemoteControl"="F:\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="F:\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"ISUSPM Startup"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" [2004-06-16 06:03]
"BDNewsAgent"="F:\BitDefender 8.0\bdnagent.exe" [2005-05-09 13:19]
"CloneCDElbyCDFL"="F:\CloneCD\ElbyCheck.exe" [2001-12-06 14:09]
"QuickTime Task"="F:\QuickTime 7\qttask.exe" [2007-02-16 10:54]
"ZoneAlarm Client"="F:\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"AVKTray"="F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe" [2007-01-23 14:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\entmig]
C:\WINDOWS\inf\entmig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32]
winepi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"bdss"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Installer.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 20:48:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 20:49:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-27 20:49

--- E O F ---

-------------------------------------------------------------------

here's the second one: ComboFix-quarantined-files.txt

2006-08-23 21:08      34950    --a------    C:\Qoobox\Quarantine\C\Programme\ToolBar888\Uninst.exe.vir
2007-01-15 12:01      0    --a------    C:\Qoobox\Quarantine\C\DOKUME~1\SPEEDY~1\ANWEND~1\SearchToolbarCorp\Toolbar Vision\PageHistory.txt.vir
2007-01-15 12:01      0    --a------    C:\Qoobox\Quarantine\C\DOKUME~1\SPEEDY~1\ANWEND~1\SearchToolbarCorp\Toolbar Vision\WebHistory.txt.vir
2007-03-30 08:17      74620    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lzx32.sys.vir
2007-06-27 20:46      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-06-27 20:46      352    --a------    C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
2007-06-27 20:46      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf


Auflistung der Ordnerpfade für Volume Windows XP
Volumenummer: 4C82-5CC7
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOKUME~1
    |   |   \---SPEEDY~1
    |   |       \---ANWEND~1
    |   |           \---SearchToolbarCorp
    |   |               \---Toolbar Vision
    |   |                       PageHistory.txt.vir
    |   |                       WebHistory.txt.vir
    |   |                       
    |   +---Programme
    |   |   \---ToolBar888
    |   |           Uninst.exe.vir
    |   |           
    |   \---WINDOWS
    |       \---system32
    |               lzx32.sys.vir
    |               
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf
            services_DomainService.reg.cf
            services_nm.reg.cf


So, what's next?^^

Thank you for your help.
MoOsE
 
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download SDFix and save it to your desktop.
Do NOT run yet.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

==================

Disable the bad services
  • Start
  • Run
  • Type services.msc into the field and press Enter.
  • A window opens, scroll down to DomainService
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
  • Scroll down to Microsoft authenticate service (MsaSvc)
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.

Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the box and press OK; DomainService
  • Answer Yes
  • Press Delete an NT service again.
  • Copy the following line to the box and press OK; MsaSvc
  • Answer Yes
  • Close HijackThis

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {29342761-5C6A-4A62-9040-4493A8507436} - C:\WINDOWS\system32\iykwoxsx.dll (file missing)
O2 - BHO: (no name) - {9B4F7ED2-DE6B-405B-AFD8-F1D4D7360285} - C:\WINDOWS\inf\entmig.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programme\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: entmig - C:\WINDOWS\inf\entmig.dll (file missing)
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\qgwfjavb.exe
C:\WINDOWS\system32\msasvc.exe

Go to the My Computer and delete the following folders (if present):
C:\Programme\ToolBar888

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      (screenshot: scanavgjk2.jpg)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\perfc007.dat
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- virustotal results
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
 
Sorry, a little question: in services.msc the service "DomainService" doesn't exist. I think it has another name in the German language. Because I fear disabling the wrong service, I am asking if you know the German synonym for "DomainService".
Sometimes, also the small things interrupt the best troubleshooting ever.

Keep up the good work, 'til then ;-)

MoOsE
 
Hello :)

Ok, don't disable that German synonym, it is a different one. Just skip that part then :bigthumb:

Good that you asked :bigthumb:
 
OkOk, Mission accomplished ;)

First, there were a few minor things that didn't work:

- In ATF Cleaner, I couldn't select "Firefox" at the top, but I performed it anyway (Empty Selected). Is that a problem?

- I've made a little mistake with AVG Anti-Spyware: I forgot to select "Quarantine" after the scan, so all files were deleted :oops:, so I think that's also the reason why I could not save a log. But I've printed the actions made by the program, which I will post underneath.

Now for the Reports:

First, my home-made AVG report ;) (reason for that mentioned above)



Ok, and now the new HijackThis-Log:

Logfile of HijackThis v1.99.1
Scan saved at 19:59:20, on 02.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\AVGas\guard.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
C:\WINDOWS\System32\svchost.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\AVGas\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


VIRUSTOTAL: I didn't copy&paste the results, because no virus program detected a virus in the perfc007.dat file.


Now finally, here are the SdFix-Results:


SDFix: Version 1.88

Run by Administrator on 02.07.2007 at 18:35

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOKUME~1\ADMINI~1\Desktop\Sdfix\SDFix

Safe Mode:
Checking Services:

Name:
hide_evr2

ImagePath:
\??\C:\WINDOWS\hide_evr2.sys

hide_evr2 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\NSPRS.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SSPRS.DLL - Deleted
C:\a.bat - Deleted
C:\WINDOWS\system32\TFTP3196 - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"F:\\Skype 2.0\\Skype.exe"="F:\\Skype 2.0\\Skype.exe:*:Enabled:Skype"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOKUME~1\ADMINI~1\Desktop\Sdfix\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:


Administrator Gast Hilfeassistent
Speedy Gonzalez SUPPORT_388945a0
Der Befehl wurde erfolgreich ausgeführt.


Finished


Am I clean now? :alien:

If this is so, I thank you very much for your help and I hope this website will never go down, even if the internet crashes because of all the Trojans ;)

Now a final question (if we are finished): Is there a way that I can protect my system in a better way in the future? Because these programs have found so many Trojans that I wish I had never entered the internet ;)

Yours sincerely,

MoOsE
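The HijackThis log in the post above is plain text with one entry per line, which makes it easy to pre-triage with a short script before reading it by hand. The parser below is an added example for this thread, written by the editor; it is not HijackThis code and not something posted by MoOsE or Shaba. The sample lines are copied from the log above, and the two checks it performs (O23 services listed with "Unknown owner", O2 browser helper objects registered with no name) are the entries a helper typically looks up first, not a verdict on any of them.

```python
"""Pull the entries a helper checks first out of a HijackThis v1.99.1 log.

Added example for this thread, written by the editor; it is not HijackThis
code and not something posted by MoOsE or Shaba.  The sample lines are copied
from the log above; the checks are starting points for review, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: eight lines in the format of the posted log.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\\DOWNLO~1\\FRESHD~1\\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programme\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "F:\\ZoneAlarm\\zlclient.exe"
O23 - Service: Adobe LM Service - Unknown owner - C:\\Programme\\Gemeinsame Dateien\\Adobe Systems Shared\\Service\\Adobelmsvc.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\\Programme\\Gemeinsame Dateien\\G DATA\\AVKProxy\\AVKProxy.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

# Every entry starts with its section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Section-specific layouts.  Names and vendors are matched lazily so the
# greedy path group at the end keeps any " - " that appears inside a path.
BODY_RE = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


@dataclass
class Entry:
    code: str                      # section code, e.g. "O23"
    body: str                      # raw text after the code
    fields: Dict[str, str] = field(default_factory=dict)  # parsed parts, if any


def parse_log(text: str) -> List[Entry]:
    """Parse every 'Xn - ...' line; lines without a section code are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        sub = BODY_RE.get(code)
        parts = sub.match(body) if sub else None
        entries.append(Entry(code, body, parts.groupdict() if parts else {}))
    return entries


def count_by_code(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each section has; a quick sanity check on the parse."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def unknown_owner_services(entries: List[Entry]) -> List[str]:
    """O23 services whose binary carries no company name.

    HijackThis prints "Unknown owner" when the file has no vendor in its
    version info.  Plenty of legitimate drivers and helpers lack one, so this
    is a list to look up, not a list of infections.
    """
    return [e.fields["name"] for e in entries
            if e.code == "O23" and e.fields.get("vendor") == "Unknown owner"]


def nameless_bhos(entries: List[Entry]) -> List[str]:
    """Paths of O2 browser helper objects registered without a display name."""
    return [e.fields["path"] for e in entries
            if e.code == "O2" and e.fields.get("name") == "(no name)"]


def autorun_commands(entries: List[Entry]) -> Dict[str, str]:
    """Map each O4 autostart entry's name to the command it launches."""
    return {e.fields["name"]: e.fields["command"]
            for e in entries if e.code == "O4" and e.fields}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", count_by_code(parsed))
    print("services with Unknown owner:", unknown_owner_services(parsed))
    print("BHOs with no name:", nameless_bhos(parsed))
    for name, cmd in autorun_commands(parsed).items():
        print(f"autorun [{name}] -> {cmd}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. The output is only a shortlist: an "Unknown owner" service or a nameless BHO still has to be looked up by path and publisher before anything is fixed, which is exactly what the helper in this thread does before naming entries to remove.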
 
Hello :)

Ok looks pretty good now. How is the computer running?

Thanks for your kind words :D
I'll give prevention tips but let's be sure that you're clean first.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Sorry, that didn't work. If I click on "Kaspersky online scanner" and then on "Accept", nothing happens. Maybe it's because I am not using Internet Explorer but Firefox 2.0.0.4.

MoOsE
 
Ok Kaspersky would require IE to run....

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found
    (icon: check.gif)
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log
 
Hello again.

Sorry for my late answer but I was away from my home PC.

Squeezed some bugs again with Dr.Web. Now here's the log, followed by the new HijackThis log:

Process.exe C:\Dokumente und Einstellungen\Administrator\Desktop\Sdfix\SDFix\apps Tool.Prockill Not curable. Moved.
A0088035.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP104 Trojan.Virtumod Deleted.
A0098395.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP107 Trojan.Virtumod Deleted.
A0106200.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106245.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106246.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106404.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106467.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106562.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106678.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0106747.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP108 Trojan.Virtumod Deleted.
A0107974.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP109 Trojan.Virtumod Deleted.
A0109031.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP109 Trojan.Virtumod Deleted.
A0110060.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0110079.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SaveNow Not curable. Moved.
A0112097.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112103.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SearchColours Not curable. Moved.
A0112133.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112134.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112135.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112136.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112137.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112138.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112140.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112141.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112142.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112143.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112144.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112146.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112147.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112148.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112149.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112150.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112151.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112152.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112153.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112154.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112155.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112157.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112158.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112159.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112160.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112162.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112163.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112164.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112165.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112166.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112168.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112169.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112170.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112171.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112174.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112175.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112176.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112178.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112179.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112180.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112181.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112182.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112184.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112185.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112187.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112188.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112189.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112190.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112192.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112193.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112194.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112195.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112196.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112198.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112199.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112200.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112201.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112203.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112204.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112205.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112206.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112207.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112208.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112209.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112210.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112212.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112213.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112214.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112215.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112216.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112217.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112218.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112219.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112220.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112221.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112222.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112223.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112224.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112225.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112226.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112227.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112228.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112229.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112230.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112231.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112233.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112234.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112236.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112237.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112238.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112239.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112240.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112241.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Juan Deleted.
A0112242.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0112243.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.Crew Not curable. Moved.
A0112244.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Trojan.Virtumod Deleted.
A0026846.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP43 Trojan.Virtumod Deleted.
A0026847.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP43 Trojan.Virtumod Deleted.
A0030979.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP52 Trojan.Virtumod Deleted.
A0030980.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP52 Trojan.Virtumod Deleted.
A0040343.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP56 Trojan.PWS.Snap Deleted.
A0040916.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040917.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040920.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040921.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040923.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040926.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040927.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040928.exe C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Adware.TopSearch Not curable. Moved.
A0040929.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040930.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040931.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040932.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040933.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040934.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040935.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040936.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040937.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040938.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040939.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040940.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040941.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040942.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040943.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040944.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Not curable. Moved.
A0040946.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040947.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040948.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Juan Deleted.
A0040949.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040950.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040951.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0040952.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0042011.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Trojan.Virtumod Deleted.
A0050618.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP74 Trojan.Virtumod Deleted.
A0059989.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP88 Trojan.Virtumod Deleted.
A0072753.dll C:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP93 Trojan.Virtumod Deleted.
fscax.dll C:\WINDOWS\Downloaded Program Files möglicherweise BINARYRES Not curable. Moved.
sockspy.dll C:\WINDOWS\system32 Tool.SockSpy Not curable. Moved.
mirc.exe F:\Gamers IRC Program.mIRC.621 Not curable. Moved.
A0112308.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Program.mIRC.621 Not curable. Moved.
A0112602.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Adware.SaveNow Not curable. Moved.
A0051554.exe F:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP76 Program.mIRC.617 Not curable. Moved.
A0113618.EXE K:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP110 Joke.MenTest Not curable. Moved.
A0042005.EXE K:\System Volume Information\_restore{EABF8853-0A6D-42F9-80DA-8E1B15E7CD58}\RP58 Joke.Mona Not curable. Moved.
 
Logfile of HijackThis v1.99.1
Scan saved at 14:26:56, on 07.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
F:\D-Link\AirGCFG.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
F:\PowerDVD\PDVDServ.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
F:\BitDefender 8.0\bdnagent.exe
F:\ZoneAlarm\zlclient.exe
F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
F:\AVGas\guard.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
C:\Programme\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\wuauclt.exe
F:\Speed Commander 11\SpeedCommander.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.speedproject.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\DOWNLO~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - F:\DOWNLO~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] F:\D-Link\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] F:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] F:\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [BDNewsAgent] "F:\BitDefender 8.0\bdnagent.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime 7\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVKTray] "F:\AVK-AntiVirusKit 2007\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATI Tray Tools.lnk = K:\Treiber\Grafik\Ati Radeon X800\ATI Tray\atitray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQ 5.1\ICQLite.exe
O9 - Extra button: FreshDownload - {F54C9289-144C-44E2-8FB8-E071DCE9C18F} - F:\Download Manager\FreshDownload\fd.exe
O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} (F-Secure Online Scanner 2.1 (CD version)) - file://C:\Dokumente und Einstellungen\Speedy Gonzalez\Lokale Einstellungen\Temp\OnlineScanner\is2007ols\fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\AVGas\guard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - F:\AVK-AntiVirusKit 2007\AVK\AVKWCtl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope I am clean now ;-)
MoOsE
 
Hello :)

The log is looking clean now. How is the computer working? Any issues?
 
As far as I can see, everything's fine ;-)
No more messages that E-Mails are being sent without my knowledge.
Thank you for enhancing my horizon in tracking malware on my Computer.

So finally, could you give me some tips about preventing these things from happening again (i.e. what are the best virus scanners and firewalls I should use?).
I am open to any other tips you could give me.

Great Forum, keep up the good work! And keep Finland clean :laugh:

Yours,
MoOsE
 
Hi again, that's great news :)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Stay clean and be safe ;)
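The "make your hidden files hidden again" step above is a Folder Options click-through. As an added example that is not part of the thread, the same view settings can be checked and restored from the registry, which is useful when you want to confirm the state after a cleanup rather than trust the dialog. It assumes the Folder Options checkboxes map to the HKCU Explorer\Advanced values named in the comments, which is where Explorer stores them on Windows XP and later; the function names are my own.

```powershell
# Added example (not from the thread): inspect and restore Explorer's hidden-file
# view settings via the registry instead of clicking through Folder Options.
# Assumption: the two Folder Options checkboxes map to these HKCU values.
$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerHiddenFileSettings {
    # Reads the current values and reports them as booleans
    $props = Get-ItemProperty -Path $ExplorerAdvanced
    [pscustomobject]@{
        # Hidden: 1 = "Show hidden files and folders", 2 = "Do not show hidden files and folders"
        ShowHiddenFiles          = ($props.Hidden -eq 1)
        # ShowSuperHidden: 1 = protected OS files visible, 0 = "Hide protected operating system files"
        ShowProtectedSystemFiles = ($props.ShowSuperHidden -eq 1)
    }
}

function Restore-ExplorerHiddenFileDefaults {
    # Windows defaults: hidden files not shown, protected OS files hidden
    Set-ItemProperty -Path $ExplorerAdvanced -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $ExplorerAdvanced -Name ShowSuperHidden -Value 0 -Type DWord
    # Explorer reads these values when it starts; log off and back on (or restart
    # explorer.exe) for open windows to pick them up.
    Get-ExplorerHiddenFileSettings
}

# Show the state before and after restoring the defaults
Get-ExplorerHiddenFileSettings
Restore-ExplorerHiddenFileDefaults
```

Run it in the account whose view settings were changed during the cleanup, since the values live under HKCU and are per user.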
 