Win32.Agent.p3

Yes, let Spybot fix those entries if it can. Keep me updated.
 
Hi Blade81,

Thanks again for the support and advice.

Spybot successfully fixed the four previous entries. I rebooted and ran Spybot again and there were no red items found (i.e. neither Win32.Agent.pz nor other nasties were found).

I shall run the other scans I mentioned when I get home from work today and let you know immediately of the results.

Thank you and I look forward to posting again soon.

Frank
 
Hi Blade81,

I have downloaded the following programs, updated them to the latest version and definition files and then run a full system scan with each program and selected 'scan all files' and 'deep scan'.

Here are the results of the scans I have run and a fresh hijackthis log.

- Are the results from number 8. Malwarebytes Anti-Malware a concern?

- My Windows XP is at SP2 - is it ok to update to SP3 after this episode with Win32.Agent.pz?

I thank you in advance Blade81 and look forward to your next set of instructions.

Frank.

The results for number 8. Malwarebytes Anti-Malware found two directories of Win32.Agent.pz, but the location was different from usual (the wsnpoem directory was always in c:\Windows\System32), whereas Malwarebytes Anti-Malware found them in C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem. I don't know what to make of that.

1. A-squared:
Only 3 minor things found and successfully deleted:
- Detected: Trace.Registry.KaZaA in Key: HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\software\kazaa

- Detected: Riskware.FraudTool.Win32.MalwareProtector.b in C:\Programme\CCleaner\uninst.exe

- Detected: Riskware.RiskTool.Win32.Processor.20 in C:\SDFix\apps\Process.exe AND C:\System Volume Information\_restore{992037BD-89F3-4AA5-8986-374239E70998}\RP3\A0000432.exe/Process.exe

2. Spybot: (Run again after the 4 entries successfully fixed from last post)

Congratulations!: No immediate threats were found.

3. Adaware 2008:

Nothing found.

4. Avira Antivir: No viruses or suspicious files found.

Der Suchlauf wurde vollständig durchgeführt.

7071 Verzeichnisse wurden überprüft
356401 Dateien wurden geprüft
0 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden als verdächtig eingestuft
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
0 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt

5. Rootalyzer (http://forums.spybot.info/showthread.php?t=27368)

Nothing found.

6. Blacklight (http://www.f-secure.com/blacklight/)

Nothing found.

7. SUPERantispyware: Only 5 tracking cookies found and successfully deleted.

Scan type : Complete Scan
Total Scan Time : 00:36:28

Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 4707
Registry threats detected : 0
File items scanned : 68703
File threats detected : 0

Adware.Tracking Cookie
.mediaplex.com [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]

8. Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.18
Database version: 883

21:45:56 2008-06-23
mbam-log-6-23-2008 (21-45-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103277
Time elapsed: 21 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

9. Kaspersky Online Scan:

Scan Statistics:
Total number of scanned objects: 70262
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:26:15

10. AVG Anti-Spyware:

AVG Anti-Spyware - Scan Report
+ Scan result:
Nothing found.
::Report end

11. McAfee Stinger:

Nothing Found

12. HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6087 bytes
 
- Are the results from number 8. Malwarebytes Anti-Malware a concern?
No.

- My Windows XP is at SP2 - is it ok to update to SP3 after this episode with Win32.Agent.pz?
Since your system appears to be clean I see no obstacles for that :)
 
Hi Blade81,

Thank you for the ongoing support and guidance.

I have now completed all of the steps in your post from 22/06/08 21:10pm as well as every single instruction in this whole thread which you advised me to do.

- Is my computer now safe to use for everything except for banking and financial transactions? (Per your information from 22/06/08 19:39pm)

- I have never conducted banking or financial transactions on my computer. Nor have I used it for anything with sensitive information.

- Do I need to change the passwords for my email account (I used Thunderbird) or for my ADSL cable internet provider (in the Router downstairs) or any other passwords for things I use which are not banking, financial transactions related or anything with sensitive information?

- Is there any danger of the passwords from my previous question above having already been stolen and which could be used? Or is there any danger that they could be stolen again (assuming no new infection occurs)?

Thank you again for your time and effort Blade, I really appreciate all your guidance and assistance.

Frank

PS: My computer setup is running:

Windows XP SP3
Firefox 3.0
Zonealarm 7.0.362.000 (I think this is the latest German version on offer)
Avira AntiVir 8
Spybot 1.5.2.20
 
- Do I need to change the passwords for my email account (I used Thunderbird) or for my ADSL cable internet provider (in the Router downstairs) or any other passwords for things I use which are not banking, financial transactions related or anything with sensitive information?
Better safe than sorry :) I'd change the passwords.

- Is there any danger of the passwords from my previous question above having already been stolen and which could be used? Or is there any danger that they could be stolen again (assuming no new infection occurs)?
If no new infections occur, then the chances of passwords being stolen again are smaller. As I said above, I'd probably change the passwords that I've used while the system has been infected.
 
Dear Blade81,

This morning I turned on my computer and I received a warning message from my virus program Avira Antivir which stated the following:

In the file C:\WINDOWS\TEMP\2.tmp a virus or unwanted program 'TR/Dropper.Gen' Trojan was found.

I deleted the file as it appeared to be located in the temp directory which, to the best of my knowledge, only contains unimportant files (e.g. web cache from IE).

Could you please kindly advise the best course of action?

Do I scan my computer with the 11 programs from my last post?

Is this a reinfection from the same trojan 'Win32.Agent.pz'?

Thank you again for your kind assistance and the expert advice.

Frank
 
Hi

I think it's enough to check with Malwarebytes Anti-Malware & Spybot for now.
 
Hi Blade81,

Thanks for the prompt reply!

I shall scan my computer with Spybot and Malwarebytes Anti-Malware when I return home from work.

I shall do this in safemode, then reboot and also post a fresh hijackthis log for your perusal.

Many thanks and I shall post back immediately today after the scans are complete.

Frank
 
Hi Blade81,

Here is the scan result from Spybot (Malwarebytes and a fresh HijackThis log below).

Is this the same infection? I'm not sure how it managed to come back again after the relatively clean scan results from the 11 anti-spyware programs I ran after following all of your instructions.

I don't think either Spybot or Malwarebytes could remove them all. I clicked 'fix' and 'remove all' in Spybot and malwarebytes, however I don't think it got them all.

I look forward to your next set of instructions. Thanks again so much for your help and guidance.

Frank

--- Report generated: 2008-06-26 17:27 ---

Win32.Agent.pz: [SBI $B40811A5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\system32\ntos.exe,...

Win32.Agent.pz: [SBI $689A946A] Library (File, nothing done)
C:\WINDOWS\system32\wsnpoem\audio.dll

Win32.Agent.pz: [SBI $B74832EE] Program directory (Directory, nothing done)
C:\WINDOWS\system32\wsnpoem\

Win32.Agent.pz: [SBI $D372DFBA] Library (File, nothing done)
C:\WINDOWS\system32\wsnpoem\video.dll

Win32.Agent.pz: [SBI $C8DD69EE] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

MS Office 9.0: Recently used files (142 files) (Directory, nothing done)
C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Office\Zuletzt verwendet\

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\ahead\Nero - Burning Rom\General\OFDLastISODir

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: [SBI $BCA8814E] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Internet\UseRWHlinkNavigation

MS Office 9.0: [SBI $DE9A4E33] Access recent file (5 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0: [SBI $DE9A4E33] Access recent file (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): [SBI $D7B04EDB] Open file history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Öffnen\File Name MRU\Value

MS Office 9.0 (Word): [SBI $5773E477] Save file history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Speichern unter\File Name MRU\Value

MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\Excel\Recent Files

MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Excel\Recent Files

MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\PowerPoint\Recent File List

MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\PowerPoint\Recent File List

MS Office 11.0 (Picture Manager): [SBI $2379928F] Last selected folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection

MS Frontpage: [SBI $852712DF] Recent web list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List

MS Frontpage: [SBI $7E259C81] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List

RealOne Player 2 (aka RealPlayer 6.0): [SBI $F369C542] Last login time (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime\

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows.OpenWith: [SBI $5738CAE7] Open with list - .000 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.000\OpenWithList

Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [SBI $F34FE1D0] Open with list - .CUE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUE\OpenWithList

Windows.OpenWith: [SBI $EE2B6116] Open with list - .CXT extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CXT\OpenWithList

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (34 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (172 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (22 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $AA0766B5] Stream history (72 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (11 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (13 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (17 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (202 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (466 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $85C2C910] Last Copy/MoveTo folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: [SBI $0B56E92B] Recent file list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\WinRAR\ArcHistory

WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\WinRAR\General\LastFolder

History: [SBI $49804B54] History (2) (History, nothing done)

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 DS.exe (1.0.0.5)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-18 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-24 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-25 Includes\Keyloggers.sbi (*)
2008-06-24 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-24 Includes\Malware.sbi (*)
2008-06-24 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-06-24 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-18 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-06-24 Includes\Trojans.sbi (*)
2008-06-25 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Here is the result from Malwarebytes:

Malwarebytes' Anti-Malware 1.18
Database version: 893

19:58:13 2008-06-26
mbam-log-6-26-2008 (19-58-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111917
Time elapsed: 1 hour(s), 25 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.

Here is a fresh hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03, on 2008-06-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6487 bytes
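As an added defender's example (not code from this thread or from any of the tools named in it), the following Python script parses the Winlogon\Userinit entry from a Malwarebytes log like the one above and lists the extra executables appended to that value; the log text it uses is constructed from the entries quoted above.

```python
import re

# Stock Userinit value on a default Windows XP install, in the two spellings
# Malwarebytes reports ("Good: (userinit.exe)" vs. the full path variant).
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Constructed sample, copied from the "Registry Data Items Infected" section
# of the Malwarebytes log posted above.
SAMPLE_MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
"""

# Matches the "Bad: (...) Good: (...)" form Malwarebytes uses for a hijacked
# Userinit value; the detection name is captured too.
MBAM_USERINIT = re.compile(
    r"Winlogon\\Userinit \((?P<det>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\)"
    r" Good: \((?P<good>[^)]*)\)"
)


def extra_userinit_entries(value):
    """Return every program in a Userinit value that is not the stock
    userinit.exe. The value is comma separated and normally ends with a
    trailing comma, so empty fields are skipped."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in EXPECTED_USERINIT:
            extras.append(entry)
    return extras


def userinit_hijacks_from_mbam(log_text):
    """Scan a Malwarebytes log for hijacked Userinit values and report the
    detection name plus the foreign executables found in the value."""
    hits = []
    for line in log_text.splitlines():
        m = MBAM_USERINIT.search(line)
        if m:
            hits.append({"detection": m.group("det"),
                         "bad": m.group("bad"),
                         "extras": extra_userinit_entries(m.group("bad"))})
    return hits


if __name__ == "__main__":
    for hit in userinit_hijacks_from_mbam(SAMPLE_MBAM_LOG):
        print(hit["detection"], "->", ", ".join(hit["extras"]))
```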
 
Hi

First of all we need to make sure you keep this system disconnected from the network now until things are (hopefully) solved for sure. You'll need to use a clean system for downloading the necessary tools (use a USB flash memory or other removable media to transfer files). Before disconnecting you can download (if you don't have them already available) the tools we will at least need:
-HijackThis
-SDFix
-ComboFix

The first task is to run SDFix as you did before, and after that is ready, run ComboFix. Post those two logs with a fresh hjt log.
 
Hi Blade81,

Firstly I'd like to sincerely thank you for all your time and effort over the last week.

The assistance and guidance you have provided has been timely, expert and extremely useful.

I have re-considered your post concerning the recommended advice from security experts like yourself of reformatting and re-installing the software.

Given the reappearance of the Trojan, combined with your advice that 'once the system has been compromised you can never 100% trust it again' I have decided to reformat the computer and start from the beginning again by reinstalling everything.

I hope you are not annoyed at my decision, your wise words in the post I mentioned before have finally convinced me that a reinstall and reformat is the best solution.

I can't thank you enough for your time and effort. It's people like yourself who make a real difference in the world and I hope you are appropriately rewarded in life with success and achievement with your goals and dreams.

I won't take up any more of your valuable time as I am conscious of the fact that security experts like yourself are too few and the newbies like me are too many.

I wish you all the best for the future Blade81. Thank you very much, you are really kind!

My Finnish skills are poor, I need to practise Finnish more!

Best wishes and good luck!

Frank
 
Hi Frank

No, I'm not annoyed at your decision. I think it was a wise choice :bigthumb:

Nice to see some written Finnish here too. :laugh:


Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 