Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tr/crypt.xpack.gen


  • Please log in to reply
6 replies to this topic

#1 fatmax7

fatmax7

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 30 March 2008 - 10:17 AM

Hi everyone,

I tried everything. I did an online scan. I the adware thing and spybot scan in safe mode. But AntiVir, the anti-virus program I use, still reports that the trojan horse tr/crypt.xpack.gen is lurking in windows/system32/ssqrpnl.dll. When I start up, I get about 25 alerts from AntiVir saying this trojan horse exists. I also get an alert from AntiVir if I start up any program or if ssqrpnl.dll is scaned by another program (like adware, spybot, etc.) I cannot delete ssqrpnl.dll, even in safe mode.


What to do????? Any ideas???

Thanks!!!!

Fatmax7

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:23, on 30.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
c:ProgrammeHewlett-PackardDrive EncryptionHpFkCrypt.exe
C:WINDOWSSystem32svchost.exe
C:ProgrammeWIDCOMMBluetooth Softwarebinbtwdins.exe
C:WINDOWSsystem32ZoneLabsvsmon.exe
C:WINDOWSsystem32Ati2evxx.exe
C:ProgrammeLavasoftAd-Aware 2007aawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:ProgrammeAviraAntiVir PersonalEdition Classicavguard.exe
C:ProgrammeAviraAntiVir PersonalEdition Classicsched.exe
C:ProgrammeFRITZ!DSLIGDCTRL.EXE
C:ProgrammeGemeinsame DateienInterVideoRegMgriviRegMgr.exe
C:ProgrammeGemeinsame DateienLightScribeLSSrvc.exe
C:ProgrammePDF Completepdfsvc.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:ProgrammeHewlett-PackardSharedhpqwmiex.exe
C:WINDOWSsystem32mqsvc.exe
C:WINDOWSsystem32mqtgsvc.exe
C:WINDOWSExplorer.EXE
C:ProgrammeHewlett-PackardIAMbinasghost.exe
C:ProgrammeAnalog DevicesCoresmax4pnp.exe
C:ProgrammePDF Completepdfsty.exe
C:ProgrammeHewlett-PackardHP ProtectTools Security ManagerPTHOSTTR.EXE
C:ProgrammeSynapticsSynTPSynTPEnh.exe
C:ProgrammeHewlett-PackardHP Wireless AssistantHPWAMain.exe
C:ProgrammeJavajre1.6.0binjusched.exe
C:ProgrammeHewlett-PackardSharedHpqToaster.exe
C:ProgrammeHewlett-PackardHP Quick Launch ButtonsQlbCtrl.exe
C:WINDOWSSMINSTScheduler.exe
C:ProgrammeHpHP Software UpdateHPWuSchd2.exe
C:WINDOWSsystem32AccelerometerSt.exe
C:ProgrammeZone LabsZoneAlarmzlclient.exe
C:ProgrammeGemeinsame DateienRealUpdate_OBrealsched.exe
C:ProgrammeAdobeAcrobat 7.0DistillrAcrotray.exe
C:ProgrammeAviraAntiVir PersonalEdition Classicavgnt.exe
C:WINDOWSsystem32ctfmon.exe
C:ProgrammeATI TechnologiesATI.ACECore-StaticMOM.EXE
C:ProgrammeGemeinsame DateienLightScribeLightScribeControlPanel.exe
C:ProgrammeGemeinsame DateienAheadLibNMBgMonitor.exe
C:ProgrammeGemeinsame DateienAheadLibNMIndexingService.exe
C:ProgrammeGemeinsame DateienAheadLibNMIndexStoreSvr.exe
C:ProgrammeWIDCOMMBluetooth SoftwareBTTray.exe
C:ProgrammeATI TechnologiesATI.ACECore-StaticCCC.exe
C:ProgrammeATI TechnologiesATI.ACECore-Staticccc.exe
C:ProgrammeATI TechnologiesATI.ACECore-Staticccc.exe
C:ProgrammeMozilla Firefoxfirefox.exe
C:Dokumente und EinstellungenAdministratorDesktopHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.hp.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.hp.com
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = fritz.box;192.168.178.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:ProgrammeYahoo!CompanionInstallscpnyt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:ProgrammeYahoo!CompanionInstallscpnyt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:ProgrammeAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program FilesRealRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3D9122CA-C6DA-46CA-8A2E-5C9728E327D8} - C:WINDOWSsystem32ssqrpnl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:ProgrammeSpybot - Search & DestroySDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:ProgrammeJavajre1.6.0binssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:programmegooglegoogletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll
O2 - BHO: (no name) - {C923EAFF-9112-4A13-8ADF-7841896BBB8F} - C:WINDOWSsystem32pmkjg.dll (file missing)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:ProgrammeHewlett-PackardIAMBinItIEAddIn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:programmegooglegoogletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:ProgrammeYahoo!CompanionInstallscpnyt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll
O4 - HKLM..Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM..Run: [SoundMAXPnP] C:ProgrammeAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [SoundMAX] C:ProgrammeAnalog DevicesSoundMAXSmax4.exe /tray
O4 - HKLM..Run: [PDF Complete] "C:ProgrammePDF Completepdfsty.exe"
O4 - HKLM..Run: [PTHOSTTR] C:ProgrammeHewlett-PackardHP ProtectTools Security ManagerPTHOSTTR.EXE /Start
O4 - HKLM..Run: [SynTPEnh] C:ProgrammeSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [hpWirelessAssistant] %ProgramFiles%Hewlett-PackardHP Wireless AssistantHPWAMain.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:ProgrammeJavajre1.6.0binjusched.exe"
O4 - HKLM..Run: [QlbCtrl] %ProgramFiles%Hewlett-PackardHP Quick Launch ButtonsQlbCtrl.exe /Start
O4 - HKLM..Run: [CognizanceTS] rundll32.exe C:PROGRA~1HEWLET~1IAMBinASTSVCC.dll,RegisterModule
O4 - HKLM..Run: [Recguard] C:WINDOWSSminstRecguard.exe
O4 - HKLM..Run: [Reminder] C:WINDOWSCreatorRemind_XP.exe
O4 - HKLM..Run: [Scheduler] C:WINDOWSSMINSTScheduler.exe
O4 - HKLM..Run: [HP Software Update] c:ProgrammeHpHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [Cpqset] C:ProgrammeHewlett-PackardDefault Settingscpqset.exe
O4 - HKLM..Run: [WatchDog] C:ProgrammeInterVideoDVD CheckDVDCheck.exe
O4 - HKLM..Run: [AccelerometerSysTrayApplet] C:WINDOWSsystem32AccelerometerSt.exe
O4 - HKLM..Run: [ZoneAlarm Client] "C:ProgrammeZone LabsZoneAlarmzlclient.exe"
O4 - HKLM..Run: [TkBellExe] "C:ProgrammeGemeinsame DateienRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [Acrobat Assistant 7.0] "C:ProgrammeAdobeAcrobat 7.0DistillrAcrotray.exe"
O4 - HKLM..Run: [NeroFilterCheck] C:ProgrammeGemeinsame DateienAheadLibNeroCheck.exe
O4 - HKLM..Run: [avgnt] "C:ProgrammeAviraAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [StartCCC] C:ProgrammeATI TechnologiesATI.ACECore-StaticCLIStart.exe
O4 - HKCU..Run: [LightScribe Control Panel] C:ProgrammeGemeinsame DateienLightScribeLightScribeControlPanel.exe -hidden
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:ProgrammeGemeinsame DateienAheadLibNMBgMonitor.exe"
O4 - HKCU..Run: [SpybotSD TeaTimer] C:ProgrammeSpybot - Search & DestroyTeaTimer.exe
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:ProgrammeInterVideoDVD CheckDVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:ProgrammeMicrosoft OfficeOffice10OSA.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:ProgrammeWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:ProgrammeAdobeAcrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:ProgrammeJavajre1.6.0binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:ProgrammeJavajre1.6.0binssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:ProgrammeSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:ProgrammeSpybot - Search & DestroySDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammeMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammeMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...262/mcfscan.cab
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:ProgrammeHewlett-PackardIAMBinASWLNPkg.dll
O20 - Winlogon Notify: ssqrpnl - C:WINDOWSSYSTEM32ssqrpnl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:ProgrammeLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:ProgrammeGemeinsame DateienAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:ProgrammeAviraAntiVir PersonalEdition Classicsched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:ProgrammeAviraAntiVir PersonalEdition Classicavguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:ProgrammeFRITZ!DSLIGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:ProgrammeWIDCOMMBluetooth Softwarebinbtwdins.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:ProgrammeGemeinsame DateienAVMde_serv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:ProgrammeGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:ProgrammeHewlett-PackardDrive EncryptionHpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:ProgrammeHewlett-PackardSharedhpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:ProgrammeGemeinsame DateienInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:ProgrammeGemeinsame DateienInterVideoRegMgriviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:ProgrammeGemeinsame DateienLightScribeLSSrvc.exe
O23 - Service: NBService - Nero AG - C:ProgrammeNeroNero 7Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - C:ProgrammeGemeinsame DateienAheadLibNMIndexingService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:WINDOWSSMINSTPCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:ProgrammePDF Completepdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:ProgrammeGemeinsame DateienRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:ProgrammeGemeinsame DateienSureThing Sharedstllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:WINDOWSsystem32ZoneLabsvsmon.exe

--
End of file - 13559 bytes

I guess I should say that I turned off antivir while I was running the other programs... :thumbsup:

Edited by Orange Blossom, 30 March 2008 - 11:54 PM.
Merged posts. ~ OB


BC AdBot (Login to Remove)

 


m

#2 fatmax7

fatmax7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 31 March 2008 - 04:30 AM

In addition to the tr/crypt.xpack.gen problem, I now get an alert about every 10 seconds from Antivir: TR/Vundo.gen is infecting c:\windows\system32\pmkjh.dll . I did an on-line scan without antivir, and somehow things are even more complicated now. Argghh!!!! Help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:12, on 31.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Programme\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Hewlett-Packard\IAM\bin\asghost.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\PDF Complete\pdfsty.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programme\Hewlett-Packard\Shared\HpqToaster.exe
C:\Programme\Java\jre1.6.0\bin\jusched.exe
C:\Programme\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box;192.168.178.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08D8FA95-20D7-4C0A-BABD-E4BFC4E10ED3} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {7e07114f-a077-515a-1df4-49f3d694c5b3} - {3b5c496d-3f94-4fd1-a515-770af41170e7} - C:\WINDOWS\system32\guunqndy.dll (file missing)
O2 - BHO: (no name) - {3D9122CA-C6DA-46CA-8A2E-5C9728E327D8} - C:\WINDOWS\system32\ssqrpnl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C923EAFF-9112-4A13-8ADF-7841896BBB8F} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Programme\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PDF Complete] "C:\Programme\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Programme\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programme\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Programme\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Programme\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...262/mcfscan.cab
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Programme\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O20 - Winlogon Notify: ssqrpnl - C:\WINDOWS\SYSTEM32\ssqrpnl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Programme\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programme\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13712 bytes

#3 fatmax7

fatmax7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 31 March 2008 - 05:04 AM

Got rid of the vundo problem using vundofix which I learned about in another forum!!! Thanks! Now I "just" have the tr/crypt.xpack.gen, which at least does not show up every ten seconds...

Will report back soon (hopefully)

#4 fatmax7

fatmax7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 31 March 2008 - 05:48 AM

VundoFix V7.0.3

Scan started at 11:32:37 31.03.2008

Listing files found while scanning....


VundoFix V7.0.3

Scan started at 11:39:16 31.03.2008

Listing files found while scanning....

C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini2
C:\windows\system32\pmkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

#5 fatmax7

fatmax7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 31 March 2008 - 05:53 AM

I tried SDFix (in safe mode) and it didn't seem to work. I got the following error message (translated from German, may not be exact...):

SDFix
C:\Progra~1\Symantec\S32EVNT1.DLL The initialization of the DLL for a virtual device driver has failed. Click "Close" to end.

So I tried clicking "Close" once and I also tried clicking "ignore." The result was the same: SDFix didn't seem to find Tr/crypt.xpack.gen...

#6 fatmax7

fatmax7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 31 March 2008 - 09:16 AM

Hi, using the recovery console, I was able to delete the offending file. I also went back into the registry and deleted the corresponding references, then went back to Hijackthis and deleted some more things in the registry pertaining to the file in question. Then I re-booted and scanned again and it seems to be gone!!! Actually, everything I needed to know I found somewhere on this forum. Thanks a lot. :thumbsup:

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 03 April 2008 - 03:30 PM

Do you want to post your HijackThis log and I'll take a quick look to make sure you're clean?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users