Can't activate Automatic Windows Update: system32\svchost.exe -k problem?


  • This topic is locked
8 replies to this topic

#1 Karl Fraser

  • Members
  • 4 posts

Posted 25 February 2009 - 01:01 PM

Hi guys! My first real virus problem after 10 years - hope you can help!
First noticed a problem when Automatic Update got deactivated and I couldn't turn it on. The computer slowed down, I couldn't download files using Firefox, which also crashed a few times unexpectedly. I looked into the services and found the file /system32\svchost.exe -k, which even to my amateur eyes looks suspicious. Searching your forums, I guessed ComboFix might fix the problem. So I tried that, and it seemed solved - for a day or so! Now I can't turn Automatic Update on again. What should I do?

DDS (Ver_09-02-01.01) - FAT32x86
Run by Thomas at 18:44:42.71 on 25/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.502.200 [GMT 1:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
SVCHOST.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOKUME~1\Thomas\LOKALE~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Java\jre6\bin\jucheck.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Dokumente und Einstellungen\Thomas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aceradvantage.com/stdreg
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\programme\gemeinsame dateien\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvuRIb.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\programme\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ede8b0d4-c3e4-471e-8007-161b8457c619} - c:\windows\system32\rqRKDtTM.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\programme\gemeinsame dateien\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [AzMixerSel] c:\programme\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\programme\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [Symantec PIF AlertEng] "c:\programme\gemeinsame dateien\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\programme\gemeinsame dateien\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\programme\gemeinsame dateien\symantec shared\ccApp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adober~1.lnk - c:\programme\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\programme\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bleepingcomputer.com\www
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: hgGvuRIb - hgGvuRIb.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvuRIb.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKDtTM

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\thomas\anwend~1\mozilla\firefox\profiles\mk4rr8qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wien.info/wtv/eventdatenbank-d.html|https://login.yahoo.com/config/mail?&.src=ym&.intl=de&.done=http://de.mail.yahoo.com|https://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
FF - component: c:\programme\google\google gears\firefox\components\gears.dll
FF - plugin: c:\programme\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 ccEvtMgr;Symantec Event Manager;c:\programme\gemeinsame dateien\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\programme\gemeinsame dateien\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-6-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-1-14 4010]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\gemeinsame dateien\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-19 99376]
R3 NAVENG;NAVENG;c:\progra~1\gemein~1\symant~1\virusd~1\20090224.017\NAVENG.SYS [2009-2-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\gemein~1\symant~1\virusd~1\20090224.017\NAVEX15.SYS [2009-2-25 876144]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-9-13 4392]
R3 Symantec Core LC;Symantec Core LC;c:\programme\gemeinsame dateien\symantec shared\ccpd-lc\symlcsvc.exe [2009-2-19 1251720]
S2 gupdate1c99352fcc89558;Google Update Service (gupdate1c99352fcc89558);c:\programme\google\update\GoogleUpdate.exe [2009-2-20 133104]

=============== Created Last 30 ================

2009-02-25 09:34 8,267 a--sh--- c:\windows\system32\MTtDKRqr.ini2
2009-02-25 09:34 8,267 a--sh--- c:\windows\system32\MTtDKRqr.ini
2009-02-25 09:34 237,056 a------- c:\windows\system32\rqRKDtTM.dll
2009-02-24 10:44 502 a--sh--- c:\windows\system32\AJSAdccf.ini2
2009-02-24 10:44 502 a--sh--- c:\windows\system32\AJSAdccf.ini
2009-02-24 10:39 <DIR> a-dshr-- C:\cmdcons
2009-02-24 10:37 161,792 a------- c:\windows\SWREG.exe
2009-02-24 10:37 98,816 a------- c:\windows\sed.exe
2009-02-22 18:01 <DIR> --d-h--- c:\windows\PIF
2009-02-21 00:41 <DIR> --d----- c:\programme\Windows Media Connect 2
2009-02-21 00:36 <DIR> --d----- c:\windows\system32\LogFiles
2009-02-21 00:26 <DIR> --d----- c:\windows\RegisteredPackages
2009-02-19 17:42 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys
2009-02-19 17:42 10,537 a------- c:\windows\system32\drivers\COH_Mon.cat
2009-02-19 17:42 706 a------- c:\windows\system32\drivers\COH_Mon.inf
2009-02-19 17:29 16 a------- c:\windows\system32\coh.cache
2009-02-19 16:44 <DIR> --d----- c:\programme\Norton 360
2009-02-19 16:43 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 16:43 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-19 16:43 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-19 16:43 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-19 15:43 47,616 a------- c:\windows\system32\hgGvuRIb.dll
2009-02-16 12:14 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\GoodSync
2009-02-02 16:52 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-01-24 11:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 21:01 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 15:27 395,990 a------- c:\windows\system32\perfh007.dat
2009-01-14 15:27 65,692 a------- c:\windows\system32\perfc007.dat
2009-01-14 00:47 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 23:30 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2008-12-20 23:30 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2008-12-20 23:30 44,544 -------- c:\windows\system32\dllcache\iernonce.dll
2008-12-20 23:30 384,512 -------- c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 23:30 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 23:30 230,400 -------- c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 23:30 153,088 -------- c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 23:30 347,136 -------- c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 23:30 214,528 -------- c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 23:30 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2008-12-20 23:30 124,928 -------- c:\windows\system32\dllcache\advpack.dll
2008-12-20 23:30 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-12-19 10:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 10:09 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 06:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 06:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 11:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-04 19:54 524,288 a------- c:\windows\opuc.dll

============= FINISH: 18:45:27.53 ===============
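
The DDS report above shows one pattern at several persistence points: a module with a random-looking name (hgGvuRIb.dll, rqRKDtTM.dll) registered as a nameless BHO, as a Winlogon Notify package, as a ShellExecuteHook and as an extra LSA authentication package, and the later ComboFix log adds an AppInit_DLLs entry (otbfey.dll) plus Security Center monitoring and the Windows Firewall switched off. The Python script below is an added example for readers of this thread, not code from the poster, the helper, or the DDS/ComboFix/HijackThis tools: it runs a handful of triage rules over log lines copied from the reports above and then correlates any implicated module across the other hook points. Its two baselines (on a stock Windows XP the LSA Authentication Packages value holds only msv1_0 and AppInit_DLLs is empty) are assumptions of this example, marked in the comments.

```python
import re

# Constructed sample: lines copied from the DDS and ComboFix logs posted in this
# thread, with one benign line of each kind kept so the rules have something to ignore.
SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvuRIb.dll
BHO: {ede8b0d4-c3e4-471e-8007-161b8457c619} - c:\windows\system32\rqRKDtTM.dll
Notify: hgGvuRIb - hgGvuRIb.dll
Notify: igfxcui - igfxdev.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvuRIb.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKDtTM
"AppInit_DLLs"=otbfey.dll
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Line shapes as DDS (BHO/Notify/SEH/SSODL/LSA) and ComboFix (REGEDIT4 values) print them.
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s*\{[0-9a-f-]{36}\}\s*-\s*(?P<path>.+?)\s*$", re.I)
HOOK_RE = re.compile(r"^(?P<kind>Notify|SEH|SSODL):\s*(?P<rest>.+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.+?)\s*$", re.I)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(?P<val>.*?)\s*$', re.I)
DISABLE_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1\s*$', re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)

# Assumption of this example: on a stock Windows XP the LSA Authentication Packages
# value holds only msv1_0 and AppInit_DLLs is empty, so anything else is worth a look.
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def stem(path):
    """Module name without directory or extension, lower-cased so hook points can be matched."""
    base = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return (findings, suspects): findings are (rule, line) pairs, suspects the module stems implicated."""
    findings, suspects = [], set()
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: hook points where a non-default module, or a disabled protection, is a finding by itself.
    for ln in lines:
        m = BHO_RE.match(ln)
        if m:
            if not m.group("name"):  # legitimate BHOs carry a class name; these do not
                findings.append(("nameless BHO", ln))
                suspects.add(stem(m.group("path")))
            continue
        m = LSA_RE.match(ln)
        if m:
            for pkg in m.group("pkgs").split():
                if stem(pkg) not in DEFAULT_LSA_PACKAGES:
                    findings.append(("extra LSA authentication package", ln))
                    suspects.add(stem(pkg))
            continue
        m = APPINIT_RE.match(ln)
        if m and m.group("val"):
            findings.append(("AppInit_DLLs set", ln))
            suspects.update(stem(d) for d in re.split(r"[ ,;]+", m.group("val")) if d)
            continue
        if DISABLE_RE.match(ln):
            findings.append(("Security Center monitoring disabled", ln))
        elif FIREWALL_RE.match(ln):
            findings.append(("Windows Firewall disabled", ln))

    # Pass 2: any other hook point that loads a module already implicated above.
    for ln in lines:
        m = HOOK_RE.match(ln)
        if m and stem(m.group("rest").rsplit(" - ", 1)[-1]) in suspects:
            findings.append((m.group("kind") + " entry reuses a suspect module", ln))
    return findings, suspects


if __name__ == "__main__":
    found, mods = triage(SAMPLE_LOG)
    for rule, line in found:
        print(f"[{rule}] {line}")
    print("suspect modules:", ", ".join(sorted(mods)))
```

Run as-is it reports eight findings from the sample and names hgGvuRIb, rqRKDtTM and otbfey as the modules to pull; a full DDS or ComboFix report can be fed through `triage(open(path).read())`. A DisableMonitoring hit is a prompt to verify rather than proof on its own, since some security suites set those values themselves; in this thread it lines up with the ComboFix header reporting Norton's on-access scanning and firewall as disabled, which is the more telling sign.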


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 February 2009 - 06:08 PM

Hello Karl Fraser,


Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer. Let's get a fresh copy now.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Karl Fraser
  • Topic Starter

  • Members
  • 4 posts

Posted 26 February 2009 - 07:56 AM

Thanks for the quick reply!!! Here is the new ComboFix log and HijackThis log. Karl

ComboFix 09-02-25.02 - Thomas 2009-02-26 9:47:19.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.502.142 [GMT 1:00]
Running from: c:\dokumente und einstellungen\Thomas\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *disabled*
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aJRAdMoq.ini
c:\windows\system32\aJRAdMoq.ini2
c:\windows\system32\otbfey.dll
c:\windows\system32\qoMdARJa.dll
c:\windows\system32\sajedymt.dll

.
((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 ))))))))))))))))))))))))))))))
.

2009-02-22 18:01 . 2009-02-22 18:01 <DIR> d--h----- c:\windows\PIF
2009-02-21 00:41 . 2009-02-21 00:41 <DIR> d-------- c:\programme\Windows Media Connect 2
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-20 13:01 . 2009-02-20 13:01 <DIR> d-------- c:\programme\Google
2009-02-19 17:42 . 2008-07-30 17:42 23,888 --a------ c:\windows\system32\drivers\COH_Mon.sys
2009-02-19 17:42 . 2008-07-30 17:28 10,537 --a------ c:\windows\system32\drivers\COH_Mon.cat
2009-02-19 17:42 . 2008-07-30 17:28 706 --a------ c:\windows\system32\drivers\COH_Mon.inf
2009-02-19 17:29 . 2009-02-19 17:29 16 --a------ c:\windows\system32\coh.cache
2009-02-19 16:44 . 2009-02-19 16:44 <DIR> d-------- c:\programme\Norton 360
2009-02-19 16:43 . 2009-02-19 17:33 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 16:43 . 2009-02-19 17:33 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-19 16:43 . 2009-02-19 17:33 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-19 16:43 . 2009-02-19 17:33 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-19 15:43 . 2009-02-19 15:43 47,616 --a------ c:\windows\system32\hgGvuRIb.dll
2009-02-16 12:14 . 2009-02-16 12:14 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\GoodSync
2009-02-04 14:30 . 2009-02-04 14:30 <DIR> d-------- c:\windows\Sun
2009-02-02 16:58 . 2009-02-02 16:58 <DIR> d-------- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten\GoodSync
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Vorlagen
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Startmenü
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Netzwerkumgebung
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Lokale Einstellungen
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Favoriten
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Eigene Dateien
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Druckumgebung
2009-02-02 16:52 . 2006-08-25 07:51 <DIR> d-------- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten\Acer
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> dr-h----- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> d-------- c:\dokumente und einstellungen\Terrestra
2009-02-02 16:52 . 2008-04-14 03:22 221,184 --a------ c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 10:26 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-24 10:26 --------- d-----w c:\programme\Java
2009-01-21 15:48 --------- d-----w c:\dokumente und einstellungen\Perpetuas Garden\Anwendungsdaten\AdobeUM
2009-01-19 18:22 --------- d-----w c:\dokumente und einstellungen\Ioanna\Anwendungsdaten\Symantec
2009-01-17 13:20 --------- d-----w c:\programme\T-Mobile
2009-01-16 20:01 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 11:29 --------- d-----w c:\dokumente und einstellungen\Ioanna\Anwendungsdaten\Skype
2009-01-16 10:34 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\AdobeUM
2009-01-15 11:19 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\skypePM
2009-01-15 11:17 --------- d-----w c:\programme\Skype
2009-01-15 11:17 --------- d-----w c:\programme\Gemeinsame Dateien\Skype
2009-01-15 11:17 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Skype
2009-01-15 11:16 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-01-14 14:30 --------- d-----w c:\programme\Browser Mouse
2009-01-14 11:36 --------- d-----w c:\programme\MSXML 4.0
2009-01-14 11:03 --------- d-----w c:\dokumente und einstellungen\Perpetuas Garden\Anwendungsdaten\GoodSync
2009-01-14 09:13 --------- d-----w c:\programme\Siber Systems
2009-01-14 09:13 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\GoodSync
2009-01-14 08:40 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\OfficeUpdate12
2009-01-14 08:37 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Office Genuine Advantage
2009-01-14 08:26 --------- d-----w c:\programme\Microsoft.NET
2009-01-14 08:26 --------- d-----w c:\programme\Microsoft ActiveSync
2009-01-13 23:15 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\CyberLink
2009-01-13 22:17 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Symantec
2009-01-13 22:03 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-13 20:33 --------- d-----w c:\programme\Symantec
2009-01-13 20:06 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\CyberLink
2008-12-20 22:30 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-12-20 22:30 6,066,688 ------w c:\windows\system32\dllcache\ieframe.dll
2008-12-20 22:30 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
2008-12-20 22:30 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 22:30 347,136 ------w c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
2008-12-20 22:30 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30 214,528 ------w c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 22:30 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2008-12-20 22:30 124,928 ------w c:\windows\system32\dllcache\advpack.dll
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-04 18:54 524,288 ----a-w c:\windows\opuc.dll
.

(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-19 15:43 47616 --a------ c:\windows\system32\hgGvuRIb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"AzMixerSel"="c:\programme\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"Symantec PIF AlertEng"="c:\programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"ccApp"="c:\programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Reader Speed Launch.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\hgGvuRIb.dll" [2009-02-19 47616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGvuRIb]
2009-02-19 15:43 47616 c:\windows\system32\hgGvuRIb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=otbfey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-19 99376]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-09-13 4392]
S2 gupdate1c99352fcc89558;Google Update Service (gupdate1c99352fcc89558);c:\programme\Google\Update\GoogleUpdate.exe [2009-02-20 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0680d010-e498-11dd-816d-0016d41e5db9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0680d011-e498-11dd-816d-0016d41e5db9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad510554-e60a-11dd-8170-0016d41e5db9}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-20 13:01]
.
- - - - Orphaned Registry Entries Removed - - - -

BHO-{9E600C32-E87B-4872-AE3E-ED0B4D2D843A} - c:\windows\system32\qoMdARJa.dll
BHO-{f160285c-efa2-46b2-8ebd-c83a476d0bb4} - c:\windows\system32\otbfey.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Mozilla\Firefox\Profiles\mk4rr8qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wien.info/wtv/eventdatenbank-d.html|https://login.yahoo.com/config/mail?&.src=ym&.intl=de&.done=http://de.mail.yahoo.com|https://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
FF - component: c:\programme\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\programme\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 09:51:53
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\hgGvuRIb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\programme\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCSVCHST.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\programme\JAVA\JRE6\BIN\JQS.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\dokume~1\Thomas\LOKALE~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-02-26 9:54:24 - machine was rebooted
ComboFix2.txt 2009-02-25 18:21:00
ComboFix-quarantined-files.txt 2009-02-26 08:54:22

Pre-Run: 15 directories, 31,853,772,800 bytes free
Post-Run: 15 directories, 31,835,881,472 bytes free

213 --- E O F --- 2009-02-25 18:15:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:00 AM, on 26/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOKUME~1\Thomas\LOKALE~1\Temp\RtkBtMnt.exe
C:\Dokumente und Einstellungen\Thomas\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears-Einstellungen - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: otbfey.dll
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate1c99352fcc89558) (gupdate1c99352fcc89558) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8012 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:14 PM

Posted 26 February 2009 - 04:43 PM

Hello,

You're welcome. :)

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

File::
c:\windows\system32\hgGvuRIb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGvuRIb]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please also let me know how it's running now. See if you can update Windows now. Your Norton subscription is outdated? I can make some suggestions on good and free AntiVirus programs if you need them.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?
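The CFScript above removes three kinds of persistence that show up as distinct HijackThis line types: a Browser Helper Object (O2), a winlogon notify package, and the AppInit_DLLs value (O20, which in the earlier log pointed at otbfey.dll). As an added example that is not code from this thread, nor from HijackThis or ComboFix, here is a small Python triage script that applies the same reading a responder gives such a log: it parses O2, O20 and O23 lines and reports the entries worth a closer look, without changing anything on the machine. The sample log lines are constructed from identifiers that appear in this thread; the pairing of the BHO CLSID with hgGvuRIb.dll in the first sample line is an assumption made for the example.

```python
"""Triage a HijackThis-style log for the persistence points this thread removes.

Added example, not code from the thread or from HijackThis/ComboFix.  It
flags three line types: O20 AppInit_DLLs entries (a DLL loaded into every
process that links user32.dll), O2 Browser Helper Objects with no name, and
O23 services with an unknown owner or a missing binary.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines in the thread.  The first O2 line
# combines the BHO CLSID and the DLL that the CFScript removes; that pairing
# is an assumption made for this example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGvuRIb.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: otbfey.dll
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # the log line that produced the finding
    reason: str    # why a responder should look at it


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O20/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = APPINIT_RE.match(line)
        if m:
            # user32.dll loads every DLL listed here into each process that
            # links it, so on XP any non-empty value deserves attention.
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                findings.append(Finding(
                    "high", line,
                    f"AppInit_DLLs injects {dll} into every user32 process"))
            continue

        m = BHO_RE.match(line)
        if m and m.group("name") == "(no name)":
            # Legitimate BHOs almost always register a display name.
            findings.append(Finding(
                "medium", line,
                f"BHO with no name loads {m.group('path')} into Internet Explorer"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("no company name in the service binary's version information")
            if m.group("path").endswith("(file missing)"):
                reasons.append("registered service binary is missing from disk")
            if reasons:
                findings.append(Finding("low", line, "; ".join(reasons)))
    return findings


def worst(findings: list):
    """Highest severity present, or None when the log is clean."""
    return min((f.severity for f in findings), key=SEVERITY_ORDER.get, default=None)


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: SEVERITY_ORDER[f.severity]):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the constructed sample, the script ranks the AppInit_DLLs entry above the nameless BHO, and the "Unknown owner" / "(file missing)" service last; that is the order a responder would investigate them, since an AppInit DLL runs in every GUI process while a missing service binary is usually just leftover from an uninstall.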

#5 Karl Fraser

Karl Fraser
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 02 March 2009 - 03:10 PM

Here you go. Seems to be ok now.

ComboFix 09-02-25.02 - Thomas 2009-03-02 19:33:18.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.502.150 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Thomas\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Thomas\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *disabled*
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
c:\windows\system32\hgGvuRIb.dll
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hgGvuRIb.dll

.
((((((((((((((((((((((( Dateien erstellt von 2009-02-02 bis 2009-03-02 ))))))))))))))))))))))))))))))
.

2009-02-22 18:01 . 2009-02-22 18:01 <DIR> d--h----- c:\windows\PIF
2009-02-21 00:41 . 2009-02-21 00:41 <DIR> d-------- c:\programme\Windows Media Connect 2
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-20 13:01 . 2009-02-20 13:01 <DIR> d-------- c:\programme\Google
2009-02-19 17:42 . 2008-07-30 17:42 23,888 --a------ c:\windows\system32\drivers\COH_Mon.sys
2009-02-19 17:42 . 2008-07-30 17:28 10,537 --a------ c:\windows\system32\drivers\COH_Mon.cat
2009-02-19 17:42 . 2008-07-30 17:28 706 --a------ c:\windows\system32\drivers\COH_Mon.inf
2009-02-19 17:29 . 2009-02-19 17:29 16 --a------ c:\windows\system32\coh.cache
2009-02-19 16:44 . 2009-02-19 16:44 <DIR> d-------- c:\programme\Norton 360
2009-02-19 16:43 . 2009-02-19 17:33 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 16:43 . 2009-02-19 17:33 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-19 16:43 . 2009-02-19 17:33 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-19 16:43 . 2009-02-19 17:33 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-16 12:14 . 2009-02-16 12:14 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\GoodSync
2009-02-04 14:30 . 2009-02-04 14:30 <DIR> d-------- c:\windows\Sun
2009-02-02 16:58 . 2009-02-02 16:58 <DIR> d-------- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten\GoodSync
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Vorlagen
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Startmenü
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Netzwerkumgebung
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Lokale Einstellungen
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Favoriten
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> dr------- c:\dokumente und einstellungen\Terrestra\Eigene Dateien
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> d--h----- c:\dokumente und einstellungen\Terrestra\Druckumgebung
2009-02-02 16:52 . 2006-08-25 07:51 <DIR> d-------- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten\Acer
2009-02-02 16:52 . 2006-08-25 07:12 <DIR> dr-h----- c:\dokumente und einstellungen\Terrestra\Anwendungsdaten
2009-02-02 16:52 . 2009-02-02 16:52 <DIR> d-------- c:\dokumente und einstellungen\Terrestra
2009-02-02 16:52 . 2008-04-14 03:22 221,184 --a------ c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 10:26 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-24 10:26 --------- d-----w c:\programme\Java
2009-01-21 15:48 --------- d-----w c:\dokumente und einstellungen\Perpetuas Garden\Anwendungsdaten\AdobeUM
2009-01-19 18:22 --------- d-----w c:\dokumente und einstellungen\Ioanna\Anwendungsdaten\Symantec
2009-01-17 13:20 --------- d-----w c:\programme\T-Mobile
2009-01-16 20:01 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 11:29 --------- d-----w c:\dokumente und einstellungen\Ioanna\Anwendungsdaten\Skype
2009-01-16 10:34 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\AdobeUM
2009-01-15 11:19 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\skypePM
2009-01-15 11:17 --------- d-----w c:\programme\Skype
2009-01-15 11:17 --------- d-----w c:\programme\Gemeinsame Dateien\Skype
2009-01-15 11:17 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Skype
2009-01-15 11:16 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-01-14 14:30 --------- d-----w c:\programme\Browser Mouse
2009-01-14 11:36 --------- d-----w c:\programme\MSXML 4.0
2009-01-14 11:03 --------- d-----w c:\dokumente und einstellungen\Perpetuas Garden\Anwendungsdaten\GoodSync
2009-01-14 09:13 --------- d-----w c:\programme\Siber Systems
2009-01-14 09:13 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\GoodSync
2009-01-14 08:40 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\OfficeUpdate12
2009-01-14 08:37 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Office Genuine Advantage
2009-01-14 08:26 --------- d-----w c:\programme\Microsoft.NET
2009-01-14 08:26 --------- d-----w c:\programme\Microsoft ActiveSync
2009-01-13 23:15 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\CyberLink
2009-01-13 22:17 --------- d-----w c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Symantec
2009-01-13 22:03 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-13 20:33 --------- d-----w c:\programme\Symantec
2009-01-13 20:06 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\CyberLink
2008-12-20 22:30 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-12-20 22:30 6,066,688 ------w c:\windows\system32\dllcache\ieframe.dll
2008-12-20 22:30 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
2008-12-20 22:30 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 22:30 347,136 ------w c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
2008-12-20 22:30 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30 214,528 ------w c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 22:30 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2008-12-20 22:30 124,928 ------w c:\windows\system32\dllcache\advpack.dll
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-04 18:54 524,288 ----a-w c:\windows\opuc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-26_ 9.53.21.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-02 18:36:06 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_5e4.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"AzMixerSel"="c:\programme\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"Symantec PIF AlertEng"="c:\programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"ccApp"="c:\programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Adobe Reader Speed Launch.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-19 99376]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-09-13 4392]
S2 gupdate1c99352fcc89558;Google Update Service (gupdate1c99352fcc89558);c:\programme\Google\Update\GoogleUpdate.exe [2009-02-20 133104]

--- Andere Dienste/Treiber im Speicher ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0680d010-e498-11dd-816d-0016d41e5db9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0680d011-e498-11dd-816d-0016d41e5db9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad510554-e60a-11dd-8170-0016d41e5db9}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad510555-e60a-11dd-8170-0016d41e5db9}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Inhalt des "geplante Tasks" Ordners

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-02-20 13:01]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
FF - ProfilePath - c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Mozilla\Firefox\Profiles\mk4rr8qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wien.info/wtv/eventdatenbank-d.html|https://login.yahoo.com/config/mail?&.src=ym&.intl=de&.done=http://de.mail.yahoo.com|https://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
FF - component: c:\programme\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\programme\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 19:36:36
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCSVCHST.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\programme\JAVA\JRE6\BIN\JQS.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\dokume~1\Thomas\LOKALE~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-03-02 19:38:27 - PC wurde neu gestartet
ComboFix3.txt 2009-02-25 18:21:00
ComboFix-quarantined-files.txt 2009-03-02 18:38:26
ComboFix2.txt 2009-02-26 08:54:28

Vor Suchlauf: 15 Verzeichnis(se), 31,796,887,552 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 31,776,866,304 Bytes frei

203 --- E O F --- 2009-02-25 18:15:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:05 PM, on 02/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOKUME~1\Thomas\LOKALE~1\Temp\RtkBtMnt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
C:\Dokumente und Einstellungen\Thomas\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2955889446-849446271-4080665802-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Ioanna')
O4 - HKUS\S-1-5-21-2955889446-849446271-4080665802-1008\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Perpetuas Garden')
O4 - HKUS\S-1-5-21-2955889446-849446271-4080665802-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Terrestra')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears-Einstellungen - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programme\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate1c99352fcc89558) (gupdate1c99352fcc89558) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9005 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:14 PM

Posted 03 March 2009 - 01:24 AM

Hello,

Looks to be okay too.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Karl Fraser
  • Topic Starter
  • Members
  • 4 posts

Posted 03 March 2009 - 04:08 AM

Thanks so much, Tea, greatly appreciate all your help! Will make a donation to the PayPal account. Just need to set up an account first....

Karl Fraser

#8 teacup61
  • Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 03 March 2009 - 12:45 PM

You're most welcome. :thumbup2:

#9 teacup61
  • Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 08 March 2009 - 05:05 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



