
Pls Check This Log


14 replies to this topic

#1 Jessie21

Posted 01 July 2007 - 03:14 PM

Hi!
I've had some problems with my PC this weekend, some people helped me to fix it till now, but there are still trojans, unneeded progs I can't delete or whatever on it!
Pls take a look.

Logfile of HijackThis v1.99.1
Scan saved at 22:10:19, on 01.07.2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AntiVir PersonalEdition Classic\avguard.exe
E:\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Opera\Opera.exe
C:\Programme\RogueRemover\RogueRemover.exe
C:\Dokumente und Einstellungen\Auriflora\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von chello broadband n.v.
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {1d1b60fd-b21f-4b9a-8a5f-64e8544828d7} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Ulead Photo Express 5 SE Calendar Checker] C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WA6PU_Check] "C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tiqprvyr.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kp.bar.need2find.com/KP/menusearch.html?p=KP
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\phlinqbe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


I have also a log from RogueRemover, here it is.
RR deleted the progs after rebooting!

Malwarebytes' RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
5397 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: File
Vendor: WinAntiVirus 2006
Location: C:\WINDOWS\System32\av.cpl
Selected for removal: No

Type: File
Vendor: WinAntiVirus 2006
Location: C:\WINDOWS\System32\stera.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Dokumente und Einstellungen\Auriflora\Desktop\DriveCleaner Free.lnk
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\unins000.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\unins000.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\unins001.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\unins001.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\UDC.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\UDCPChk.dll
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\remnag.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\UDC.xml
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\InstHelp.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\udc6cw.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\pv.exe
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Activate.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\up.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\vbpv.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\lapv.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\bnlink.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\pv.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\license.rtf
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\readme.rtf
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\atl71.dll
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\mfc71.dll
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\msvcp71.dll
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\msvcr71.dll
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\uninstall.ico
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\UDC6U.url
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\support.url
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\manual.url
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\updater.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\err.log
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\AV.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\ResErrors.log
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Schedule.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\sr.log
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\ScanReport.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UVidStud.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WebFeret.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WebReap.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WinACE.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WinGate.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WinRAR.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WinZIP.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\WiseInst.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\YahooPl.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\ZipMagic.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\pfilelst.xda
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\wordslst.xda
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\AE_CD_Cr.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\AReadr4.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\AReadr5.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\ASDSEEpv.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\ASPack.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\Babylon.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\BDelphi5.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CatchUp.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CBuildr5.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CCGA.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CManager.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CuteFTP4.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\CuteHTML.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\DAcceler.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\DiscJug.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\ECDCreat4.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\Far.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FFTsks.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FlashFXP.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FrntPage.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FrontPEx.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FtpEXP.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\FtpVoya.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\GetRight.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\GoZilla.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\GravMRU.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\HomeSite.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\HotDogPr.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\H_TxtPad.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\IconExtr.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\iMesh.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\ImgReady3.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\InsShExp.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\JASC_P_P.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\KaZaA.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\LView.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MacDir.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MacDrWea.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MicAng.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MicDes.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MMUnDisk.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MM_CON.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\Morpheus.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MPaint.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MPicPub.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MPImaGal.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MSExplorer.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MSoffice.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MSRegEdit.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MSWMP.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\MSWordPad.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\Nero.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\NetShow.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\NTBackup.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\PhotShel.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\PHPCoder.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\PowerZIP.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\RapidBr.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\RealAuPl.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\RealDown.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\SecurCRT.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\SL_BlWin.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\SmartClr.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\Sonique.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\StuffIt.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\TelepPro.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UGifAnim.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UltraEd.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UMedStud.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UPhImpV.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\UPhotoEx.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase\VNC.dat
Selected for removal: Yes

Type: File
Vendor: DriveCleaner 2006
Location: C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\unins000.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\unins000.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\reform.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\License.rtf
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\fat.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\worldmap.swf
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\BkSites.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\integrity.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\rbho.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\PGE.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\pv.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\up.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\st.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\lapv.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\forum.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\bnlink.dat
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\WinAV.xml
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007\scnkrnl.dll
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2007\wa7pinst.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2007\uwa7pcw.exe
Selected for removal: Yes

Type: File
Vendor: WinAntiVirus 2007
Location: C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2007\WAPChk.dll
Selected for removal: Yes

Type: Folder
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free
Selected for removal: Yes

Type: Folder
Vendor: DriveCleaner 2006
Location: C:\Programme\DriveCleaner Free\Appbase
Selected for removal: No

Type: Folder
Vendor: DriveCleaner 2006
Location: C:\Programme\Gemeinsame Dateien\DriveCleaner Free
Selected for removal: Yes

Type: Folder
Vendor: WinAntiVirus 2007
Location: C:\Programme\WinAntiVirus Pro 2007
Selected for removal: Yes

Type: Folder
Vendor: WinAntiVirus 2007
Location: C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2007
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CURRENT_USER\Software\DriveCleaner Free
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CLASSES_ROOT\CLSID\{943B96A4-9BF6-42fe-8D0B-4BCA71C3632F}
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CLASSES_ROOT\Interface\{5954B2DB-09A7-4023-847C-107539DC560D}
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CLASSES_ROOT\TypeLib\{4F43B1F3-0CE8-493B-96D2-990CEC05EDBB}
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CLASSES_ROOT\UDCPChk.UDCPChk
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_CLASSES_ROOT\UDCPChk.UDCPChk.1
Selected for removal: Yes

Type: Registry Key
Vendor: DriveCleaner 2006
Location: HKEY_LOCAL_MACHINE\SOFTWARE\DriveCleaner Free
Selected for removal: Yes

Type: Registry Key
Vendor: WinAntiVirus 2007
Location: HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2007
Selected for removal: Yes

RogueRemover has found the objects above.

Thx very much, Jessie

Edited by Jessie21, 01 July 2007 - 03:17 PM.
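The entries a helper looks at first in a log like the one above are the ones whose target no longer exists ("(no file)", "(file missing)"), services with no publisher ("Unknown owner"), and autoruns that load a DLL or EXE with a machine-generated-looking name out of System32. As an added example that is not part of the thread and not code from HijackThis or BleepingComputer, here is a small Python triage script that applies exactly those checks to lines in the HijackThis entry format. The sample input is constructed from the entry format shown above (it reuses a few of the entries from this log); the "eight lowercase letters" test for generated file names is a heuristic chosen for this example, not a rule stated on the page.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the entry format in the log above.
SAMPLE_LOG = r"""
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tiqprvyr.dll",forkonce
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\phlinqbe.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


@dataclass
class Finding:
    section: str                 # HijackThis section, e.g. "O4" or "O23"
    line: str                    # the full log line that was flagged
    reasons: list = field(default_factory=list)


# "O4 - <body>": section code, separator, rest of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# rundll32[.exe] ["]<dir>\<name>.dll  -> captures just the DLL file name.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?:[^"\s]*[\\/])?(?P<dll>[^\\/"\s,]+\.dll)', re.IGNORECASE)
# Last " - <drive>:\path" of an O23 line, with an optional "(file missing)" suffix.
SERVICE_PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\[^()]+?)(?: \(file missing\))?\s*$")
# Heuristic (assumption of this example): eight lowercase letters and nothing else
# is the typical shape of a machine-generated dropper file name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")


def looks_generated(filename: str) -> bool:
    """True if the bare file name matches the generated-name heuristic."""
    return bool(RANDOM_NAME_RE.match(filename))


def check_entry(section: str, body: str, line: str):
    """Apply the triage checks to one entry; return a Finding or None."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("target no longer exists on disk: orphaned entry, safe to clean")
    if section == "O4":
        m = RUNDLL_RE.search(body)
        if m and looks_generated(m.group("dll")):
            reasons.append(f"rundll32 autorun loads {m.group('dll')}, a machine-generated-looking name")
    if section == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher (Unknown owner)")
        m = SERVICE_PATH_RE.search(body)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1]
            if looks_generated(name):
                reasons.append(f"service binary {name} has a machine-generated-looking name")
    return Finding(section, line, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Return one Finding per flagged entry, in the order the lines appear."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        finding = check_entry(m.group("section"), m.group("body"), line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the constructed sample it flags the orphaned O3 and O18 entries, the O4 rundll32 autorun, and the O23 service with three reasons at once, while the Easy-WebPrint toolbar, the NVIDIA rundll32 entry and the Zone Labs service pass untouched. The checks only rank entries for a human to look at; a flagged line still needs the file's publisher and hash checked before anything is removed.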



#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team

Posted 01 July 2007 - 03:17 PM

Hello Jessie21 and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Jessie21

  • Topic Starter

Posted 01 July 2007 - 05:37 PM

Thanks Yourhighness!

It's very nice that you check all this stuff!
Jessie

Edited by Jessie21, 01 July 2007 - 05:39 PM.


#4 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team

Posted 02 July 2007 - 02:21 PM

Hallo jessie,

Danke / thanks for joining BleepingComputer as suggested. Makes the rest go easier :thumbsup:

Step #1

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKLM\..\Run: [WA6PU_Check] "C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tiqprvyr.dll",forkonce
O8 - Extra context menu item: &Search - http://kp.bar.need2find .com/KP/menusearch.html?p=KP
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\phlinqbe.exe (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Step #3

Please copy and paste the following text into Notepad:

sc stop DomainService
sc delete DomainService
del services.bat

Save this as "services.bat" (choose to save as *all files*) and place it on your Desktop.
Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

Step #4

Please now delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe
C:\WINDOWS\System32\tiqprvyr.dll
C:\WINDOWS\System32\phlinqbe.exe


Step #5

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #6

Since you said that there are some tools on your PC you do not recall installing, please do the following:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location
Now please report back with a fresh HijackThis log and the Uninstall list.

Thanks / Danke Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts

Posted 02 July 2007 - 03:59 PM

Hi!
Before I start with Step 3, here is the log from Vundofix and Hijack.

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 22:35:02 02.07.2007

Listing files found while scanning....

C:\windows\system32\cbfelrlk.dll
C:\windows\system32\drhckewl.dll
C:\WINDOWS\System32\ejbboapv.dll
C:\WINDOWS\System32\jjkkj.bak1
C:\WINDOWS\System32\jjkkj.bak2
C:\WINDOWS\System32\jjkkj.ini
C:\WINDOWS\System32\jjkkj.ini2
C:\WINDOWS\System32\jkkjj.dll
C:\windows\system32\klrlefbc.ini
C:\windows\system32\lwekchrd.ini
C:\windows\system32\ryvrpqit.ini
C:\windows\system32\tiqprvyr.dll

Beginning removal...

 Attempting to delete C:\windows\system32\cbfelrlk.dll
C:\windows\system32\cbfelrlk.dll Has been deleted!

 Attempting to delete C:\windows\system32\drhckewl.dll
C:\windows\system32\drhckewl.dll Has been deleted!

 Attempting to delete C:\WINDOWS\System32\ejbboapv.dll
C:\WINDOWS\System32\ejbboapv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jjkkj.bak1
C:\WINDOWS\System32\jjkkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jjkkj.bak2
C:\WINDOWS\System32\jjkkj.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jjkkj.ini
C:\WINDOWS\System32\jjkkj.ini Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jjkkj.ini2
C:\WINDOWS\System32\jjkkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jkkjj.dll
C:\WINDOWS\System32\jkkjj.dll Has been deleted!

 Attempting to delete C:\windows\system32\klrlefbc.ini
C:\windows\system32\klrlefbc.ini Has been deleted!

 Attempting to delete C:\windows\system32\lwekchrd.ini
C:\windows\system32\lwekchrd.ini Has been deleted!

 Attempting to delete C:\windows\system32\ryvrpqit.ini
C:\windows\system32\ryvrpqit.ini Has been deleted!

 Attempting to delete C:\windows\system32\tiqprvyr.dll
C:\windows\system32\tiqprvyr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 22:58:05, on 02.07.2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AntiVir PersonalEdition Classic\avguard.exe
E:\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Opera\Opera.exe
C:\Dokumente und Einstellungen\Auriflora\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von chello broadband n.v.
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {1d1b60fd-b21f-4b9a-8a5f-64e8544828d7} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {20ACCED3-E7BE-4175-9E5C-2BAB955789B5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - (no file)
O2 - BHO: (no name) - {BC5B0C83-56F4-4924-878C-C7035B93FF1B} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O2 - BHO: (no name) - {E710E0BB-FB74-4A43-9F31-E313FFFDE8EF} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Ulead Photo Express 5 SE Calendar Checker] C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcbxvu - ddcbxvu.dll (file missing)
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

I hope I did everything right so far.

Thank you, Jessie

Edited by Jessie21, 02 July 2007 - 04:02 PM.


#6 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts

Posted 02 July 2007 - 04:21 PM

Here I am again, I've finished with all steps now,
only two things to say:
I haven't found ANY of these files (Step 4)
C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe
C:\WINDOWS\System32\tiqprvyr.dll
C:\WINDOWS\System32\phlinqbe.exe

and the second thing is, I haven't found these files in the HijackThis list (Step 2)
O4 - HKLM\..\Run: [WA6PU_Check] "C:\Programme\Gemeinsame Dateien\DriveCleaner Free\udcwap.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tiqprvyr.dll",forkonce

But I'm very tired, maybe I can't see clear anymore *g*

Here is the last HijackThis log and the Uninstall List below!
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
ArcSoft PhotoStudio 5.5
ATI Display Driver
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
Canon CanoScan Toolbox 4.9
Canon iP1600
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CCleaner (remove only)
CD-Druckerei
chello launcher
DAEMON Tools
Easy-WebPrint
HijackThis 1.99.1
ICQ  Toolbar
ICQ 5.1
J2SE Runtime Environment 5.0 Update 6
JAP
Java 2 Runtime Environment, SE v1.4.2_03
Manual CanoScan LiDE 25
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Mozilla Firefox (2.0.0.4)
MSN Messenger 7.5
MSN Toolbar
Nero - Burning Rom
Nero 7 Premium
Nero Sipps
NVIDIA Drivers
NVIDIA nForce Treiber für Windows 2000/XP
OmniPage SE 2.0
Opera 9.0
PowerDVD
QuickTime
RealPlayer
RogueRemover 1.20
Sony Ericsson PC Suite 1.20.224
Sound Blaster Live!
Ulead Photo Express 5 SE
USB PC Camera
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinRAR Archivierer
Yahoo! Extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar mit Pop-Up-Blocker
ZoneAlarm

Logfile of HijackThis v1.99.1
Scan saved at 23:20:38, on 02.07.2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AntiVir PersonalEdition Classic\avguard.exe
E:\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Opera\Opera.exe
C:\Dokumente und Einstellungen\Auriflora\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von chello broadband n.v.
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {1d1b60fd-b21f-4b9a-8a5f-64e8544828d7} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {20ACCED3-E7BE-4175-9E5C-2BAB955789B5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - (no file)
O2 - BHO: (no name) - {BC5B0C83-56F4-4924-878C-C7035B93FF1B} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O2 - BHO: (no name) - {E710E0BB-FB74-4A43-9F31-E313FFFDE8EF} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Ulead Photo Express 5 SE Calendar Checker] C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcbxvu - ddcbxvu.dll (file missing)
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks very much for your help and the excellent description of what I have to do. I hope everything is all right with my computer now?
Regards, Jessie

Edited by Jessie21, 02 July 2007 - 04:26 PM.


#7 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts

Posted 03 July 2007 - 12:36 PM

Hallo Jessie21,

That is fine (that's okay) :thumbsup:

Let's continue with the fix:

Step #1

Please download Combofix from here: combofix.exe or here combofix.exe.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Step #2

Run HijackThis, press Scan, and put a check mark next to all these entries:

R3 - URLSearchHook: (no name) - {1d1b60fd-b21f-4b9a-8a5f-64e8544828d7} - (no file)
O2 - BHO: (no name) - {20ACCED3-E7BE-4175-9E5C-2BAB955789B5} - (no file)
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - (no file)
O2 - BHO: (no name) - {BC5B0C83-56F4-4924-878C-C7035B93FF1B} - (no file)
O2 - BHO: (no name) - {E710E0BB-FB74-4A43-9F31-E313FFFDE8EF} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O20 - Winlogon Notify: ddcbxvu - ddcbxvu.dll (file missing)
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Step #3

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Please now post back with a fresh HijackThis log and the combofix.txt log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -

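The entries the helper picked out in Step 2 of posts #4 and #7 follow a few recognisable patterns: hooks pointing at files that no longer exist, a service with no publisher, a text/html filter with no file behind it, rundll32 loading an oddly named System32 DLL, and Winlogon Notify DLLs with random-looking names. The script below is an added example (not part of this thread, HijackThis or the helper's tools) that applies those criteria to HijackThis 1.99 log lines; the sample lines are copied from the logs posted above, and the random-name test is an assumed heuristic.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread; it is not part of HijackThis and not the
helper's own tooling. It encodes the criteria visible in the helper's
Step 2 lists: hooks pointing at files that no longer exist, a service
with an unknown owner, a text/html filter with no file behind it,
rundll32 loading a random-looking System32 DLL, and Winlogon Notify
DLLs with random-looking names.
"""
import re
from dataclasses import dataclass, field

# Every HijackThis entry starts with its section code, e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<rest>.*)$")
# HijackThis marks dangling references with one of these two tags.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)")
# rundll32 together with the DLL it is told to load, quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str              # section code, e.g. "O20"
    line: str              # the original log line
    reasons: list = field(default_factory=list)


def looks_random(filename: str) -> bool:
    """Assumed heuristic, not a HijackThis rule: an all-lowercase, all-letter
    name of five or more characters with fewer than 30% vowels (tiqprvyr,
    phlinqbe, ddcbxvu) is treated as machine-generated."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.3


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(lines):
    """Return a Finding for every entry that matches at least one rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, process list or blank line
        kind = m.group("kind")
        reasons = []
        if MISSING_RE.search(line):
            reasons.append("references a file that no longer exists (orphaned hook)")
        if kind == "O23" and "Unknown owner" in line:
            reasons.append("service has no publisher name")
        if kind == "O18" and "Filter:" in line:
            reasons.append("MIME filter can rewrite every page of that type")
        if kind == "O20":
            # "O20 - Winlogon Notify: <key> - <dll> [(file missing)]"
            dll = line.split(" - ")[-1].split()[0]
            if looks_random(dll):
                reasons.append(f"Winlogon Notify DLL {dll} has a random-looking name")
        rd = RUNDLL_RE.search(line)
        if kind == "O4" and rd and looks_random(basename(rd.group("dll"))):
            reasons.append(f"rundll32 loads random-looking DLL {basename(rd.group('dll'))}")
        if reasons:
            findings.append(Finding(kind, line, reasons))
    return findings


# Sample lines copied from the logs posted in this thread (legitimate and
# suspicious entries mixed) so the script runs offline.
SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E710E0BB-FB74-4A43-9F31-E313FFFDE8EF} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tiqprvyr.dll",forkonce
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: ddcbxvu - ddcbxvu.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\phlinqbe.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f.kind, "|", f.line)
        for reason in f.reasons:
            print("    -", reason)
```

Run it against a full log saved from HijackThis (for example `triage(open("hijackthis.log").read().splitlines())`) and the five entries the helper listed come out flagged while the Java, NVIDIA and ZoneAlarm lines pass through.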

#8 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts

Posted 03 July 2007 - 02:09 PM

Hi Johannes, here are the new logs.

Logfile of HijackThis v1.99.1
Scan saved at 21:07:46, on 03.07.2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AntiVir PersonalEdition Classic\avguard.exe
E:\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Creative\ShareDLL\CtNotify.exe
C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programme\Creative\SBLive\Program\CTAvTray.EXE
C:\Programme\Java\jre1.6.0_01\bin\jusched.exe
C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Creative\ShareDLL\MediaDet.Exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Dokumente und Einstellungen\Auriflora\Desktop\HijackThis.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Ulead Photo Express 5 SE Calendar Checker] C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Programme\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Programme\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

"Auriflora" - 2007-07-03 20:40:27 - ComboFix 07-07-03.9   FAT32


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOKUME~1\ALLUSE~1\STARTM~1\PROGRA~1.\DriveCleaner Free
C:\DOKUME~1\AURIFL~1\Desktop\internet.lnk
C:\Dokumente und Einstellungen\AURIFL~1.\err.log
C:\Dokumente und Einstellungen\AURIFL~1.\ResErrors.log


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_NTIO256
-------\asc3550u
-------\ntio256


(((((((((((((((((((((((((   Files Created from 2007-06-03 to 2007-07-03  )))))))))))))))))))))))))))))))


2007-07-03 20:39	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-03 11:30	775,296	--a------	C:\WINDOWS\system32\drivers\emu10k1f.sys
2007-07-03 11:30	6,912	--a------	C:\WINDOWS\system32\drivers\ctlface.sys
2007-07-03 11:30	59,392	--a------	C:\WINDOWS\system32\a3d.dll
2007-07-03 11:30	57,344	--a------	C:\WINDOWS\system32\drivers\drmk.sys
2007-07-03 11:30	51,200	--a------	C:\WINDOWS\system32\sfman32.dll
2007-07-03 11:30	496,128	--a------	C:\WINDOWS\system32\sblfx.dll
2007-07-03 11:30	36,992	--a------	C:\WINDOWS\system32\drivers\sfman.sys
2007-07-03 11:30	3,584	--a------	C:\WINDOWS\system32\ctwdm32.dll
2007-07-03 11:30	25,600	--a------	C:\WINDOWS\system32\devldr32.exe
2007-07-03 11:30	135,040	--a------	C:\WINDOWS\system32\drivers\portcls.sys
2007-07-03 11:27	<DIR>	d--------	C:\Media
2007-07-03 11:26	73,728	--a------	C:\WINDOWS\system32\CTDrmRes.dll
2007-07-03 11:26	58,880	--a------	C:\WINDOWS\system32\CTDETRES.DLL
2007-07-03 11:26	44,032	--a------	C:\WINDOWS\system32\CTSVCCDA.EXE
2007-07-03 11:26	393,216	---------	C:\WINDOWS\system32\CTMedEng.dll
2007-07-03 11:26	32,768	--a------	C:\WINDOWS\system32\CTIntRes.dll
2007-07-03 11:26	307,200	---------	C:\WINDOWS\system32\CtMp3Lib.dll
2007-07-03 11:26	25,088	--a------	C:\WINDOWS\system32\CTSVCCTL.EXE
2007-07-03 11:26	24,576	--a------	C:\WINDOWS\system32\CTMERes.DLL
2007-07-03 11:26	155,648	---------	C:\WINDOWS\system32\CTDrmUI.dll
2007-07-03 11:26	110,592	---------	C:\WINDOWS\system32\ctmp3io2.dll
2007-07-03 08:54	98,816	--a------	C:\WINDOWS\system32\dmstyle.dll
2007-07-03 08:54	974,848	--a------	C:\WINDOWS\system32\dxdiag.exe
2007-07-03 08:54	80,896	--a------	C:\WINDOWS\system32\dpvsetup.exe
2007-07-03 08:54	8,192	--a------	C:\WINDOWS\system32\d3d8thk.dll
2007-07-03 08:54	797,184	--a------	C:\WINDOWS\system32\d3dim700.dll
2007-07-03 08:54	79,360	--a------	C:\WINDOWS\system32\dpwsockx.dll
2007-07-03 08:54	77,824	--a------	C:\WINDOWS\system32\dpmodemx.dll
2007-07-03 08:54	76,800	--a------	C:\WINDOWS\system32\dmscript.dll
2007-07-03 08:54	733,184	--a------	C:\WINDOWS\system32\qedwipes.dll
2007-07-03 08:54	723,968	--a------	C:\WINDOWS\system32\dpnet.dll
2007-07-03 08:54	7,424	--a------	C:\WINDOWS\system32\drivers\mskssrv.sys
2007-07-03 08:54	68,096	--a------	C:\WINDOWS\system32\dpnhupnp.dll
2007-07-03 08:54	667,648	--a------	C:\WINDOWS\system32\dinput8.dll
2007-07-03 08:54	648,704	--a------	C:\WINDOWS\system32\dinput.dll
2007-07-03 08:54	64,512	--a------	C:\WINDOWS\system32\amstream.dll
2007-07-03 08:54	602,624	--a------	C:\WINDOWS\system32\dx7vb.dll
2007-07-03 08:54	58,368	--a------	C:\WINDOWS\system32\dmcompos.dll
2007-07-03 08:54	5,248	--a------	C:\WINDOWS\system32\drivers\mspclock.sys
2007-07-03 08:54	491,520	--a------	C:\WINDOWS\system32\dsdmoprp.dll
2007-07-03 08:54	48,512	--a------	C:\WINDOWS\system32\drivers\stream.sys
2007-07-03 08:54	470,528	--a------	C:\WINDOWS\system32\qdvd.dll
2007-07-03 08:54	46,592	--a------	C:\WINDOWS\system32\dxdllreg.exe
2007-07-03 08:54	4,096	--a------	C:\WINDOWS\system32\drivers\swenum.sys
2007-07-03 08:54	4,096	---------	C:\WINDOWS\system32\ksuser.dll
2007-07-03 08:54	381,952	--a------	C:\WINDOWS\system32\dsound.dll
2007-07-03 08:54	381,952	--a------	C:\WINDOWS\system32\dpvoice.dll
2007-07-03 08:54	34,304	--a------	C:\WINDOWS\system32\mciqtz32.dll
2007-07-03 08:54	33,280	--a------	C:\WINDOWS\system32\dmloader.dll
2007-07-03 08:54	324,096	--a------	C:\WINDOWS\system32\mswebdvd.dll
2007-07-03 08:54	32,768	--a------	C:\WINDOWS\system32\dpnhpast.dll
2007-07-03 08:54	316,928	--a------	C:\WINDOWS\system32\qdv.dll
2007-07-03 08:54	31,744	--a------	C:\WINDOWS\system32\pid.dll
2007-07-03 08:54	3,072	--a------	C:\WINDOWS\system32\dpnlobby.dll
2007-07-03 08:54	3,072	--a------	C:\WINDOWS\system32\dpnaddr.dll
2007-07-03 08:54	292,864	--a------	C:\WINDOWS\system32\ddraw.dll
2007-07-03 08:54	28,160	--a------	C:\WINDOWS\system32\dplaysvr.exe
2007-07-03 08:54	27,136	--a------	C:\WINDOWS\system32\dmband.dll
2007-07-03 08:54	257,024	--a------	C:\WINDOWS\system32\qcap.dll
2007-07-03 08:54	24,064	--a------	C:\WINDOWS\system32\ddrawex.dll
2007-07-03 08:54	230,400	--a------	C:\WINDOWS\system32\dplayx.dll
2007-07-03 08:54	19,968	--a------	C:\WINDOWS\system32\dpvacm.dll
2007-07-03 08:54	186,880	--a------	C:\WINDOWS\system32\dsdmo.dll
2007-07-03 08:54	181,248	--a------	C:\WINDOWS\system32\dmime.dll
2007-07-03 08:54	18,432	--a------	C:\WINDOWS\system32\dswave.dll
2007-07-03 08:54	16,896	--a------	C:\WINDOWS\system32\dpnsvr.exe
2007-07-03 08:54	132,608	--a------	C:\WINDOWS\system32\devenum.dll
2007-07-03 08:54	130,304	--a------	C:\WINDOWS\system32\drivers\ks.sys
2007-07-03 08:54	13,312	--a------	C:\WINDOWS\system32\msdmo.dll
2007-07-03 08:54	122,880	--a------	C:\WINDOWS\system32\dmusic.dll
2007-07-03 08:54	112,128	--a------	C:\WINDOWS\system32\dpvvox.dll
2007-07-03 08:54	100,864	--a------	C:\WINDOWS\system32\dmsynth.dll
2007-07-03 08:54	1,962,496	--a------	C:\WINDOWS\system32\quartz.dll
2007-07-03 08:54	1,798,144	--a------	C:\WINDOWS\system32\qedit.dll
2007-07-03 08:54	1,294,336	--a------	C:\WINDOWS\system32\dsound3d.dll
2007-07-03 08:54	1,201,152	--a------	C:\WINDOWS\system32\d3d8.dll
2007-07-03 08:54	1,189,888	--a------	C:\WINDOWS\system32\dx8vb.dll
2007-07-02 22:37	24,576	--a------	C:\WINDOWS\system32\VundoFixSVC.exe
2007-07-02 22:35	<DIR>	d--------	C:\VundoFix Backups
2007-07-01 20:11	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-01 20:02	<DIR>	d--------	C:\!KillBox
2007-07-01 19:53	<DIR>	d--------	C:\Programme\RogueRemover
2007-06-30 17:13	<DIR>	d--------	C:\Programme\CCleaner
2007-06-30 17:07	<DIR>	d--hs----	C:\FOUND.002
2007-06-30 15:08	<DIR>	d--hs----	C:\FOUND.001
2007-06-30 15:04	<DIR>	d--------	C:\WINDOWS\Prefetch
2007-06-30 14:57	90,624	--a------	C:\WINDOWS\system32\msoert2.dll
2007-06-30 14:57	70,144	--a------	C:\WINDOWS\system32\acctres.dll
2007-06-30 14:57	593,920	--a------	C:\WINDOWS\system32\inetcomm.dll
2007-06-30 14:57	51,200	--a------	C:\WINDOWS\system32\inetres.dll
2007-06-30 14:57	228,864	--a------	C:\WINDOWS\system32\msoeacct.dll
2007-06-30 14:51	19,017	--a------	C:\WINDOWS\system32\drivers\RTL8029.sys
2007-06-30 14:47	24,661	--a------	C:\WINDOWS\system32\spxcoins.dll
2007-06-30 14:47	13,824	--a------	C:\WINDOWS\system32\irclass.dll
2007-06-30 12:09	<DIR>	d--hs----	C:\FOUND.000
2007-06-29 19:42	<DIR>	d--------	C:\DOKUME~1\ADMINI~1\ANWEND~1\Talkback
2007-06-29 19:41	0	--a------	C:\WINDOWS\nsreg.dat
2007-06-29 19:37	<DIR>	d--------	C:\WINDOWS\B6D5E63DEFF546169DB706D08F10B0C0.TMP
2007-06-29 19:27	<DIR>	dr-------	C:\DOKUME~1\ADMINI~1\Eigene Dateien


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 13:13:40	63,580	----a-w	C:\WINDOWS\system32\perfc007.dat
2007-06-30 13:13:40	391,000	----a-w	C:\WINDOWS\system32\perfh007.dat
2007-06-30 12:56:36	23,504	----a-w	C:\WINDOWS\system32\emptyregdb.dat
2007-04-22 07:25:56	12,288	----a-w	C:\WINDOWS\impborl.dll
2007-04-08 07:58:02	10	----a-w	C:\WINDOWS\smdat32m.sys
2007-04-05 18:15:56	144,357	----a-w	C:\WINDOWS\system32\atiicdxx.dat
2006-10-13 20:21:36	8	--sh--r	C:\WINDOWS\system32\823275592E.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-06-06 09:28	439872	--a------	C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-04-16 15:39	37808	---------	C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20ACCED3-E7BE-4175-9E5C-2BAB955789B5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 13:22	184423	--a------	C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
2004-08-13 17:42	155648	--a------	C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC5B0C83-56F4-4924-878C-C7035B93FF1B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
2006-01-17 16:04	282624	--a------	C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E710E0BB-FB74-4A43-9F31-E313FFFDE8EF}]
			C:\WINDOWS\System32\jkkjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"AHQInit"="C:\Programme\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 18:49]
"OpwareSE2"="C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
"Easy-PrintToolBox"="C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10]
"RemoteControl"="C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" [2006-07-11 12:06]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"Ulead Photo Express 5 SE Calendar Checker"="C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2006-09-04 14:57]
"DAEMON Tools-1033"="C:\Programme\D-Tools\daemon.exe" [2004-08-22 17:05]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2006-10-30 09:10]
"avgnt"="E:\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"Disc Detector"="C:\Programme\Creative\ShareDLL\CtNotify.exe" [1999-08-30 01:55]
"AudioHQ"="C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 17:01]
"CTAvTray"="C:\Programme\Creative\SBLive\Program\CTAvTray.EXE" [2000-09-26 19:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-05 08:29]
"MsnMsgr"="C:\Programme\MSN Messenger\MsnMsgr.exe" [2006-01-24 20:23]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2006-07-31 11:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Programme\ICQLite\ICQLite.exe -trayboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Programme\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbxvu]
ddcbxvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 20:47:37
Windows 5.1.2600  FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 20:48:36
C:\ComboFix-quarantined-files.txt ... 2007-07-03 20:48

	--- E O F ---

Thank you!
Jessie

#9 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:01:03 AM

Posted 03 July 2007 - 03:18 PM

Hi Jessie21,

PC looks much better now.

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

Close all other windows and browsers, and press the Fix Checked button.

Step #2
  • Go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-yyyymmdd-hhmmss.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

Please post back with the AVG Antispyware report (Report-Scan-yyyymmdd-hhmmss.txt).

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
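Step #1 above picks out a toolbar entry by hand because its DLL no longer exists, which is exactly the kind of check that can be automated. The block below is an added example, not code from the thread or from HijackThis itself: it parses the R/O lines of a HijackThis v1.99 log and flags entries whose referenced file is missing, browser add-ons registered with no name, and services with no vendor string. The sample log is a constructed handful of lines modelled on the log posted above; the rule set and the `Entry` class are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, modelled on the HijackThis v1.99.1 log posted
# in this thread (a handful of lines, not the whole log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 18:35:42, on 18.07.2007

Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programme\\Java\\jre1.6.0_01\\bin\\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [avgnt] "E:\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZONELABS\\vsmon.exe
"""

# Every HijackThis item starts with its section tag, e.g. "O3 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path on the line, quoted or not, ending in a loadable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|sys|cpl)", re.IGNORECASE)
# The two markers HijackThis prints when it cannot find the referenced file.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str          # e.g. "O3"
    body: str             # everything after "O3 - "
    guid: Optional[str]   # CLSID if the line carries one
    path: Optional[str]   # first file path found on the line, if any
    file_missing: bool    # HijackThis could not find the referenced file
    reasons: List[str] = field(default_factory=list)


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn the R/O lines of a HijackThis log into Entry objects.
    Header lines and the running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            guid=guid.group(0) if guid else None,
            path=path.group(0) if path else None,
            file_missing=any(mk in body for mk in MISSING_MARKERS),
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Apply the checks a helper does by eye and return the entries worth a look.
    An entry may match several rules; every reason is recorded."""
    flagged = []
    for e in entries:
        if e.file_missing:
            # Nothing loads from a missing file, so the entry is dead weight;
            # this is the condition Step #1 above removes by hand.
            e.reasons.append("references a file that no longer exists")
        if e.section in ("O2", "O3") and "(no name)" in e.body:
            # Legitimate BHOs and toolbars register a display name.
            e.reasons.append("browser add-on registered without a name")
        if e.section == "O23" and "Unknown owner" in e.body:
            # Services from a real vendor carry a company string.
            e.reasons.append("service has no vendor information")
        if e.reasons:
            flagged.append(e)
    return flagged


def report(text: str) -> List[str]:
    """One line per flagged entry, in the form a helper would quote back."""
    return [f"{e.section} {e.guid or '-'}: {'; '.join(e.reasons)}"
            for e in triage(parse_hijackthis(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the constructed sample this flags three entries: the unnamed O3 toolbar with no file, the msnim protocol handler whose DLL is missing, and the "ATI Smart" service with neither a file nor a vendor. Entries that merely look unusual (odd DLL names, unsigned vendors) still need a human decision; the rules here only surface the cases where the log itself already says the file is gone.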


#10 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 17 July 2007 - 03:16 PM

Hi Johannes,
I was on holiday, sorry for my late response!
Here's the AVG Log, it's very short:

---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

 + Erstellt um:	21:09:05 17.07.2007

 + Scan-Ergebnis:	



C:\Dokumente und Einstellungen\Auriflora\Cookies\auriflora@atdmt[2].txt -> TrackingCookie.Atdmt : Gesäubert.
C:\Dokumente und Einstellungen\Auriflora\Cookies\auriflora@doubleclick[1].txt -> TrackingCookie.Doubleclick : Gesäubert.
C:\Dokumente und Einstellungen\Auriflora\Cookies\auriflora@ivwbox[1].txt -> TrackingCookie.Ivwbox : Gesäubert.
C:\Dokumente und Einstellungen\Auriflora\Cookies\auriflora@oewabox[1].txt -> TrackingCookie.Oewabox : Gesäubert.


::Berichtende


I wanted to transfer pics from the digicam to the PC but it doesn't work anymore; transfer from the webcam and mobile phone doesn't work either. Are the infections the reason for this?
2 weeks ago it still worked, as far as I know..

Thanks very much,
Jessie

Edited by Jessie21, 17 July 2007 - 03:17 PM.


#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:01:03 AM

Posted 18 July 2007 - 07:21 AM

Hi Jessie21,

I am not sure why your software does not seem to work any more. I suggest you uninstall / reinstall the software.
If that does not work, please give more details about your problem.

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Please post back with a fresh HijackThis log and the F-secure report.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#12 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 18 July 2007 - 11:35 AM

I followed your instructions, here are the new logs. After restarting I will try to connect the cam again; if it doesn't work I will post again what the problem is.

Scanning Report
Wednesday, July 18, 2007 17:53:17 - 18:33:54

Computer name: KAUFIPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ G:\
Result: 13 malware found
AltnetBDE (spyware)

	* System (Disinfected) 

BrilliantDigital (spyware)

	* System (Disinfected) 

RXToolbar (spyware)

	* System (Disinfected) 

TopSearch (spyware)

	* System (Disinfected) 

Tracking Cookie (spyware)

	* System (Disinfected)
	* System
	* System
	* System
	* System
	* System
	* System
	* System 

Vundo.gen38 (virus)

	* C:\WINDOWS\SYSTEM32\MBMXGXUH.INI (Submitted) 

Statistics
Scanned:

	* Files: 27261
	* System: 13138
	* Not scanned: 3 

Actions:

	* Disinfected: 5
	* Renamed: 0
	* Deleted: 0
	* None: 8
	* Submitted: 1 

Files not scanned:

	* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
	* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
	* D:\PAGEFILE.SYS 

Options
Scanning engines:

	* F-Secure Libra: 2.4.2, 2007-07-18
	* F-Secure AVP: 7.0.171, 2007-07-18
	* F-Secure Orion: 1.2.37, 2007-07-18
	* F-Secure Blacklight: 1.0.64
	* F-Secure Draco: 1.0.35, 0260-23-12
	* F-Secure Pegasus: 1.19.0, 2007-06-17 

Scanning options:

	* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
	* Use Advanced heuristics 


Logfile of HijackThis v1.99.1
Scan saved at 18:35:42, on 18.07.2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AntiVir PersonalEdition Classic\avguard.exe
E:\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Creative\ShareDLL\CtNotify.exe
C:\Programme\Creative\ShareDLL\MediaDet.Exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Programme\Creative\SBLive\Program\CTAvTray.EXE
C:\Programme\Java\jre1.6.0_01\bin\jusched.exe
C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Opera\Opera.exe
C:\Programme\internet explorer\iexplore.exe
C:\DOKUME~1\AURIFL~1\LOKALE~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOKUME~1\AURIFL~1\LOKALE~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Programme\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\Auriflora\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.5000.1021\de-at\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Ulead Photo Express 5 SE Calendar Checker] C:\Programme\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Programme\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Programme\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks, Jessie
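As an added example (not part of the thread and not HijackThis code), here is a small Python triage script for log lines in the format shown above. The helpers in the forum check the same things by eye: entries that point at a file that no longer exists, O23 services with no recognised vendor, autoruns launched from a temporary folder, and O17 name-server overrides that should be checked against the ISP's real resolvers. The sample log is constructed: its lines are copied from the thread's log except the `[updater]` entry, which I added to exercise the temp-folder check.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus one invented "[updater]" autorun so the temp-folder rule has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - HKCU\..\Run: [updater] C:\WINDOWS\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D4C8B7A-D799-4D28-BF65-6611B85C80B5}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 registry autoruns: HKLM\..\Run: [name] command
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O17_RE = re.compile(r"NameServer = (.+)$")
# O23 services: Service: display name - vendor - path
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
# First executable path in a command line, quoted or not.
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat))"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\|\\tmp\\|%temp%", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into code, name, owner and path fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.group(1), m.group(2)
    entry = {"code": code, "name": rest, "path": "", "owner": ""}
    if code == "O4":
        m4 = O4_RE.match(rest)
        if m4:
            entry["name"] = m4.group(3)
            mp = PATH_RE.match(m4.group(4))
            entry["path"] = mp.group(1) if mp else m4.group(4)
    elif code == "O17":
        m17 = O17_RE.search(rest)
        if m17:
            entry["name"] = m17.group(1)
    elif code == "O23":
        m23 = O23_RE.match(rest)
        if m23:
            entry["name"], entry["owner"], entry["path"] = m23.groups()
    return entry


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (code, item, reason) findings worth a second look by a human."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_line(line) if line else None
        if entry is None:
            continue
        if "(file missing)" in line:
            # Stale entry: harmless by itself, but leftover from an uninstall or a removal.
            findings.append((entry["code"], entry["name"], "file-missing"))
        if entry["code"] == "O23" and entry["owner"] == "Unknown owner":
            # Service binary without a recognised vendor: verify the file's origin.
            findings.append((entry["code"], entry["name"], "unknown-vendor"))
        if entry["code"] == "O17":
            # Name servers set on the adapter: confirm they belong to the ISP.
            findings.append((entry["code"], entry["name"], "dns-override"))
        if entry["code"] == "O4" and TEMP_RE.search(entry["path"]):
            # Legitimate software rarely autostarts from a temp folder.
            findings.append((entry["code"], entry["name"], "temp-autorun"))
    return findings


if __name__ == "__main__":
    for code, item, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:15} {item}")
```

The script only ranks entries for a human to look at; it deliberately does not decide what to delete, because, as the thread shows, the same "file missing" entry can be an uninstall leftover or the trace of a removed infection.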

#13 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 19 July 2007 - 12:52 PM

Hi Jessie21,

:thumbsup: ! Looking much better now.

Step #1

Please navigate to Freenet.de - Service Pack 2 (DE) and download the German update files by clicking "download starten."
Have it install the updates completely.

You should also consider updating your Internet Explorer to Version 7, as this also reduces chances of reinfection (even better would be to concentrate on alternative browsers such as Opera and Firefox).

Step #2

* Clean your Cache and Cookies in InternetExplorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #3

Now please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Also have a read on this one: So How did I get infected?

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site; you were lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
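The Hosts-file step above comes with a caveat that is easy to get wrong: a downloaded block list silently overrides any custom entries you already had. As an added example (not part of the thread and not HostsMan's code), the following Python merges a block list into an existing hosts file, keeps the user's own mappings, reports the conflicts instead of overwriting them, and can be re-run without duplicating its own section. Both the existing hosts file and the block list are constructed samples, and the `.invalid` hostnames are placeholders.

```python
from typing import List, Optional, Tuple

# Unroutable sink for blocked names; 127.0.0.1 would instead hit any local web server.
SINK = "0.0.0.0"
MARKER = "# --- merged block list (managed section) ---"

# Constructed sample of a user's hosts file with one custom entry.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.lan    # custom entry
"""

# Constructed sample block list; hostnames are placeholders, and the last
# line deliberately collides with the custom entry above.
BLOCK_LIST = """\
# hypothetical block list
127.0.0.1  ads.example.invalid
0.0.0.0    tracker.example.invalid
127.0.0.1  fileserver.lan
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, skipping comments and blank lines."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line without a hostname
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def lookup(text: str, name: str) -> Optional[str]:
    """First matching address for a hostname, as the resolver would pick it."""
    for ip, host in parse_hosts(text):
        if host == name.lower():
            return ip
    return None


def merge_hosts(existing: str, blocklist: str, sink: str = SINK) -> Tuple[str, List[str]]:
    """Append the block list under a managed marker; user entries win on conflict."""
    # Anything below the marker is ours from an earlier run: discard and rebuild it.
    base = existing.split(MARKER, 1)[0].rstrip("\n")
    custom = {name: ip for ip, name in parse_hosts(base)}
    conflicts: List[str] = []
    blocked: List[str] = []
    seen = set()
    for _ip, name in parse_hosts(blocklist):
        if name in seen:
            continue  # duplicate in the block list
        seen.add(name)
        if name in custom:
            conflicts.append(name)  # keep the user's mapping, report it
            continue
        blocked.append(name)
    lines = [base, "", MARKER]
    lines += [f"{sink} {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n", conflicts


if __name__ == "__main__":
    merged, clashes = merge_hosts(EXISTING_HOSTS, BLOCK_LIST)
    print(merged)
    print("kept custom entries for:", clashes)
```

Every blocked name is rewritten to the sink address regardless of what the list used, so a list entry cannot redirect a hostname to an arbitrary address; that is the one change a merge should make beyond copying names.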


#14 Jessie21

Jessie21
  • Topic Starter

  • Members
  • 8 posts

Posted 16 August 2007 - 08:24 AM

Hi Johannes,
I'm too late to say happy birthday to you, hope you had a fine party!

I hadn't time to come here sooner, so I did the last steps, hope the PC is now safe :thumbsup:

Don't know how to thank you, everything works now, great!

Thank you!!!!
I think some time I'll be back for sure, for whatever problem *gg*

Jessie

#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 16 August 2007 - 11:05 AM

Thanks and you are quite welcome :thumbsup:
Feel free to come back and ask questions. Just make sure you won't get a regular customer in the HJT area :huh: :flowers: .
Hope you had a great birthday.

Johannes
