
Solved Trojan Vundo Activity

Discussion in 'Malware and Virus Removal Archive' started by badhero, 2008/03/19.

  1. 2008/03/19
    badhero (Thread Starter)

    [Resolved] Trojan Vundo Activity

    Hi there,
    for several days now I have had the Norton AntiVirus notice about Trojan Vundo Activity.
    I checked some forums on Google for how to remove it and used VundoFix. I ran it 2 times, and it removed 3 files the first time and 2 files the second time. One of them it couldn't remove instantly, so after rebooting it told me to run it again and then it fixed it. Since then I always get a notice at startup that the module C:\WINDOWS\system32\tpbdoevd.dll could not be found. This file was deleted by VundoFix at reboot.
    After that I always get pop-ups in Internet Explorer.

    Here is what I've got:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:43:19, on 19.03.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\Programme\Cherry\KeyMan\KeyMan.exe
    C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programme\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
    C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    D:\Programme\UniKey\UniKey.exe
    D:\Programme\Veoh Networks\Veoh\VeohClient.exe
    C:\Programme\Cyberlink\Shared files\RichVideo.exe
    D:\Programme\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    C:\Programme\Cherry\CDI\cdi.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    D:\Programme\hijackthis\HijackThis.exe
    C:\Programme\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.at
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tuwien.ac.at/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Google Notizbuch - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [6401e18c] rundll32.exe "C:\WINDOWS\system32\tpbdoevd.dll",b
    O4 - HKLM\..\Run: [BM6732d210] Rundll32.exe "C:\WINDOWS\system32\opwnbqif.dll",s
    O4 - HKLM\..\RunServices: [nthcfs] C:\WINDOWS\system32\nthcfs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [UniKey] D:\Programme\UniKey\UniKey.exe
    O4 - HKCU\..\Run: [Veoh] "D:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - Global Startup: Photo Loader resident.lnk = D:\Programme\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Notiz erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu2.html
    O8 - Extra context menu item: Notiz mit dieser Seite erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu1.html
    O8 - Extra context menu item: Send to Keyman - C:\Programme\Cherry\KeyMan\IEMenuExtKeyman.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=www.tuwien.ac.at
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///D:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163005242531
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///D:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe



    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, March 19, 2008 6:13:08 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/03/2008
    Kaspersky Anti-Virus database records: 640079
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 194367
    Number of viruses found: 6
    Number of infected objects: 16
    Number of suspicious objects: 0
    Duration of the scan process: 02:51:30

    Infected Object Name / Virus Name / Last Action
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink\BDNAV\BRF.dat Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Confid.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Content.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Privacy.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Restrict.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\WebHist.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\LiveUpdate\2008-03-19_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Cherry\KeyMan\Common.csf Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Cherry\KeyMan\CyMotionMasterXPress.csf Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\cert8.db Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\flashgot.log Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\formhistory.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\history.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\key3.db Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\search.sqlite Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\urlclassifier2.sqlite Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Temp\~DF58C6.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Temp\~DFC9B4.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\ntuser.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029675.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\change.log Object is locked skipped
    C:\VundoFix Backups\geeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\gebyxxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\mljgf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\nthcfs.exe Infected: Rootkit.Win32.Agent.vb skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6E152E95 Infected: Exploit.Java.Gimsh.a skipped
    D:\Programme\Veoh Networks\Veoh\client.log Object is locked skipped
    D:\Programme\Veoh Networks\Veoh\upload.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029292.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029712.exe Infected: not-a-virus:pSWTool.Win32.PdfCracker.c skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe RarSFX: infected - 4 skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029717.exe/file01 Infected: not-a-virus:pSWTool.Win32.PdfCracker.c skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029717.exe Inno: infected - 1 skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029718.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\change.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\change.log Object is locked skipped

    Scan process completed.


    Please help me!
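An added example, not part of the thread and not code from any of the tools named in it: a small Python triage script that applies the checks a helper would run over the two logs above. For the HijackThis O4 entries it flags the three patterns that give Vundo away here (a hex-looking value name such as `6401e18c`, rundll32 loading a system32 DLL with a random lowercase name and a one-letter export, and a third-party entry under the Windows 9x-era RunServices key), and for the Kaspersky report it separates detections that are still live on disk from those sitting in restore points, AV quarantine or VundoFix's backup folder. The sample inputs are constructed from lines quoted above; the name-length and export-length thresholds are my assumptions, not a published signature.

```python
import re
from collections import Counter

# Constructed sample for this example: the O4 autostart entries from the HijackThis
# log above, with the stray spaces the forum rendering inserted inside the quotes removed.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [6401e18c] rundll32.exe "C:\WINDOWS\system32\tpbdoevd.dll",b
O4 - HKLM\..\Run: [BM6732d210] Rundll32.exe "C:\WINDOWS\system32\opwnbqif.dll",s
O4 - HKLM\..\RunServices: [nthcfs] C:\WINDOWS\system32\nthcfs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: a subset of the "Infected" lines from the Kaspersky report above,
# plus one locked-object line to show that verdict-less lines are ignored.
KAV_SAMPLE = r"""
C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029675.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\geeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gebyxxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mljgf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nthcfs.exe Infected: Rootkit.Win32.Agent.vb skipped
D:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6E152E95 Infected: Exploit.Java.Gimsh.a skipped
D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S*)$', re.I)
HEXNAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,}$", re.I)   # e.g. 6401e18c, BM6732d210 (assumed pattern)
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")


def triage_o4(line):
    """Return the reasons an O4 line looks like a Vundo-style loader ([] means nothing stood out)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    if HEXNAME_RE.match(m["name"]):
        reasons.append("value name is a random hex token rather than a product name")
    if m["key"].lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key; a third-party entry there on XP is a red flag")
    r = RUNDLL_RE.match(m["cmd"])
    if r:
        stem = r["dll"].rsplit("\\", 1)[-1][:-4]           # "tpbdoevd" from "...\tpbdoevd.dll"
        if "\\system32\\" in r["dll"].lower() and len(r["export"]) == 1 and re.fullmatch(r"[a-z]{5,8}", stem):
            reasons.append("rundll32 loads a system32 DLL with a random lowercase name and a one-letter export")
    return reasons


def triage_log(text):
    """Map value name -> reasons for every autostart entry that tripped a heuristic."""
    flagged = {}
    for line in text.strip().splitlines():
        reasons = triage_o4(line)
        if reasons:
            flagged[O4_RE.match(line.strip())["name"]] = reasons
    return flagged


def classify_location(path):
    """Is the detection somewhere that still executes, or in a holding area?"""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"            # inert until System Restore is used; flush by toggling it off and on
    if "\\quarantine\\" in p:
        return "AV quarantine"            # already contained by the resident AV
    if "vundofix backups" in p:
        return "removal-tool backup"      # copy kept by VundoFix; delete once the machine is clean
    return "ACTIVE"


def summarize_kav(text):
    """Return (active detections as (path, verdict) pairs, Counter of detections per location class)."""
    active, counts = [], Counter()
    for line in text.strip().splitlines():
        m = KAV_RE.match(line.strip())
        if not m:                         # locked / skipped objects carry no verdict
            continue
        loc = classify_location(m["path"])
        counts[loc] += 1
        if loc == "ACTIVE":
            active.append((m["path"], m["verdict"]))
    return active, counts


if __name__ == "__main__":
    for name, reasons in triage_log(HJT_SAMPLE).items():
        print(f"[{name}]")
        for why in reasons:
            print("   -", why)
    active, counts = summarize_kav(KAV_SAMPLE)
    print(dict(counts))
    for path, verdict in active:
        print("STILL LIVE:", path, "->", verdict)
```

Run against the samples it flags exactly the three entries a helper would ask about (`6401e18c`, `BM6732d210`, `nthcfs`) and reports three still-live files in system32, which is the set that needs an actual fix; the restore-point, quarantine and VundoFix-backup hits are cleanup items, not active infections.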
     
  2. 2008/03/19
    noahdfear

    Welcome to WindowsBBS, badhero :)

    First, you need to get an updated version of HijackThis. Please uninstall your current copy, then download the HijackThis Installer from here and install it.

    Next, download ComboFix by sUBs from here, saving the file to your desktop.

    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double-click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     

  3. 2008/03/20
    badhero (Thread Starter)

    Here it is:

    ComboFix 08-03-18.1 - Dang Xuan Bach 2008-03-20 11:52:19.1 - NTFSx86
    Running from: C:\Dokumente und Einstellungen\Dang Xuan Bach\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM6732d210.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\ahoyrchx.dll
    C:\WINDOWS\system32\fgjlm.ini
    C:\WINDOWS\system32\fgjlm.ini2
    C:\WINDOWS\system32\gebyxxx.dll
    C:\WINDOWS\system32\jtvkildo.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\odlikvtj.ini
    C:\WINDOWS\system32\opwnbqif.dll
    C:\WINDOWS\system32\qdifqurw.dll
    C:\WINDOWS\system32\wdrfgkjn.dll

    .
    ((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 ))))))))))))))))))))))))))))))
    .

    2008-03-19 11:11 . 2008-03-19 11:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-19 11:11 . 2008-03-19 11:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
    2008-03-19 10:22 . 2008-03-19 10:46 <DIR> d-------- C:\VundoFix Backups
    2008-03-14 09:36 . 2008-03-14 23:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-14 09:36 . 2008-03-14 09:36 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-10 23:33 . 2008-03-10 23:33 4 --a------ C:\WINDOWS\system32\msvcrt53.dll
    2008-03-10 23:27 . 2008-03-10 23:27 75 --a------ C:\WINDOWS\winDecrypt.INI
    2008-02-26 19:47 . 2008-02-26 20:21 <DIR> d-------- C:\Dokumente und Einstellungen\Dang Xuan Bach\.spss
    2008-02-26 19:43 . 2008-02-26 19:43 1,024 --a------ C:\WINDOWS\system32\grcauth2.dll
    2008-02-26 19:43 . 2008-02-26 19:43 1,024 --a------ C:\WINDOWS\system32\grcauth1.dll
    2008-02-26 19:43 . 2008-03-03 10:22 114 --a------ C:\WINDOWS\system32\prsgrc.tgz
    2008-02-26 19:43 . 2008-03-03 10:22 100 --a------ C:\WINDOWS\system32\prsgrc.dll
    2008-02-26 18:54 . 2008-02-26 18:54 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel
    2008-02-26 18:52 . 2008-02-26 18:52 <DIR> d-------- C:\Programme\Gemeinsame Dateien\SPSS
    2008-02-26 18:52 . 2008-02-26 18:52 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
    2008-02-26 18:52 . 2008-02-26 18:52 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
    2008-02-26 18:52 . 2008-03-03 10:20 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
    2008-02-26 18:52 . 2008-03-03 10:20 205 --a------ C:\WINDOWS\system32\lsprst7.dll
    2008-02-26 18:52 . 2008-03-03 10:20 16 ---h----- C:\WINDOWS\system32\servdat.slm
    2008-02-26 16:04 . 2008-02-26 16:04 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-20 10:30 --------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
    2008-03-17 20:57 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Azureus
    2008-03-14 08:39 --------- d-----w C:\Programme\Gemeinsame Dateien\DVDVIDEOSOFT
    2008-03-08 10:22 154,368 ----a-w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\GDIPFONTCACHEV1.DAT
    2008-03-05 18:31 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\concept design
    2008-02-26 12:27 --------- d--h--w C:\Programme\InstallShield Installation Information
    2008-02-03 22:48 --------- d-----w C:\Programme\Gemeinsame Dateien\xing shared
    2008-02-03 22:48 --------- d-----w C:\Programme\Gemeinsame Dateien\Real
    2008-02-01 21:16 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\CyberLink
    2008-02-01 21:15 --------- d-----w C:\Programme\Cyberlink
    2008-02-01 21:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink
    2008-02-01 20:31 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Recisio
    2008-02-01 20:22 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\dvdcss
    2008-01-31 15:59 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Ditto
    2008-01-22 13:30 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Winamp
    2008-01-21 23:34 --------- d-----w C:\Programme\Gemeinsame Dateien\NSV
    2008-01-21 20:16 --------- d-----w C:\Programme\Winamp Remote
    2008-01-21 20:16 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OrbNetworks
    2006-05-06 16:42 7,260,160 ----a-w C:\Programme\mozilla firefox\plugins\libvlc.dll
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    .

    (((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55F6E5EA-C191-4FDB-BD9E-58CC23A0414B}]
    C:\WINDOWS\system32\geeby.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "msnmsgr"="C:\Programme\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "Yahoo! Pager"="D:\Programme\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [ ]
    "UniKey"="D:\Programme\UniKey\UniKey.exe" [2005-08-16 12:18 180224]
    "Veoh"="D:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-02-22 21:42 3537968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 20:06 7311360]
    "nwiz"="nwiz.exe" [2005-12-09 20:06 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 20:06 86016]
    "ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2006-03-30 15:46 71304]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-08 17:56 100056]
    "CherryKeyMan"="C:\Programme\Cherry\KeyMan\KeyMan.exe" [2005-12-22 09:50 254004]
    "SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
    "QuickTime Task"="D:\Programme\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "Sony Ericsson PC Suite"="D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:00 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 04:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
    "BDRegion"="C:\Programme\Cyberlink\Shared Files\brs.exe" [2007-11-16 19:20 91432]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "nthcfs"="C:\WINDOWS\system32\nthcfs.exe" [2008-01-25 19:51 131072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:00 15360]
    "Picasa Media Detector"="D:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 22:18 443968]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyxxx]
    gebyxxx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Programme\\concept design\\onlineTV 4\\onlineTV.exe"=

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-11-08 22:43:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Programme\Apple Software Update\SoftwareUpdate.exe
    "2006-11-08 15:46:55 C:\WINDOWS\Tasks\Norton AntiVirus - Meinen Computer prüfen.job"



    ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:09, on 2008-03-20
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\Programme\Cherry\KeyMan\KeyMan.exe
    C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programme\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    D:\Programme\UniKey\UniKey.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    D:\Programme\Veoh Networks\Veoh\VeohClient.exe
    D:\Programme\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programme\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    C:\Programme\Cherry\CDI\cdi.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    D:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programme\Messenger\msmsgs.exe
    D:\Programme\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tuwien.ac.at/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {55F6E5EA-C191-4FDB-BD9E-58CC23A0414B} - C:\WINDOWS\system32\geeby.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Google Notizbuch - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\RunServices: [nthcfs] C:\WINDOWS\system32\nthcfs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Programme\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [UniKey] D:\Programme\UniKey\UniKey.exe
    O4 - HKCU\..\Run: [Veoh] "D:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: Photo Loader resident.lnk = D:\Programme\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Notiz erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu2.html
    O8 - Extra context menu item: Notiz mit dieser Seite erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu1.html
    O8 - Extra context menu item: Send to Keyman - C:\Programme\Cherry\KeyMan\IEMenuExtKeyman.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=www.tuwien.ac.at
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///D:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163005242531
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///D:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: gebyxxx - gebyxxx.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 13433 bytes
     
  5. 2008/03/22
    noahdfear

    My apologies for the delayed response. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\nthcfs.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55F6E5EA-C191-4FDB-BD9E-58CC23A0414B}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "nthcfs"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyxxx]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.
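A small triage script, added here as an example (it is not part of the thread, and not ComboFix or HijackThis code): it reads HijackThis lines of the kind posted above, flags the three Vundo indicators noahdfear's CFScript targets (a BHO whose DLL is already gone, a RunServices entry, a Winlogon Notify package) and drafts the matching File::/Registry:: directives for a human to review. The sample input is copied from the log above. Assumptions: the full registry paths behind HijackThis's `HKLM\..\RunServices` and `Winlogon Notify` shorthand are the standard XP keys spelled out in FULL_KEYS (the post's script uses ComboFix's `HKEY_LOCAL_MACHINE\~\...` shorthand for the same BHO key), and the Winlogon allowlist is a starting point, not a complete list.

```python
"""Triage HijackThis lines for the Vundo indicators targeted in this thread and
draft the matching CFScript directives.  Added example, not ComboFix/HijackThis
code.  Sample input is copied from the HijackThis log posted above."""
import re
from collections import namedtuple

# Sample input: lines copied from the log above (the Adobe BHO and ccApp lines
# are clean entries kept as controls).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55F6E5EA-C191-4FDB-BD9E-58CC23A0414B} - C:\WINDOWS\system32\geeby.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [nthcfs] C:\WINDOWS\system32\nthcfs.exe
O20 - Winlogon Notify: gebyxxx - gebyxxx.dll (file missing)
""".strip()

# Assumption: HijackThis's shorthand expands to these standard XP keys
# (the post's CFScript uses ComboFix's "HKEY_LOCAL_MACHINE\~\..." shorthand for the BHO key).
FULL_KEYS = {
    "BHO": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "RunServices": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    "Notify": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
}
# Starting allowlist of vendor Winlogon Notify packages (lowercase); extend it
# for the machine at hand.  HijackThis already hides the Microsoft defaults.
KNOWN_NOTIFY_DLLS = {"igfxdev.dll", "igfxcui.dll", "navlogon.dll", "wgalogon.dll", "atiextevent.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUNSVC_RE = re.compile(r"^O4 - HKLM\\\.\.\\RunServices: \[(?P<value>[^\]]+)\] (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")
# Heuristic only: Vundo drops DLLs with short random lowercase names into system32.
RANDOM_SYS32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{5,8}\.dll$")

Finding = namedtuple("Finding", "line reason file registry")


def _split_missing(path):
    """Return (path, True) when HijackThis marked the file as already gone."""
    tag = " (file missing)"
    return (path[:-len(tag)], True) if path.endswith(tag) else (path, False)


def triage(hjt_text):
    """Flag suspicious O2 / O4-RunServices / O20 lines.  Each Finding carries the
    reason, the file to hand to File:: (only if it is still on disk) and the
    REGEDIT4 lines for Registry::."""
    findings = []
    for line in (l.strip() for l in hjt_text.splitlines()):
        m = BHO_RE.match(line)
        if m:
            path, missing = _split_missing(m["path"])
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if missing:
                reasons.append("DLL already deleted but CLSID still registered")
            if RANDOM_SYS32_DLL.match(path.lower()):
                reasons.append("random-looking lowercase DLL name in system32 (heuristic)")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons), None if missing else path,
                                        ["[-%s\\%s]" % (FULL_KEYS["BHO"], m["clsid"])]))
            continue
        m = RUNSVC_RE.match(line)
        if m:
            path, missing = _split_missing(m["path"])
            findings.append(Finding(line, "RunServices is a Windows 9x-era key that legitimate XP software rarely uses",
                                    None if missing else path,
                                    ["[%s]" % FULL_KEYS["RunServices"], '"%s"=-' % m["value"]]))
            continue
        m = NOTIFY_RE.match(line)
        if m and (m["missing"] or m["dll"].lower() not in KNOWN_NOTIFY_DLLS):
            reason = ("Winlogon Notify DLL missing on disk, key left behind" if m["missing"]
                      else "Winlogon Notify package not in the allowlist")
            # HijackThis shows only the DLL basename, so no File:: entry; remove the key.
            findings.append(Finding(line, reason, None, ["[-%s\\%s]" % (FULL_KEYS["Notify"], m["sub"])]))
    return findings


def build_cfscript(findings):
    """Render File:: and Registry:: sections in the form used in the post."""
    files = [f.file for f in findings if f.file]
    reg = [r for f in findings for r in f.registry]
    out = []
    if files:
        out += ["File::"] + files
    if reg:
        out += ["Registry::"] + reg
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print("FLAG:", f.line, "\n  why:", f.reason)
    print("\nDraft CFScript.txt (review before dropping it onto ComboFix.exe):\n")
    print(build_cfscript(found), end="")
```

The `File::` list only receives paths that still exist; an entry marked `(file missing)` gets its registry key removed and nothing else, which is why the draft matches the script in the post line for line apart from the spelled-out key names. Treat the output as a draft for a human to check: ComboFix deletes exactly what it is handed, and the allowlist and the "random name" rule are heuristics, not proof.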
     
  6. 2008/03/25
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    Hi, no problem. I was on vacation for some days anyway. Here are the new logs:

    ComboFix 08-03-18.1 - Dang Xuan Bach 2008-03-25 23:53:21.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1559 [GMT 1:00]
    Running from:: C:\Dokumente und Einstellungen\Dang Xuan Bach\Desktop\ComboFix.exe
    Command switches used :: C:\Dokumente und Einstellungen\Dang Xuan Bach\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\nthcfs.exe
    .

    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\lsprst7.dll
    C:\WINDOWS\system32\msvcrt53.dll
    C:\WINDOWS\system32\nthcfs.exe
    C:\WINDOWS\system32\prsgrc.dll
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\BM6732d210.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\ahoyrchx.dll
    C:\WINDOWS\system32\fgjlm.ini
    C:\WINDOWS\system32\fgjlm.ini2
    C:\WINDOWS\system32\gebyxxx.dll
    C:\WINDOWS\system32\jtvkildo.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\odlikvtj.ini
    C:\WINDOWS\system32\opwnbqif.dll
    C:\WINDOWS\system32\qdifqurw.dll
    C:\WINDOWS\system32\wdrfgkjn.dll

    .
    ((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 ))))))))))))))))))))))))))))))
    .

    2008-03-21 12:13 . 2008-03-21 12:13 <DIR> d-------- C:\Programme\NMQ Reader
    2008-03-19 11:11 . 2008-03-19 11:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-19 11:11 . 2008-03-19 11:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
    2008-03-19 10:22 . 2008-03-19 10:46 <DIR> d-------- C:\VundoFix Backups
    2008-03-14 09:36 . 2008-03-14 23:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-14 09:36 . 2008-03-14 09:36 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-10 23:27 . 2008-03-10 23:27 75 --a------ C:\WINDOWS\winDecrypt.INI
    2008-02-26 19:47 . 2008-02-26 20:21 <DIR> d-------- C:\Dokumente und Einstellungen\Dang Xuan Bach\.spss
    2008-02-26 19:43 . 2008-02-26 19:43 1,024 --a------ C:\WINDOWS\system32\grcauth2.dll
    2008-02-26 19:43 . 2008-02-26 19:43 1,024 --a------ C:\WINDOWS\system32\grcauth1.dll
    2008-02-26 19:43 . 2008-03-03 10:22 114 --a------ C:\WINDOWS\system32\prsgrc.tgz
    2008-02-26 18:54 . 2008-02-26 18:54 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel
    2008-02-26 18:52 . 2008-02-26 18:52 <DIR> d-------- C:\Programme\Gemeinsame Dateien\SPSS
    2008-02-26 18:52 . 2008-02-26 18:52 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
    2008-02-26 18:52 . 2008-02-26 18:52 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
    2008-02-26 18:52 . 2008-03-03 10:20 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
    2008-02-26 18:52 . 2008-03-03 10:20 16 ---h----- C:\WINDOWS\system32\servdat.slm
    2008-02-26 16:04 . 2008-02-26 16:04 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-25 22:46 --------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
    2008-03-21 11:12 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-03-21 11:12 286,720 ------w C:\WINDOWS\Setup1.exe
    2008-03-17 20:57 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Azureus
    2008-03-14 08:39 --------- d-----w C:\Programme\Gemeinsame Dateien\DVDVIDEOSOFT
    2008-03-08 10:22 154,368 ----a-w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\GDIPFONTCACHEV1.DAT
    2008-03-05 18:31 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\concept design
    2008-02-26 12:27 --------- d--h--w C:\Programme\InstallShield Installation Information
    2008-02-03 22:48 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-02-03 22:48 --------- d-----w C:\Programme\Gemeinsame Dateien\xing shared
    2008-02-03 22:48 --------- d-----w C:\Programme\Gemeinsame Dateien\Real
    2008-02-01 21:16 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\CyberLink
    2008-02-01 21:15 --------- d-----w C:\Programme\Cyberlink
    2008-02-01 21:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink
    2008-02-01 20:31 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Recisio
    2008-02-01 20:22 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\dvdcss
    2008-01-31 15:59 --------- d-----w C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Ditto
    2007-12-28 12:16 1,069,056 ----a-w C:\WINDOWS\system32\ChilkatCrypt2.dll
    2006-05-06 16:42 7,260,160 ----a-w C:\Programme\mozilla firefox\plugins\libvlc.dll
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-20_12.00.50.21 )))))))))))))))))))))))))))))))))))))))))
    .
    - 1998-07-05 23:00:00 33,792 ----a-w C:\WINDOWS\system32\CMDLGDE.DLL
    + 1998-07-05 22:00:00 33,792 ----a-w C:\WINDOWS\system32\CMDLGDE.DLL
    - 2007-10-28 10:46:21 70,580 ----a-w C:\WINDOWS\system32\perfc007.dat
    + 2008-03-20 11:00:29 70,580 ----a-w C:\WINDOWS\system32\perfc007.dat
    - 2007-10-28 10:46:21 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-03-20 11:00:29 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-28 10:46:21 405,118 ----a-w C:\WINDOWS\system32\perfh007.dat
    + 2008-03-20 11:00:29 405,118 ----a-w C:\WINDOWS\system32\perfh007.dat
    - 2007-10-28 10:46:21 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-03-20 11:00:29 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2004-12-13 05:20:04 6,995 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ssgr3en.DAT
    + 2008-03-20 22:23:31 7,014 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ssgr3en.DAT
    - 2000-09-18 23:50:28 202,752 ----a-w C:\WINDOWS\system32\zlib.dll
    + 1998-03-26 00:12:00 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
    .
    (((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "msnmsgr"="C:\Programme\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [ ]
    "UniKey"="D:\Programme\UniKey\UniKey.exe" [2005-08-16 12:18 180224]
    "Veoh"="D:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-02-22 21:42 3537968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 20:06 7311360]
    "nwiz"="nwiz.exe" [2005-12-09 20:06 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 20:06 86016]
    "ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2006-03-30 15:46 71304]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-08 17:56 100056]
    "CherryKeyMan"="C:\Programme\Cherry\KeyMan\KeyMan.exe" [2005-12-22 09:50 254004]
    "SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
    "QuickTime Task"="D:\Programme\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "Sony Ericsson PC Suite"="D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:00 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 04:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
    "BDRegion"="C:\Programme\Cyberlink\Shared Files\brs.exe" [2007-11-16 19:20 91432]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:00 15360]
    "Picasa Media Detector"="D:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 22:18 443968]

    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
    Photo Loader resident.lnk - D:\Programme\CASIO\Photo Loader\Plauto.exe [2006-11-10 18:11:34 217088]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Programme\\concept design\\onlineTV 4\\onlineTV.exe"=

    R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Programme\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
    R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler; "C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2005-12-19 11:57]
    R3 Ch2kPS2;Cherry PS/2 Tastatur Treiber (CDI);C:\WINDOWS\system32\DRIVERS\Ch2kPS2.sys [2005-10-26 12:48]
    R3 Cherry Device Interface;Cherry Device Interface;C:\Programme\Cherry\CDI\cdi.exe [2005-11-14 08:28]

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-11-08 22:43:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Programme\Apple Software Update\SoftwareUpdate.exe
    "2006-11-08 15:46:55 C:\WINDOWS\Tasks\Norton AntiVirus - Meinen Computer prüfen.job"
    - D:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-25 23:55:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\D:\Programme\CyberLink\PowerDVD\000.fcl"
    .
    Completion time: 2008-03-25 23:55:31
    ComboFix-quarantined-files.txt 2008-03-25 22:55:23




    ---------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:57:43, on 25.03.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\Programme\Cherry\KeyMan\KeyMan.exe
    C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programme\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
    D:\Programme\UniKey\UniKey.exe
    D:\Programme\Veoh Networks\Veoh\VeohClient.exe
    C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    D:\Programme\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programme\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    C:\Programme\Cherry\CDI\cdi.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Programme\Messenger\msmsgs.exe
    D:\Programme\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tuwien.ac.at/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Google Notizbuch - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [UniKey] D:\Programme\UniKey\UniKey.exe
    O4 - HKCU\..\Run: [Veoh] "D:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: Photo Loader resident.lnk = D:\Programme\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Notiz erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu2.html
    O8 - Extra context menu item: Notiz mit dieser Seite erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu1.html
    O8 - Extra context menu item: Send to Keyman - C:\Programme\Cherry\KeyMan\IEMenuExtKeyman.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=www.tuwien.ac.at
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///D:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163005242531
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///D:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 13178 bytes
     
  7. 2008/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you install the SPSS software?

    C:\Programme\Gemeinsame Dateien\SPSS
     
  8. 2008/03/27
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    Yes, did it cause any problem?
     
  9. 2008/03/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No, it just leads me to another inquiry. Please check the properties of these files and let me know if they too are associated with the SPSS software.

    C:\Dokumente und Einstellungen\Dang Xuan Bach\.spss
    C:\WINDOWS\system32\grcauth2.dll
    C:\WINDOWS\system32\grcauth1.dll
    C:\WINDOWS\system32\prsgrc.tgz
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SafeNet Sentinel
    C:\WINDOWS\system32\sysprs7.tgz
    C:\WINDOWS\system32\sysprs7.dll
    C:\WINDOWS\system32\lsprst7.tgz
    C:\WINDOWS\system32\servdat.slm
     
  10. 2008/03/27
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    I checked the properties and they were all created on the same date and approx. +/- 1 hour from when SPSS had been installed.
    Only
    C:\WINDOWS\system32\servdat.slm
    I couldn't find anymore.
     
  11. 2008/03/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I was aware of when they were created. I was more concerned whether there was company information, version number, etc. showing in the file properties. So you know why I'm questioning these: one of the files was removed by ComboFix.

    In the previous log:

    The deleted file will be located at C:\Qoobox\Quarantine\C\WINDOWS\system32\lsprst7.dll.vir
    Please upload a sample of that file to my submission channel. Leave a link back to this topic. Please upload the C:\WINDOWS\system32\lsprst7.tgz file as well. Thanks!
     
  12. 2008/03/28
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    I just sent the 2 files
     
  13. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The tgz was empty, and the other was a text file instead of the file I needed.

    lsprst7[1].dll.vir.txt

    Please see if the following file is present and upload it.

    C:\Qoobox\Quarantine\C\WINDOWS\system32\lsprst7.dll.vir

    Upload C:\WINDOWS\system32\sysprs7.dll as well please.

    Thanks!
     
  14. 2008/03/28
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    Strange, I did really send C:\Qoobox\Quarantine\C\WINDOWS\system32\lsprst7.dll.vir instead of a text file.

    Just sent it again plus C:\WINDOWS\system32\sysprs7.dll.
     
  15. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I do believe the lsprst7.dll file is related to SPSS, and is safe. Please open the C:\Qoobox\Quarantine\C\WINDOWS\system32\ folder, right click and copy the lsprst7.dll.vir file, then navigate to C:\WINDOWS\system32 and right click Paste. Now rename the lsprst7.dll.vir to lsprst7.dll.

    Now, let's run an online scan to see if we've missed anything. Please do an online scan with Kaspersky WebScanner.

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
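For triaging the Kaspersky report requested above: in a cleanup like this one most hits sit in ComboFix's Qoobox folder, the VundoFix Backups folder, the Norton quarantine or in System Restore points, and only detections on live paths still need a decision. The Python script below is an added example, not a tool from the thread or from Kaspersky; its sample report is constructed in the scanner's line format with placeholder file names and GUID, and the location rules (quarantine folder markers, the `_restore` folder, `/` marking an archive member) are my own assumptions about that format.

```python
"""Triage a Kaspersky Online Scanner 5 report by where each detection lives."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the scanner's report format (NOT the thread's report):
# file names and the restore-point GUID are placeholders; the detection names
# are real Kaspersky family names that appear in reports of this kind.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\abcdefgh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme.zip/sample.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP101\A0000001.exe Infected: Rootkit.Win32.Agent.vb skipped
C:\VundoFix Backups\sample.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
D:\Downloads\tools.zip/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
D:\Downloads\tools.zip ZIP: infected - 1 skipped
D:\Tools\dropper.exe Infected: Trojan-Downloader.Win32.Small.snf skipped

Scan process completed.
"""

# One report line is "<object> <status> <last action>", where status is
# "Object is locked", "Infected: <detection>" or an archive summary such as
# "ZIP: infected - 2" / "RarSFX: infected - 4".  The lazy <obj> group lets
# paths contain spaces; the trailing anchor keeps the split unambiguous.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>\S+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

# Assumed markers for objects a removal tool has already neutralised.
QUARANTINE_MARKERS = ("\\qoobox\\", "\\vundofix backups\\", "\\quarantine\\")
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass(frozen=True)
class Finding:
    obj: str       # full object path; "/" separates members inside an archive
    name: str      # detection name exactly as reported
    location: str  # quarantine | system_restore | archive | live

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes adware and admin tools with "not-a-virus:".
        return self.name.startswith("not-a-virus:")


def classify_location(obj: str) -> str:
    """Quarantine wins over archive so a zip inside Qoobox stays 'quarantine'."""
    low = obj.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "system_restore"
    if "/" in obj:  # member of an archive or installer stored on disk
        return "archive"
    return "live"


def parse_report(text: str):
    """Return (findings, locked_paths).  Archive summary lines are dropped:
    every member they count already appears on a line of its own."""
    findings, locked = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or "Scan process completed."
        if m.group("locked"):
            locked.append(m.group("obj"))
        elif m.group("name"):
            obj = m.group("obj")
            findings.append(Finding(obj, m.group("name"), classify_location(obj)))
    return findings, locked


def triage(text: str):
    """Group detections by location so live hits stand out from the
    quarantine and System Restore leftovers that dominate these reports."""
    findings, _ = parse_report(text)
    groups = defaultdict(list)
    for finding in findings:
        groups[finding.location].append(finding)
    return dict(groups)


def action_items(text: str):
    """Live objects first, then archives outside quarantine; everything else
    goes away with the quarantine folders and a restore-point purge."""
    groups = triage(text)
    return groups.get("live", []) + groups.get("archive", [])


if __name__ == "__main__":
    for location, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{location}: {len(items)}")
        for finding in items:
            print(f"  {finding.name:<48} {finding.obj}")
```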
  16. 2008/03/28
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, March 28, 2008 8:48:05 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 28/03/2008
    Kaspersky Anti-Virus database records: 668934
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 184075
    Number of viruses found: 8
    Number of infected objects: 30
    Number of suspicious objects: 0
    Duration of the scan process: 02:50:24

    Infected Object Name / Virus Name / Last Action
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink\BDNAV\BRF.dat Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Confid.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Content.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Privacy.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\Restrict.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\WebHist.log Object is locked skipped
    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\LiveUpdate\2008-03-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Cherry\KeyMan\Common.csf Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Cherry\KeyMan\CyMotionMasterXPress.csf Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\cert8.db Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\flashgot.log Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\formhistory.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\history.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\key3.db Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\parent.lock Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\search.sqlite Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\urlclassifier2.sqlite Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\BB23ADF3d01 Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\F223ADF7d01 Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\slfvicz5.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\temp\fla124.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\temp\fla70.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\temp\~DF89C5.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\temp\~DF939.tmp Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008032820080329\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\ntuser.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\Dang Xuan Bach\UserData\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ahoyrchx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\jtvkildo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\nthcfs.exe.vir Infected: Rootkit.Win32.Agent.vb skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\opwnbqif.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\qdifqurw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wdrfgkjn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-03-20_115558.59.zip/gebyxxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-03-20_115558.59.zip/mljgf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-03-20_115558.59.zip ZIP: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029675.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029685.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029783.dll Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029784.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP102\A0029913.exe Infected: Rootkit.Win32.Agent.vb skipped
    C:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP102\change.log Object is locked skipped
    C:\VundoFix Backups\geeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\tpbdoevd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\Downloads\software\internet\Router_Reconnect_Programm.zip/Programm zum Downloaden/CryptLoad_1.0.4/router/FRITZ!Box/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    D:\Downloads\software\internet\Router_Reconnect_Programm.zip ZIP: infected - 1 skipped
    D:\Programme\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    D:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6E152E95 Infected: Exploit.Java.Gimsh.a skipped
    D:\Programme\Veoh Networks\Veoh\client.log Object is locked skipped
    D:\Programme\Veoh Networks\Veoh\upload.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029292.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029712.exe Infected: not-a-virus:pSWTool.Win32.PdfCracker.c skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar Infected: Trojan-Downloader.Win32.Small.snf skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe RarSFX: infected - 4 skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029717.exe/file01 Infected: not-a-virus:pSWTool.Win32.PdfCracker.c skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029717.exe Inno: infected - 1 skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029718.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
    D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP102\change.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.


    --------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:11:15, on 28.03.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\Programme\Cherry\KeyMan\KeyMan.exe
    C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programme\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
    D:\Programme\UniKey\UniKey.exe
    D:\Programme\Veoh Networks\Veoh\VeohClient.exe
    D:\Programme\CASIO\Photo Loader\Plauto.exe
    C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programme\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
    C:\Programme\Cherry\CDI\cdi.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programme\Internet Explorer\iexplore.exe
    D:\Programme\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tuwien.ac.at/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Google Notizbuch - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [UniKey] D:\Programme\UniKey\UniKey.exe
    O4 - HKCU\..\Run: [Veoh] "D:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: Photo Loader resident.lnk = D:\Programme\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Notiz erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu2.html
    O8 - Extra context menu item: Notiz mit dieser Seite erstellen (Google Notizbuch) - res://C:\Programme\Google\Google Notebook\gnotes1.0.2.19--1560735790.dll/gn_menu1.html
    O8 - Extra context menu item: Send to Keyman - C:\Programme\Cherry\KeyMan\IEMenuExtKeyman.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=www.tuwien.ac.at
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///D:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163005242531
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///D:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///D:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 13241 bytes
     
  17. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! All infected files are in quarantine. :)

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. You can delete any logs that were created/saved too. Please verify that the following folders were removed and delete them if still present.

    C:\VundoFix Backups
    C:\QooBox

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Open the Norton antivirus interface and remove all Quarantined items.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    • You should also select the Firefox option and clean that profile as well.
    Reboot

    That should wrap things up. How's the computer performing now? Any other issues?
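As an added worked example (not code from the forum or from the helper in this thread), the following Python script triages a report in the format of the Kaspersky online-scanner output quoted earlier in this thread. It sorts each "Infected" or "Object is locked" line into one of four buckets that map onto the advice above: objects already in the Norton Quarantine folder (contained; clear them from the Norton interface), objects inside System Volume Information\_restore{...} (removed when the restore points are reset), locked objects (not scanned; rescan after a reboot), and anything else (still active on disk and needing removal). The sample report is constructed from a subset of the lines quoted above plus one placeholder line for C:\WINDOWS\system32\example.dll with a made-up detection name, included only to exercise the "active" bucket; it is not a real finding from this machine.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the online-scanner report quoted above.
# The last line (example.dll / Trojan.Win32.Example) is an invented placeholder
# so that the "active" bucket is exercised; it is not a finding from the thread.
SAMPLE_REPORT = r"""
D:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6E152E95 Infected: Exploit.Java.Gimsh.a skipped
D:\Programme\Veoh Networks\Veoh\client.log Object is locked skipped
D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029292.exe Infected: Trojan-Downloader.Win32.Small.snf skipped
D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
D:\System Volume Information\_restore{0ACAC7DE-BC8C-4234-B7AC-6FCCBBC0326D}\RP101\A0029716.exe RarSFX: infected - 4 skipped
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Example skipped
"""

# One report line: "<path> Infected: <name> skipped",
#                  "<path> <Container>: infected - <n> skipped", or
#                  "<path> Object is locked skipped".
# Archive members appear as "<archive>/<member>" in the path.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked))"
    r" skipped$"
)

BUCKETS = ("active", "restore_point", "quarantined", "locked")


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str      # detection name, or "<Container>: <n> objects"
    is_container: bool  # roll-up line for an archive/installer, not a leaf object
    locked: bool        # scanner could not open the object at all


def parse_report(text: str) -> list[Finding]:
    """Turn report text into Finding records; non-matching lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # headers, progress lines, "Scan process completed."
        if m["locked"]:
            findings.append(Finding(m["path"], "", False, True))
        elif m["container"]:
            findings.append(Finding(m["path"], f"{m['container']}: {m['count']} objects", True, False))
        else:
            findings.append(Finding(m["path"], m["name"], False, False))
    return findings


def classify(f: Finding) -> str:
    """Map a finding to the action it needs, based on where it sits on disk."""
    p = f.path.lower()
    if f.locked:
        return "locked"
    if "\\quarantine\\" in p:
        return "quarantined"       # already contained by the AV product
    if "\\system volume information\\_restore" in p:
        return "restore_point"     # gone once System Restore is reset
    return "active"                # still live on disk: needs removal


def triage(text: str) -> dict[str, list[Finding]]:
    """Bucket every leaf finding; container roll-up lines are skipped to avoid
    double-counting the members listed on the lines before them."""
    buckets = {k: [] for k in BUCKETS}
    for f in parse_report(text):
        if not f.is_container:
            buckets[classify(f)].append(f)
    return buckets


def needs_removal(text: str) -> bool:
    """True when the report still shows an infected object outside quarantine
    and outside the restore points, i.e. the machine is not yet clean."""
    return bool(triage(text)["active"])


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket:14s} {len(items)}")
        for f in items:
            print(f"    {f.detection or '(locked)'}  {f.path}")
    print("still needs removal:", needs_removal(SAMPLE_REPORT))
```

On the real report in this thread every infected object falls into the quarantined or restore_point bucket, which is exactly why the helper's closing step is to clear the Norton quarantine and reset the restore points rather than to remove anything else. Locked entries such as the Veoh log files and MountPointManagerRemoteDatabase are files the scanner could not open, not detections; they only matter if a later scan can read them and flags them.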
     
  18. 2008/03/29
    badhero

    badhero Inactive Thread Starter

    Joined:
    2008/03/19
    Messages:
    9
    Likes Received:
    0
There have been no pop-ups since the first time I ran ComboFix, and everything is running well.
Thank you very much for your help! :)
Have a nice day and all the best!
     
  19. 2008/03/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
