MalwareRemoval.com: Malware Removal Instructions

Trojan.Agent

Post by sowhat12 » November 13th, 2008, 1:01 pm

I have the following Trojan in my system and I can't get rid of it.
I tried Malwarebytes and HijackThis to remove it but it always reappears. And every time I start my computer I get the message that a module vevesadi.dll can't be found.

Can somebody please help me?
I tried everything I could.

Thank you so much!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duheroyite (Trojan.Agent)

Here the complete log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:01:34, on 13.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111508 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
O20 - Winlogon Notify: nnnnOffg - nnnnOffg.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5470 bytes
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Post by mz30 » November 13th, 2008, 5:18 pm

Hi
I'm Mz30
I will be helping you with your malware issues.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you, must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

  • The fixes I post are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean, as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page. In case you need it as reference.
  • Please remember that all the staff here are volunteers and help in our free time and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless I ask. This includes running any sort of anti-virus/spyware programs, as they may make things harder to remove.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Trojan.Agent

Post by sowhat12 » November 13th, 2008, 6:16 pm

Hi Mz 30

Thank you so much for your help!
I really appreciate it. My computer just drives me nuts! ;-)

Looking forward to hearing from you!

sowhat12
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Post by mz30 » November 14th, 2008, 5:46 am

Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a HijackThis log so we can continue cleaning the system.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Trojan.Agent

Post by sowhat12 » November 14th, 2008, 2:26 pm

I've got a problem with the software.

Combofix doesn't run on my computer.
When I'm trying to install it, it starts the process of installation and then nothing happens anymore.

Am I doing something wrong?
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Post by mz30 » November 14th, 2008, 4:19 pm

Hi sowhat12,

Could you please try following the instructions again, but this time try another link.

If that doesn't work, please download and save it to your desktop and boot into Safe Mode, following the instructions below:

You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

And then try and run it.

Thanks
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Trojan.Agent

Post by sowhat12 » November 14th, 2008, 5:21 pm

Thanks a lot. I succeeded in using the software.

This is the Combofix log

ComboFix 08-11-12.02 - Standard 2008-11-14 22:02:25.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.146 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
Die folgenden Dateien wurden während des Laufs deaktiviert:
c:\windows\system32\bogerijo.dll


(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\start.exe
c:\windows\system32\MSINET.oca
c:\windows\system32\windows.scr
c:\windows\Tasks\xjjpavhz.job
c:\windows\Web\default.htt

----- BITS: Eventuell infizierte Webseiten -----

hxxp://contrhost.net
hxxp://77.74.48.101
.
((((((((((((((((((((((( Dateien erstellt von 2008-10-14 bis 2008-11-14 ))))))))))))))))))))))))))))))
.

2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\programme\Avira
2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2008-11-13 18:04 . 2008-11-13 18:04 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-13 00:35 . 2008-11-13 00:35 <DIR> d-------- c:\programme\Trend Micro
2008-11-12 23:50 . 2008-11-12 23:51 <DIR> d-------- C:\registrygesichert
2008-11-12 23:49 . 2008-11-12 23:49 <DIR> d-------- c:\programme\CCleaner
2008-10-30 02:48 . 2008-10-30 02:48 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\skypePM
2008-10-30 02:48 . 2008-10-30 02:48 56 --ah----- c:\windows\SYSTEM32\ezsidmv.dat
2008-10-30 02:46 . 2008-10-30 02:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2008-10-21 19:30 . 2008-10-21 19:30 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-16 20:25 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-21 19:29 . 2008-10-16 20:25 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-10-21 00:24 . 2008-10-21 00:24 <DIR> d-------- c:\windows\SYSTEM32\EV19
2008-10-21 00:24 . 2008-10-21 00:24 <DIR> d-------- c:\temp\xp34

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 09:37 14,206,297 ------w c:\windows\Internet Logs\tvDebug.zip
2008-10-21 00:20 688,640 ------w c:\windows\Internet Logs\xDBD.tmp
2008-10-07 23:49 215,552 ------w c:\windows\Internet Logs\xDBC.tmp
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-09-30 23:57 885,760 ------w c:\windows\Internet Logs\xDBB.tmp
2008-09-17 22:57 --------- d-----w c:\dokumente und einstellungen\Standard\Anwendungsdaten\EPSON
2008-09-05 15:34 720,896 ------w c:\windows\Internet Logs\xDBA.tmp
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-23 20:33 57344 c:\programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\programme\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programme\\MSN Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\system32\DRIVERS\avmwan.sys [2001-08-17 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\system32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\system32\DRIVERS\fpcibase.sys [2001-08-17 444416]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 w32n5223;w32n5223 Protocol Driver;c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]

*Newly Created Service* - AVIPBB
.
Inhalt des "geplante Tasks" Ordners

2008-11-14 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{c22d3440-0176-4c04-9918-bf735467ba96} - c:\windows\system32\nehakite.dll
HKLM-Run-duheroyite - c:\windows\system32\vevesadi.dll
Notify-nnnnOffg - nnnnOffg.dll
MSConfigStartUp-duheroyite - c:\windows\system32\vevesadi.dll

.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - c:\dokumente und einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\160jeysz.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 22:10:38
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\programme\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-11-14 22:14:08 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-11-14 21:13:54

Vor Suchlauf: 1.366.491.136 Bytes frei
Nach Suchlauf: 4,434,362,368 Bytes frei

168

And this is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:43, on 14.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111508 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5684 bytes

I tried to read the logs myself and in the combofix log it is said that the registry entries were removed. I highlighted it in blue. Nevertheless it still appears when I boot my computer. It's still in the registry and it's still started when booting the computer. I just don't get it. I hope you can help me!
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm
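The two questions running through this thread so far are "which lines in a HijackThis log deserve attention?" and "did ComboFix's removal actually stick?". The following is an added example, not code from the thread or from the HijackThis/ComboFix authors, that answers both mechanically for a defender reading such logs. It flags the patterns visible in the logs above: an O4 Run entry that starts a DLL through rundll32 (an autostart whose DLL has since been deleted still runs at logon and produces exactly the "module could not be found" message from the first post), any entry marked "(file missing)" or "(no file)", and a non-empty O20 AppInit_DLLs value, which is empty on a default Windows XP install. It then compares the names ComboFix listed under "Entfernte verwaiste Registrierungseinträge" with a HijackThis log taken afterwards, so that an entry which has come back (as duheroyite and the nehakite BHO did here) is reported instead of being overlooked. All sample input is constructed from lines in the thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis lines of the kind posted in the first log above.
HJT_LOG = r"""
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
O20 - Winlogon Notify: nnnnOffg - nnnnOffg.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# Constructed sample: the "removed orphaned registry entries" section ComboFix printed.
COMBOFIX_REMOVED = r"""
BHO-{c22d3440-0176-4c04-9918-bf735467ba96} - c:\windows\system32\nehakite.dll
HKLM-Run-duheroyite - c:\windows\system32\vevesadi.dll
Notify-nnnnOffg - nnnnOffg.dll
MSConfigStartUp-duheroyite - c:\windows\system32\vevesadi.dll
"""

# Constructed: the fresh log posted after ComboFix no longer shows the Winlogon
# Notify line, but the Run entries and the BHO are back.
FRESH_HJT_LOG = "\n".join(l for l in HJT_LOG.splitlines() if "Winlogon Notify" not in l)

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O4"
    line: str      # the log line as written
    reason: str    # why a reviewer should look at it


def triage_hijackthis(log: str) -> List[Finding]:
    """Return the log lines that match persistence patterns worth a second look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()
        # A reference whose target is gone: harmless by itself, but it still fires at
        # logon (hence "module could not be found") and shows something was removed
        # without its autostart being cleaned up.
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(section, line, "orphaned entry: target file is gone but the reference remains"))
        # Run keys that launch a DLL via rundll32 are a common loader pattern and
        # rarely belong to installed software; the DLL name is worth checking.
        if section == "O4":
            rd = RUNDLL_RE.search(body)
            if rd:
                findings.append(Finding(section, line, f"Run entry loads a DLL through rundll32: {rd.group(1)}"))
        # AppInit_DLLs is injected into every process that loads user32.dll; on a
        # default XP system the value is empty.
        if section == "O20" and lower.startswith("appinit_dlls:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding(section, line, "AppInit_DLLs is set; empty by default on Windows XP"))
    return findings


def respawned_after_combofix(removed_section: str, fresh_hjt_log: str) -> List[str]:
    """File names ComboFix reported as removed orphan references that a HijackThis
    log taken afterwards still mentions. A non-empty result means something on the
    machine is re-creating the autostart, so the cleanup is not finished."""
    fresh = fresh_hjt_log.lower()
    still_present = set()
    for line in removed_section.splitlines():
        if " - " not in line:
            continue
        target = line.rsplit(" - ", 1)[1].strip()
        basename = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename and basename in fresh:
            still_present.add(basename)
    return sorted(still_present)


if __name__ == "__main__":
    for f in triage_hijackthis(HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("reappeared after ComboFix:", respawned_after_combofix(COMBOFIX_REMOVED, FRESH_HJT_LOG))
```

The match on file names rather than full paths is deliberate: HijackThis prints `C:\WINDOWS\system32\...` while ComboFix prints `c:\windows\system32\...`, and a name such as `nnnnOffg.dll` appears in the Winlogon Notify line without any path at all.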

Re: Trojan.Agent

Post by sowhat12 » November 14th, 2008, 5:23 pm

I didn't have the windows recovery machine because in Safe Mode I didn't have Internet access. I hope that was ok!?
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Post by mz30 » November 15th, 2008, 11:49 am

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    c:\windows\SYSTEM32\EV19
    c:\temp\xp34


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please also post a fresh HijackThis log run after the above script.

Thanks
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Trojan.Agent

Post by sowhat12 » November 16th, 2008, 5:05 am

Ok, I did everything you said, and this is the log result from combofix:

ComboFix 08-11-13.02 - Standard 2008-11-16 3:53:53.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.65 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Standard\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\xp34
c:\windows\SYSTEM32\EV19

.
((((((((((((((((((((((( Dateien erstellt von 2008-10-16 bis 2008-11-16 ))))))))))))))))))))))))))))))
.

2008-11-15 10:50 . 2008-11-15 10:50 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\NI.GSCNS
2008-11-15 10:47 . 2008-11-15 10:47 35,840 --a------ c:\windows\SYSTEM32\prun.exe
2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\programme\Avira
2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2008-11-13 18:04 . 2008-11-13 18:04 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-13 00:35 . 2008-11-13 00:35 <DIR> d-------- c:\programme\Trend Micro
2008-11-12 23:50 . 2008-11-12 23:51 <DIR> d-------- C:\registrygesichert
2008-11-12 23:49 . 2008-11-12 23:49 <DIR> d-------- c:\programme\CCleaner
2008-10-30 02:48 . 2008-10-30 02:48 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\skypePM
2008-10-30 02:48 . 2008-10-30 02:48 56 --ah----- c:\windows\SYSTEM32\ezsidmv.dat
2008-10-30 02:46 . 2008-10-30 02:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2008-10-21 19:30 . 2008-10-21 19:30 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-16 20:25 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-21 19:29 . 2008-10-16 20:25 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 09:37 14,206,297 ------w c:\windows\Internet Logs\tvDebug.zip
2008-10-21 00:20 688,640 ------w c:\windows\Internet Logs\xDBD.tmp
2008-10-07 23:49 215,552 ------w c:\windows\Internet Logs\xDBC.tmp
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-09-30 23:57 885,760 ------w c:\windows\Internet Logs\xDBB.tmp
2008-09-17 22:57 --------- d-----w c:\dokumente und einstellungen\Standard\Anwendungsdaten\EPSON
2008-09-05 15:34 720,896 ------w c:\windows\Internet Logs\xDBA.tmp
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_22.12.49.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-14 21:02:18 294,912 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2008-11-16 03:03:04 425,984 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
- 2008-11-14 20:53:28 163,840 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012008111420081115\index.dat
+ 2008-11-14 22:40:12 196,608 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012008111420081115\index.dat
+ 2008-11-15 09:57:54 81,920 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012008111520081116\index.dat
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c22d3440-0176-4c04-9918-bf735467ba96}]
c:\windows\system32\nehakite.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-15 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"duheroyite"="c:\windows\system32\vevesadi.dll" [BU]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-15 35840]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-23 20:33 57344 c:\programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\programme\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programme\\MSN Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\system32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\system32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\system32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe [2008-04-02 1527900]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 w32n5223;w32n5223 Protocol Driver;\??\c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]
.
Contents of the "Scheduled Tasks" folder

2008-11-15 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 04:03:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\programme\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\programme\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\WDFMGR.EXE
.
**************************************************************************
.
Completion time: 2008-11-16 4:06:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 03:06:34
ComboFix2.txt 2008-11-14 21:14:14

Pre-Run: 4,123,721,728 bytes free
Post-Run: 4,283,695,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

170


And this is HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:37, on 16.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=113008 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5804 bytes
sowhat12
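The persistence mechanisms visible in the logs above (Run entries such as duheroyite and prunnet, the orphaned BHO nehakite.dll, a non-empty AppInit_DLLs value, an extra LSA notification package, and the Security Center and firewall overrides) are exactly what a helper scans for by eye. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or RSIT; it applies those checks to a handful of lines copied from the posted logs. The function names, the consonant/vowel naming heuristic, the severity levels and the small allow-lists are this example's own assumptions.

```python
"""Triage of HijackThis / ComboFix / RSIT autostart lines (added example).

Sample lines are copied from the logs posted above; the heuristics,
thresholds and function names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: str      # the log line that triggered the finding
    reason: str


# Constructed sample: a few lines lifted from the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
"notification packages"=scecli
C:\WINDOWS\system32\bogerijo.dll

"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

_O4 = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.*)$')
_O20 = re.compile(r'^O20 - AppInit_DLLs: \S')
_NOTIFY = re.compile(r'^"notification packages"=(?P<pkgs>.*)$', re.IGNORECASE)
_SC_OVERRIDE = re.compile(
    r'^"(?P<name>FirewallOverride|AntiVirusOverride|UpdatesDisableNotify|DisableMonitoring)"=dword:0*1$',
    re.IGNORECASE)
_FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"\s,]+)')  # quoted or bare Windows path

_KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}  # Microsoft autostarts living in system32 on XP (assumed allow-list)
_DEFAULT_LSA = {"scecli"}                          # the only LSA notification package on a stock XP install
_VOWELS = set("aeiou")


def _paths(text: str) -> List[str]:
    return [quoted or bare for quoted, bare in _PATH.findall(text)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(name: str) -> bool:
    """Strict consonant/vowel alternation over a stem of 7+ letters.

    nehakite, vevesadi, bogerijo and duheroyite from the log all match;
    avgnt, zlclient, ctfmon and getflash do not. A screening aid, not a
    signature: other naming schemes will slip past it.
    """
    stem = name.lower().split(".")[0]
    if len(stem) < 7 or not stem.isalpha():
        return False
    classes = [c in _VOWELS for c in stem]
    return all(a != b for a, b in zip(classes, classes[1:]))


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    idx = 0
    while idx < len(lines):
        line = lines[idx]
        idx += 1
        if m := _O4.match(line):
            paths = _paths(m.group("cmd"))
            names = [m.group("name")] + [_basename(p) for p in paths]
            if any(looks_random(n) for n in names):
                findings.append(Finding("high", line, "Run entry with a random-looking name: " + ", ".join(names)))
            elif any("\\system32\\" in p.lower() and _basename(p) not in _KNOWN_SYSTEM32 for p in paths):
                findings.append(Finding("medium", line, "third-party binary autostarting straight from system32; check its file date and publisher"))
        elif m := _O2.match(line):
            rest = m.group("rest")
            dlls = [_basename(p) for p in _paths(rest)]
            if any(looks_random(d) for d in dlls):
                findings.append(Finding("high", line, "BHO DLL with a random-looking name: " + ", ".join(dlls)))
            elif "(file missing)" in rest or "(no file)" in rest:
                findings.append(Finding("medium", line, "orphaned BHO registration; remove the CLSID"))
        elif _O20.match(line):
            findings.append(Finding("high", line, "AppInit_DLLs set: the DLL is loaded into every process that links user32.dll"))
        elif m := _NOTIFY.match(line):
            pkgs = [p for p in re.split(r"[,\s]+", m.group("pkgs")) if p]
            # RSIT prints a multi-string value with one entry per following line.
            while idx < len(lines) and lines[idx] and not lines[idx].startswith(("[", '"')):
                pkgs.append(lines[idx])
                idx += 1
            extra = [p for p in pkgs if _basename(p).split(".")[0] not in _DEFAULT_LSA]
            if extra:
                findings.append(Finding("high", line, "extra LSA notification package(s) " + ", ".join(extra)
                                        + ": loaded into lsass.exe and called on every password change"))
        elif m := _SC_OVERRIDE.match(line):
            findings.append(Finding("medium", line, m.group("name") + "=1: Security Center alerting suppressed"))
        elif _FW_OFF.match(line):
            findings.append(Finding("medium", line, "Windows Firewall off for this profile (expected with a third-party firewall, otherwise a red flag)"))
    return findings


def counts(findings: List[Finding]) -> dict:
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to print the findings for the sample. On the sample it reports four high findings (the vevesadi.dll Run entry, the nehakite.dll BHO, AppInit_DLLs, and the bogerijo.dll notification package) and three medium ones (prun.exe, FirewallOverride, and the disabled Windows Firewall). The firewall and Security Center values are rated medium rather than high because this machine runs ZoneAlarm, which legitimately turns off the built-in firewall and its monitoring; on a machine with no third-party firewall the same values would deserve a closer look. The naming heuristic is deliberately crude and will miss malware that does not use that scheme, so treat it as a reason to check a file's date and publisher, not as a verdict.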

Re: Trojan.Agent

Post by mz30 » November 16th, 2008, 10:14 am

RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)
mz30

Re: Trojan.Agent

Post by sowhat12 » November 16th, 2008, 2:43 pm

This is the log.txt:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Standard at 2008-11-16 19:38:38
Microsoft Windows XP Professional Service Pack 2
System drive C: has 4 GB (13%) free of 31 GB
Total RAM: 255 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:51, on 16.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Dokumente und Einstellungen\Standard\Desktop\RSIT.exe
C:\Programme\Trend Micro\HijackThis\Standard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {c22d3440-0176-4c04-9918-bf735467ba96} - C:\WINDOWS\system32\nehakite.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=113008 serial=DR12WEX-1538262-SEU lang=DE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7080512042
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bogerijo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 5662 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
C:\WINDOWS\tasks\Programmstart beschleunigen.job
C:\WINDOWS\tasks\Videoerinnerung.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c22d3440-0176-4c04-9918-bf735467ba96}]
C:\WINDOWS\system32\nehakite.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
FlashGet GetFlash Class - C:\Programme\FlashGet\getflash.dll [2007-09-11 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21 368640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"=Mixer.exe /startup []
"CorelDRAW Graphics Suite 11b"=C:\Programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe [2003-11-28 733184]
"ZoneAlarm Client"=C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe [2007-09-06 919016]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"duheroyite"=C:\WINDOWS\system32\vevesadi.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-23 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe [2007-01-26 1167360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe [2007-01-26 1167360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\duheroyite]
C:\WINDOWS\system32\vevesadi.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE [2007-03-01 180736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Programme\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Programme\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE [2006-06-15 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe [2006-06-27 1449984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]
C:\WINDOWS\system32\prun.exe [2008-11-15 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\qttask.exe [2008-01-31 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
C:\AOL5.0\aoltray.exe [1999-09-29 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
C:\PROGRA~1\T-COM\T-COMW~1\INSTAL~1\WINXP\DTUSB1~1.EXE [2003-09-25 815202]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE [2006-01-25 61440]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\bogerijo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 240128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\bogerijo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Bonjour\mDNSResponder.exe"="C:\Programme\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Programme\iTunes\iTunes.exe"="C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Programme\MSN Messenger\msnmsgr.exe"="C:\Programme\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Programme\MSN Messenger\livecall.exe"="C:\Programme\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\MSN Messenger\msnmsgr.exe"="C:\Programme\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Programme\MSN Messenger\livecall.exe"="C:\Programme\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-11-16 19:38:38 ----D---- C:\rsit
2008-11-16 04:06:48 ----A---- C:\ComboFix.txt
2008-11-16 03:56:44 ----D---- C:\WINDOWS\temp
2008-11-16 03:53:06 ----A---- C:\Boot.bak
2008-11-16 03:53:01 ----RASHD---- C:\cmdcons
2008-11-15 10:50:47 ----D---- C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\NI.GSCNS
2008-11-15 10:47:25 ----A---- C:\WINDOWS\system32\prun.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\zip.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\VFIND.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\SWSC.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\SWREG.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\sed.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\grep.exe
2008-11-14 22:01:23 ----A---- C:\WINDOWS\fdsv.exe
2008-11-14 22:01:20 ----D---- C:\WINDOWS\ERDNT
2008-11-14 22:01:20 ----D---- C:\Qoobox
2008-11-14 21:57:21 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-14 19:27:06 ----D---- C:\Programme\Avira
2008-11-14 19:27:06 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-11-13 18:04:31 ----D---- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-13 00:35:56 ----D---- C:\Programme\Trend Micro
2008-11-12 23:50:59 ----D---- C:\registrygesichert
2008-11-12 23:49:35 ----D---- C:\Programme\CCleaner
2008-10-30 02:48:50 ----D---- C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\skypePM
2008-10-30 02:46:13 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2008-10-21 19:30:08 ----D---- C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Malwarebytes
2008-10-21 19:29:50 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2008-10-21 19:29:50 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes

======List of files/folders modified in the last 1 months======

2008-11-16 10:50:30 ----A---- C:\WINDOWS\SCHEDLOG.TXT
2008-11-16 10:06:06 ----RASH---- C:\boot.ini
2008-11-16 10:06:06 ----A---- C:\WINDOWS\win.ini
2008-11-16 10:06:06 ----A---- C:\WINDOWS\system.ini
2008-11-15 12:25:00 ----A---- C:\WINDOWS\winamp.ini
2008-10-30 03:01:28 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-17 13:18:06 ----A---- C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-11-14 75072]
R1 P3;Intel PentiumIII-Prozessortreiber; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 46592]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2007-09-06 395080]
R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 AVMWAN;AVM NDIS WAN CAPI-Treiber; C:\WINDOWS\System32\DRIVERS\avmwan.sys [2001-08-17 37568]
R3 cmpci;C-Media PCI Audio Driver (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2002-11-18 377358]
R3 DT154_A02;T-Sinus 154data Driver; C:\WINDOWS\System32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI; C:\WINDOWS\System32\DRIVERS\fpcibase.sys [2001-08-17 444416]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
R3 usbhub;Microsoft USB-Standardhubtreiber; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 nm;Netzwerkmonitortreiber; C:\WINDOWS\System32\DRIVERS\NMnt.sys [2004-08-04 40320]
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-05-29 8704]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-05-29 13312]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-05-29 127488]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-05-29 13312]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 42000]
S3 ovt519;TRUST 320 SPACEC@M; C:\WINDOWS\System32\Drivers\ov519vid.sys [2003-05-06 163072]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2007-11-08 21248]
S3 streamip;BDA-IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbaudio;USB-Audiotreiber (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB-Scannertreiber; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 usbstor;USB-Massenspeichertreiber; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 w32n5223;w32n5223 Protocol Driver; \??\C:\Programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys []
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Programme\Lavasoft\Ad-Aware\aawservice.exe [2008-11-13 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Apple Mobile Device;Apple Mobile Device; C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Bonjour Service;Bonjour-Dienst; C:\Programme\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe [2007-09-06 75304]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; C:\Programme\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Programme\WinPcap\rpcapd.exe [2007-01-25 93048]
S3 ServiceLayer;ServiceLayer; C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe [2006-06-05 174080]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Programme\MSN Messenger\usnsvc.exe [2007-01-19 97136]

This is the info.txt:

info.txt logfile of random's system information tool 1.04 2008-11-16 19:38:56

======Uninstall list======

-->"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
-->C:\WINDOWS\IsUn0407.exe -f"C:\Programme\Adaptec\Easy CD Creator 4\CreateCD\UNINST.ISU"
-->C:\WINDOWS\IsUn0407.exe -f"C:\Programme\Adaptec\Easy CD Creator 4\UNINST.ISU"
-->C:\WINDOWS\IsUn0407.exe -f"C:\Programme\Adaptec\Easy CD Creator 4\UNINST.ISU"
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{20A4352A-237B-41DD-A6C0-3CD2F8E8D35C}\Setup.exe" -l0x7
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adaptec DirectCD-->C:\WINDOWS\IsUn0407.exe -fC:\Programme\Adaptec\DirectCD\DCDUnins.isu -cC:\PROGRA~1\ADAPTEC\DIRECTCD\Dcduhlp.dll
Adaptec Easy CD Creator 4-->"C:\Programme\Gemeinsame Dateien\Adaptec\ECDCUNIN\SETUP.EXE" -l0007 -fECDC.INS
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0-->C:\WINDOWS\ISUN0407.EXE -f"C:\Programme\Gemeinsame Dateien\Adobe\Acrobat 4.0\98\Uninst.isu" -c"C:\Programme\Gemeinsame Dateien\Adobe\Acrobat 4.0\98\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Advanced PDF-to-Word 1.0 Demo-->C:\PROGRA~1\ADVANC~1\demos\UNWISE.EXE /U C:\PROGRA~1\ADVANC~1\demos\apdf2word.log
Advertisement Service-->C:\WINDOWS\system32\prun.exe Uninstall
AFPL Ghostscript 8.50-->C:\gs\uninstgs.exe "C:\gs\gs8.50\uninstal.txt"
AFPL Ghostscript Fonts-->C:\gs\uninstgs.exe "C:\gs\fonts\uninstal.txt"
ALDI Foto Manager Free Sued-->C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Manager_Free\unwise.exe
ALDI Online Druck Service 3.4.3.0 (D)-->C:\Programme\ALDI Sued Foto Service\ALDI_ODS\unwise.exe
ALDI Sued Foto Service-->C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\unwise.exe
AOL-->C:\WINDOWS\Aolunins.exe
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Camera RAW Plug-In for EPSON Creativity Suite-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}\SETUP.EXE" -l0x7 UNINST
Canon i250-->C:\WINDOWS\System32\CNMCP50.exe "-PRINTERNAMECanon i250" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i250 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i250 Installer\Inst2\cnmi0407.dll"
CCleaner (remove only)-->"C:\Programme\CCleaner\uninst.exe"
CorelDRAW Graphics Suite 12-->MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
CX4300_5500_DX4400 Handbuch-->C:\Programme\EPSON\TPMANUAL\CX4300_5500_DX4400\DEU\USE_G\DOCUNINS.EXE
dBpoweramp m4a Codec-->"C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpowerAMP Music Converter-->"C:\WINDOWS\SYSTEM32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\SYSTEM\SpoonUninstall-dBpowerAMP Music Converter.dat
dBpowerAMP Ogg Vorbis Codec-->"C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
dBpowerAMP WMA V9 Codec-->"C:\WINDOWS\SYSTEM32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\SYSTEM\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
EPSON Attach To Email-->C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x7 -UnInstall
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}\SETUP.EXE" -l0x7 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x7 UNINST
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x7 -u
EPSON Scan-->C:\Programme\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x7 -anything
EPSON-Drucker-Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Firebird SQL Server - MAGIX Edition-->C:\Programme\ALDI Sued Foto Service\Common\Database\unwise.exe
FLAC 1.2.1b (remove only)-->C:\Programme\FLAC\uninstall.exe
FlashGet 1.9.6.1073-->C:\Programme\FlashGet\uninst.exe
HijackThis 2.0.2-->"C:\Programme\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes-->MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java 2 Runtime Environment, SE v1.4.0_01-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\SETUP.EXE" Anytext
Java Web Start-->"C:\Programme\Java Web Start\uninst-javaws.exe"
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Word 2000 SR-1-->MsiExec.exe /I{00170407-78E1-11D2-B60F-006097C998E7}
Monkey's Audio-->"C:\Programme\Monkey's Audio\unins000.exe"
Mozilla Firefox (2.0.0.14)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
Nero OEM-->C:\Programme\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape (7.0)-->C:\WINDOWS\NSUninst.exe /ua "7.0 (en)"
Nokia Connectivity Cable Driver-->MsiExec.exe /X{6882DD11-33B8-4DEA-8305-7E765BF74BD3}
Nokia Lifeblog 2.1-->MsiExec.exe /I{EE565795-2776-415A-B31C-EB3A8D7C6FA4}
Nokia MTP driver-->MsiExec.exe /I{59359B3D-ABE7-46BF-AB55-43B67A64DC68}
Nokia N73 highlights-->MsiExec.exe /I{02B71D92-A84B-4DFB-9A10-D12BB01AC1F2}
Nokia Nseries Skin for Microsoft Windows Media Player-->MsiExec.exe /I{73E30715-9EC4-4DAE-BE67-64500AEB8012}
Nokia PC Connectivity Solution-->MsiExec.exe /I{0D80391C-0A72-43BB-9BC2-143F63CC111D}
Nokia PC Suite-->MsiExec.exe /I{531317A5-586A-4E36-87C1-CA823447B375}
Nokia themes for your device-->MsiExec.exe /I{77F5816C-64A6-4FBE-BBE5-52EFE5EB84E8}
OpenOffice.org 2.0-->MsiExec.exe /I{33D6723B-DE6B-4E86-A6BC-CD1F3E42DD26}
PCI Audio Driver-->cmuninst.exe
PDFCreator-->C:\Programme\PDFCreator\unins000.exe
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
SUPER © Version 2008.bld.30 (Mar 22, 2008)-->C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
T-Online 5.0-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8283FCCD-AC71-4DC1-A81E-4F244FBBE11D}\SETUP.EXE" CPAS
T-Online Copas-->C:\PROGRA~1\T-ONLINE\COPAS\UNWISE.EXE /U C:\PROGRA~1\T-ONLINE\COPAS\INSTALL.LOG
T-Online Fotoservice-->C:\PROGRA~1\T-ONLI~1\UNWISE.EXE C:\PROGRA~1\T-ONLI~1\INSTALL.LOG
TRUST 320 SPACEC@M-->C:\WINDOWS\CleanDev.exe C:\WINDOWS\ov519.TXT
T-Sinus 154data-->C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F462C04-1A39-49A2-AA03-87A4EBF5D0DD}
Update für Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
VIA AGP 4x/133 Driver Setup Program-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\Uninst.isu
VideoLAN VLC media player 0.8.6c-->C:\Programme\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player (Remove Only)-->C:\Programme\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VTrain (Vokabeltrainer) 4.5-->C:\Programme\VTrain\unins000.exe
Web Stream Recorder Pro 1.61-->C:\Programme\Sytexis Software\Web Stream Recorder Pro\uninstall.exe
Winamp (remove only)-->"C:\Programme\Winamp\UninstWA.exe"
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\System32\DRVSTORE\nokbtmdm_62A340731F8930057B44B8864F236850B0D49D65\nokbtmdm.inf
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Millennium Edition - Schritt für Schritt interaktiv-->C:\WINDOWS\Help\MIT\Training\munins32_s.exe
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows XP-Deinstallation-->%SYSTEMROOT%\system32\osuninst.exe
WinPcap 4.0-->C:\Programme\WinPcap\uninstall.exe
WinRAR archiver-->C:\PROGRAMME\WINRAR\UNINSTALL.EXE
WinZip 11.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
WM Recorder 11.3-->C:\Programme\WMR11\Uninstal.exe
WordToPDF 2.4-->"C:\Programme\WordToPDF\unins000.exe"
ZoneAlarm-->C:\Programme\Zone Labs\ZoneAlarm\zauninst.exe

=====HijackThis Backups=====

O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')

======Security center information======

AV: Avira AntiVir PersonalEdition
FW: ZoneAlarm Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;%SYSTEMROOT%\COMMAND;C:\Programme\QuickTime\QTSystem
"windir"=C:\WINDOWS
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0803
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=C:\WINDOWS\TEMP
"TMP"=C:\WINDOWS\TEMP
"winbootdir"=C:\WINDOWS
"PROMPT"=$p$g
"tvdumpflags"=8
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.0\lib\ext\QTJava.zip

-----------------EOF-----------------
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Unread postby mz30 » November 17th, 2008, 1:01 pm

Backup Your Registry with ERUNT
  • Please use the following link to download ERUNT
  • Use the setup program to install ERUNT on your computer
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\nehakite.dll
    C:\WINDOWS\system32\vevesadi.dll
    C:\WINDOWS\system32\prun.exe
    C:\WINDOWS\system32\bogerijo.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c22d3440-0176-4c04-9918-bf735467ba96}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "duheroyite"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\duheroyite]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=-
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] 
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Image: screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Please also post a fresh HijackThis log, run after the above script.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool
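
The CFScript format above, as an added example that is not ComboFix's code or anyone's in this thread: a Python script that decodes the hex(7) value the script writes to the LSA "Notification Packages" list (it restores the XP default, scecli, with nothing extra) and checks that every DLL the Run-key O4 entries load through Rundll32 is listed under File::. The parsing helpers, the constructed avgnt O4 line and the default-package list are assumptions, not anything from ComboFix or HijackThis.

```python
"""Decode and sanity-check a ComboFix CFScript like the one posted above.
Added example for this thread, not ComboFix's own code: the CFScript and the
first two O4 lines are copied from the posts above, the third O4 line is
constructed, and the parsing helpers and XP default list are assumptions."""
import re

# Registry:: data in a REGEDIT4-style script is ANSI, one byte per character.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\nehakite.dll
C:\WINDOWS\system32\vevesadi.dll
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\system32\bogerijo.dll

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"duheroyite"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\duheroyite]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""

O4_LINES = [  # HijackThis O4 entries; the avgnt one is constructed and benign
    r'O4 - HKLM\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s',
    r"""O4 - HKUS\S-1-5-19\..\Run: [duheroyite] Rundll32.exe "C:\WINDOWS\system32\vevesadi.dll",s (User 'LOKALER DIENST')""",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
]

# Assumption: an XP workstation's LSA loads only scecli; anything else here is
# a DLL that lsass.exe loads at boot and hands every password change.
XP_DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
                   r"(?P<command>.*?)(?: \(User '[^']*'\))?$")
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)


def decode_multi_sz(data: str) -> list[str]:
    """Turn 'hex(7):73,63,...' into the strings it encodes (NUL-separated)."""
    raw = bytes(int(b, 16) for b in re.split(r"[,\s]+", data.split(":", 1)[1]) if b)
    # A Version 5.00 .reg export would be UTF-16LE: every high byte is zero.
    utf16 = len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def decode_reg_data(data: str):
    """'-' means delete the value; hex(7) becomes a list; quoted text is unquoted."""
    if data.lower().startswith("hex(7):"):
        return decode_multi_sz(data)
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data


def parse_cfscript(text: str) -> dict:
    """Return {'files': [...], 'registry': [(key, value_name, data), ...]};
    a [-KEY] line is recorded as (key, None, 'delete-key')."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join .reg-style continuation lines
    files, registry, section, key = [], [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2].lower(), None
        elif section == "file":
            files.append(line)
        elif section == "registry" and line[0] == "[" and line[-1] == "]":
            if line[1] == "-":
                registry.append((line[2:-1], None, "delete-key"))
                key = None
            else:
                key = line[1:-1]
        elif section == "registry" and line[0] == '"' and key:
            name, _, data = line.partition("=")
            registry.append((key, name.strip('"'), decode_reg_data(data.strip())))
    return {"files": files, "registry": registry}


def unexpected_notification_packages(packages: list[str]) -> list[str]:
    """Entries of an LSA Notification Packages list that are not the XP default."""
    return [p for p in packages if p.lower() not in XP_DEFAULT_NOTIFICATION_PACKAGES]


def rundll32_target(command: str):
    """The DLL a Run-key command hands to rundll32, or None for a plain .exe."""
    m = RUNDLL_RE.match(command)
    return m.group(1).strip() if m else None


def uncovered_rundll32_dlls(o4_lines: list[str], script: dict) -> list[str]:
    """DLLs loaded via Rundll32 from Run keys that the script's File:: omits."""
    listed = {p.lower() for p in script["files"]}
    targets = {rundll32_target(m.group("command"))
               for m in map(O4_RE.match, o4_lines) if m}
    return sorted(d for d in targets - {None} if d.lower() not in listed)
```

Running `parse_cfscript(CFSCRIPT)` yields `["scecli"]` for the Notification Packages value, so the script leaves only the default package behind, and `uncovered_rundll32_dlls(O4_LINES, ...)` returns an empty list because vevesadi.dll is under File::.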

Re: Trojan.Agent

Unread postby sowhat12 » November 17th, 2008, 7:21 pm

OK. Here's the new log file:

ComboFix 08-11-13.02 - Standard 2008-11-18 0:12:48.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.89 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Standard\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Standard\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
c:\windows\system32\bogerijo.dll
c:\windows\system32\nehakite.dll
c:\windows\system32\prun.exe
c:\windows\system32\vevesadi.dll
.

((((((((((((((((((((((( Dateien erstellt von 2008-10-17 bis 2008-11-17 ))))))))))))))))))))))))))))))
.

2008-11-18 00:06 . 2008-11-18 00:06 <DIR> d-------- c:\programme\ERUNT
2008-11-17 10:58 . 2008-11-17 10:58 39 --a------ c:\windows\wininit.ini
2008-11-17 10:55 . 2008-11-17 10:55 272 --a------ c:\windows\_delis32.ini
2008-11-17 10:54 . 2008-11-17 10:54 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\Leadertech
2008-11-16 19:49 . 2008-11-16 19:49 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-16 19:49 . 2008-11-16 19:49 1,409 --a------ c:\windows\QTFont.for
2008-11-16 19:38 . 2008-11-16 19:38 <DIR> d-------- C:\rsit
2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\programme\Avira
2008-11-14 19:27 . 2008-11-14 19:27 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2008-11-13 18:04 . 2008-11-13 18:04 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-13 00:35 . 2008-11-13 00:35 <DIR> d-------- c:\programme\Trend Micro
2008-11-12 23:50 . 2008-11-12 23:51 <DIR> d-------- C:\registrygesichert
2008-11-12 23:49 . 2008-11-12 23:49 <DIR> d-------- c:\programme\CCleaner
2008-10-30 02:48 . 2008-10-30 02:48 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\skypePM
2008-10-30 02:48 . 2008-10-30 02:48 56 --ah----- c:\windows\SYSTEM32\ezsidmv.dat
2008-10-30 02:46 . 2008-10-30 02:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2008-10-21 19:30 . 2008-10-21 19:30 <DIR> d-------- c:\dokumente und einstellungen\Standard\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-10-21 19:29 . 2008-10-21 19:29 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-21 19:29 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-21 19:29 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 09:37 14,206,297 ------w c:\windows\Internet Logs\tvDebug.zip
2008-10-21 00:20 688,640 ------w c:\windows\Internet Logs\xDBD.tmp
2008-10-07 23:49 215,552 ------w c:\windows\Internet Logs\xDBC.tmp
2008-10-05 09:03 20,419,767 ------w c:\windows\Internet Logs\vsmon_on_demand_2008_10_05_02_50_53_full.dmp.zip
2008-09-30 23:57 885,760 ------w c:\windows\Internet Logs\xDBB.tmp
2008-09-17 22:57 --------- d-----w c:\dokumente und einstellungen\Standard\Anwendungsdaten\EPSON
2008-09-05 15:34 720,896 ------w c:\windows\Internet Logs\xDBA.tmp
2008-04-03 12:53 43,768 ----a-w c:\dokumente und einstellungen\Standard\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2000-08-18 15:39 271 --sh--w c:\programme\DESKTOP.INI
2000-08-18 15:39 23,480 ---h--w c:\programme\FOLDER.HTT
2006-05-03 11:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 12:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 14:43 27,648 --sh--w c:\windows\SYSTEM32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_22.12.49.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\18.11.2008\ERDNT.EXE
+ 2008-11-17 23:06:40 4,878,336 ----a-w c:\windows\ERDNT\18.11.2008\Users\00000001\ntuser.dat
+ 2008-11-17 23:06:40 28,672 ----a-w c:\windows\ERDNT\18.11.2008\Users\00000002\UsrClass.dat
- 2008-10-30 02:10:48 1,744 ----a-w c:\windows\SYSTEM32\d3d9caps.dat
+ 2008-11-16 18:54:18 1,744 ----a-w c:\windows\SYSTEM32\d3d9caps.dat
- 2008-11-14 21:02:18 294,912 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2008-11-17 23:11:46 524,288 ----a-w c:\windows\Verlauf\HISTORY.IE5\index.dat
+ 2008-11-17 23:09:16 32,768 ----a-w c:\windows\Verlauf\HISTORY.IE5\MSHist012008111820081119\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\programme\Corel\Corel Graphics 12\Languages\DE\Programs\Registration.exe" [2003-11-28 733184]
"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-01-31 385024]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\Standard\Startmen\Programme\Autostart\
ERUNT AutoBackup.lnk - c:\programme\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AOL5.0 Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AOL5.0 Tray Icon.lnk
backup=c:\windows\pss\AOL5.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^T-COM WLAN Manager T-Sinus 154data.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\T-COM WLAN Manager T-Sinus 154data.lnk
backup=c:\windows\pss\T-COM WLAN Manager T-Sinus 154data.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Standard^Startmenü^Programme^Autostart^OpenOffice.org 2.0.lnk]
path=c:\dokumente und einstellungen\Standard\Startmenü\Programme\Autostart\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI Foto Service]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_SUED_FotoSuite_Download]
--a------ 2007-01-26 16:44 1167360 c:\programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4400 Series]
--a------ 2007-03-01 08:01 180736 c:\windows\SYSTEM32\spool\drivers\w32x86\3\E_FATICAE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\programme\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\programme\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Dosbat"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programme\\MSN Messenger\\livecall.exe"=

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;c:\windows\system32\DRIVERS\avmwan.sys [2007-01-15 37568]
R3 DT154_A02;T-Sinus 154data Driver;c:\windows\system32\DRIVERS\TS154USB.sys [2003-10-27 335328]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\system32\DRIVERS\fpcibase.sys [2007-01-15 444416]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 w32n5223;w32n5223 Protocol Driver;\??\c:\programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\w32n5223.sys [2003-05-12 15104]
.
Inhalt des "geplante Tasks" Ordners

2008-11-17 c:\windows\Tasks\PCHealth-Planer für die Zusammenstellung der Daten.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2007-01-15 c:\windows\Tasks\Videoerinnerung.job
- c:\windows\TUNEUP.EXE []
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

MSConfigStartUp-Adobe Photo Downloader - c:\programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 00:15:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-11-18 0:16:52
ComboFix-quarantined-files.txt 2008-11-17 23:16:46
ComboFix3.txt 2008-11-14 21:14:14
ComboFix2.txt 2008-11-16 03:06:50

Vor Suchlauf: 3.907.469.312 Bytes frei
Nach Suchlauf: 4,056,481,792 Bytes frei

155
sowhat12
Regular Member
 
Posts: 19
Joined: November 12th, 2008, 8:01 pm

Re: Trojan.Agent

Unread postby mz30 » November 18th, 2008, 11:43 am

Please post a fresh HijackThis log. :)
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool