MalwareRemoval.com
Malware Removal Instructions

Trojan Virus detected. Please help me with its removal

Post by Baumfrucht » November 23rd, 2008, 9:43 am

Hello,

My computer started running slower lately, so I did some anti-virus checks. I used most of the free software like Ad-Aware, AVG and Spybot Search & Destroy and found a couple of smaller malware programs, which I removed. Unfortunately I found a few trojan viruses as well.

Names are

Trojan-Downloader.Small.Buy
Adware.Zeno_Search_Assistant
Trojan.Virtuemonde


Please help me with the removal of these and any other malware I might have overlooked.

Thanks a lot.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34:32, on 23.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
F:\steam\steam.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Raxco\PerfectDisk\PDAgent.exe
F:\Programme\Spybot - Search & Destroy\TeaTimer.exe
F:\Programme\DAEMON Tools\daemon.exe
C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
E:\Programme\ICQ6\ICQ.exe
C:\Programme\Curse\CurseClient.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Hamachi\hamachi.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
F:\Programme\Azureus\Azureus.exe
C:\Programme\AVG\AVG8\avgui.exe
C:\Programme\AVG\AVG8\avgscanx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0226D302-C044-41A6-A9D3-9B0EA8CA8BA8} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: netupbanner browser enhancer - {245188A5-0105-294D-FF73-949BED2B761F} - C:\WINDOWS\system32\vuiqinifwdqriibr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\ddcYspmn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {7c857bc1-699f-fde0-3955-4b6e6fd8fde4} - C:\WINDOWS\system32\ajhkarcmgomisz.dll (file missing)
O2 - BHO: (no name) - {9A02DA8F-719F-4D14-B372-1774CDDE5EC4} - (no file)
O2 - BHO: (no name) - {AA61DE26-FA67-4575-9033-918671094293} - (no file)
O2 - BHO: {8fa89ed4-fe0d-e768-2be4-6b83d25618eb} - {be81652d-38b6-4eb2-867e-d0ef4de98af8} - C:\WINDOWS\system32\wlefsd.dll
O2 - BHO: agadoo browser optimizer - {c848f688-9942-63bb-7f0c-67936e75a44e} - C:\WINDOWS\system32\bhngxyprwyvd.dll (file missing)
O2 - BHO: (no name) - {DCC23EF9-50AB-42C4-8E67-C57D33D01E4C} - C:\WINDOWS\system32\byXPGWoM.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar fuer eBay - {000E148C-F7A7-445A-9044-93BF6CE09ECB} - C:\Dokumente und Einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "f:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "f:\Programme\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ICQ] "E:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [CurseClient] C:\Programme\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Programme\Hamachi\hamachi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xaxvof.dll,avgrsstx.dll wlefsd.dll
O20 - Winlogon Notify: ddcYspmn - ddcYspmn.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - i:\Programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe

--
End of file - 10639 bytes
Baumfrucht
Active Member
 
Posts: 12
Joined: November 23rd, 2008, 9:36 am
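
The log above is the kind the helpers in this thread read by hand, entry by entry. As an added example (not part of the thread and not a HijackThis feature), the following Python script parses a log in this format and flags the entries an analyst looks at first: a start page that is not the Microsoft default (R0/R1), BHOs whose file is gone or whose only name is a CLSID (O2), the Winsock LSP entry that HijackThis itself marks as unknown (O10), and anything in AppInit_DLLs (O20) that has not been accounted for. AppInit_DLLs deserves the most attention: every DLL named there is loaded into every process that loads user32.dll, which is why a helper treats it as a persistence point rather than a browser nuisance. The sample log embedded in the script is constructed from lines of the log above; the set of vendor DLLs accepted in AppInit_DLLs (here only AVG's avgrsstx.dll) is an assumption to adjust per machine. The cross-reference the script reports is visible in the thread itself: wlefsd.dll is registered both as an unnamed BHO and in AppInit_DLLs, and the ComboFix log posted later lists it among the deleted files.

```python
"""Triage a HijackThis (v2.0.x) log: parse the section-prefixed entry lines
and flag the ones an analyst would look at first."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis's own line format, built from the kinds of
# entries that show up in a cleanup thread (raw string: paths contain backslashes).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: netupbanner browser enhancer - {245188A5-0105-294D-FF73-949BED2B761F} - C:\WINDOWS\system32\vuiqinifwdqriibr.dll (file missing)
O2 - BHO: (no name) - {9A02DA8F-719F-4D14-B372-1774CDDE5EC4} - (no file)
O2 - BHO: {8fa89ed4-fe0d-e768-2be4-6b83d25618eb} - {be81652d-38b6-4eb2-867e-d0ef4de98af8} - C:\WINDOWS\system32\wlefsd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: xaxvof.dll,avgrsstx.dll wlefsd.dll
O20 - Winlogon Notify: ddcYspmn - ddcYspmn.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumption: AVG 8's resident shield registers avgrsstx.dll in AppInit_DLLs,
# so it is treated as expected here. Extend this set for vendors you trust.
KNOWN_APPINIT = {"avgrsstx.dll"}

MS_DEFAULT = re.compile(r"^https?://(go|www)\.microsoft\.com/", re.I)
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
LINE = re.compile(r"^(?P<sec>R[0-3]|F[0-3]|O\d+)\s+-\s+(?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # startpage | orphan | anonymous | lsp | appinit
    section: str   # HijackThis section code (R0, O2, O10, O20, ...)
    detail: str


def parse(log):
    """Yield (section, body) for every HijackThis entry line; skip the header."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def basename(path):
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log):
    """Return the findings for one log, in log order."""
    findings = []
    for sec, body in parse(log):
        if sec in ("R0", "R1"):
            # "HKCU\...\Main,Start Page = <url>"; an empty value is left alone
            key, sep, val = body.partition(" = ")
            if sep and val.strip() and not MS_DEFAULT.match(val.strip()):
                findings.append(Finding("startpage", sec, val.strip()))
        elif sec == "O2":
            # "BHO: <name> - {CLSID} - <path | path (file missing) | (no file)>"
            parts = [p.strip() for p in body[len("BHO:"):].split(" - ")]
            name, path = parts[0], parts[-1]
            if path.endswith("(file missing)") or path == "(no file)":
                findings.append(Finding("orphan", sec, body))
            elif name == "(no name)" or GUID.match(name):
                # a real DLL on disk with no vendor name at all
                findings.append(Finding("anonymous", sec, basename(path)))
        elif sec == "O10":
            findings.append(Finding("lsp", sec, basename(body.split(":", 1)[-1])))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:"):
                # the value is comma- and/or space-separated
                for dll in re.split(r"[,\s]+", body.split(":", 1)[1].strip()):
                    if dll and dll.lower() not in KNOWN_APPINIT:
                        findings.append(Finding("appinit", sec, dll.lower()))
            elif "(file missing)" in body:
                findings.append(Finding("orphan", sec, body))
    return findings


def cross_references(findings):
    """DLL names that appear under more than one load mechanism."""
    seen = {}
    for f in findings:
        if f.kind in ("appinit", "anonymous"):
            seen.setdefault(f.detail, set()).add(f.kind)
    return {dll for dll, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind:>9}] {f.section}: {f.detail}")
    print("loaded by more than one mechanism:", sorted(cross_references(results)))
```

Orphaned entries (file missing, no file) are usually leftovers of something a scanner already deleted and are cleaned for tidiness; the entries worth real work are the ones whose DLL still exists on disk, and the cross-reference set tells you which of those are wired into more than one load path.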

Post by Shaba » November 26th, 2008, 5:16 am

Hi Baumfrucht

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[screenshot: HijackThis Uninstall Manager window]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Baumfrucht » November 26th, 2008, 8:28 am

Hello,

Thanks for the reply. First, I used a couple of anti-spyware programs over the last day, so the HijackThis log isn't up to date anymore. I am posting the current one together with the log file you requested.

Here you go:

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:51, on 26.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
F:\steam\steam.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programme\Skype\Phone\Skype.exe
F:\Programme\Spybot - Search & Destroy\TeaTimer.exe
F:\Programme\DAEMON Tools\daemon.exe
C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
E:\Programme\ICQ6\ICQ.exe
C:\Programme\Raxco\PerfectDisk\PDAgent.exe
C:\Programme\Curse\CurseClient.exe
C:\Programme\Hamachi\hamachi.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\Raxco\PerfectDisk\PDEngine.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\SoulseekNS\slsk.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0226D302-C044-41A6-A9D3-9B0EA8CA8BA8} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: netupbanner browser enhancer - {245188A5-0105-294D-FF73-949BED2B761F} - C:\WINDOWS\system32\vuiqinifwdqriibr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\ddcYspmn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {7c857bc1-699f-fde0-3955-4b6e6fd8fde4} - C:\WINDOWS\system32\ajhkarcmgomisz.dll (file missing)
O2 - BHO: (no name) - {9A02DA8F-719F-4D14-B372-1774CDDE5EC4} - (no file)
O2 - BHO: (no name) - {AA61DE26-FA67-4575-9033-918671094293} - (no file)
O2 - BHO: {8fa89ed4-fe0d-e768-2be4-6b83d25618eb} - {be81652d-38b6-4eb2-867e-d0ef4de98af8} - C:\WINDOWS\system32\wlefsd.dll
O2 - BHO: agadoo browser optimizer - {c848f688-9942-63bb-7f0c-67936e75a44e} - C:\WINDOWS\system32\bhngxyprwyvd.dll (file missing)
O2 - BHO: (no name) - {DCC23EF9-50AB-42C4-8E67-C57D33D01E4C} - C:\WINDOWS\system32\byXPGWoM.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar fuer eBay - {000E148C-F7A7-445A-9044-93BF6CE09ECB} - C:\Dokumente und Einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "f:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "f:\Programme\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ICQ] "E:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [CurseClient] C:\Programme\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Programme\Hamachi\hamachi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xaxvof.dll,avgrsstx.dll wlefsd.dll
O20 - Winlogon Notify: ddcYspmn - ddcYspmn.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - i:\Programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 9949 bytes

Uninstall log:

Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Korean Fonts Support For Adobe Reader 8
LEGO® Indiana Jones™
Lounge Lizard EP-2 v2.0
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft Office PowerPoint Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.0.4)
MySidesearch Search Assistant Bfinding
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS
Norton PartitionMagic 8.0
NVIDIA Drivers
O&O Defrag Professional Edition
OpenOffice.org 2.4
PCI Audio Driver
PerfectDisk
PixiePack Codec Pack
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RON Tool Netupbanner
Security Update für Microsoft .NET Framework 2.0 (KB917283)
Security Update für Microsoft .NET Framework 2.0 (KB922770)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SiSoftware Sandra Lite 2009
Skype™ 3.5
SoulSeek 157 NS 12d
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Team Fortress 2
TeamSpeak 2 RC2
Toolbar fuer eBay
Uninstall 1.0.0.1
US-122
USB Keyboard Device 1.0.1.0
Ventrilo Client
VentriloMIX
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Warhammer Online - Age of Reckoning
Wecker 2.2 2.2
Winamp
Windows Imaging Component
Windows Live installer
Windows Media Player Firefox Plugin
winLAME prerelease4
WinRAR
WordNet 2.1
World of Warcraft
Wrath of the Lich King Beta

Post by Shaba » November 26th, 2008, 8:33 am

Your uninstall list cuts off.

Please re-send it.

Post by Baumfrucht » November 26th, 2008, 9:46 am

Ableton Live v7.0.1
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2 - Deutsch
Adobe Reader Extended Language Support Font Pack
Adobe Stock Photos 1.0
Advertisement Service
Apple Software Update
AVG Free 8.0
Azureus
BodyBoard Screen Saver
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 8
Chinese Traditional Fonts Support For Adobe Reader 8
Command & Conquer 3
Curse Client
Deewoo Network Manager removal
Dimension Pro
DivX Content Uploader
DivX Web Player
East West Drumkit From Hell 2
ElsterFormular 2007/2008
eMule
EVEREST Home Edition v2.20
Free YouTube to Mp3 Converter version 3.1
GPL Ghostscript 8.60
GPL Ghostscript Fonts
gtkmm Runtime Environment 2.14
Half-Life 2
Half-Life 2: Episode One
Hamachi 1.0.3.0
HijackThis 2.0.2
Hotfix für Microsoft .NET Framework 2.0 (KB916002)
Hyplay
ICQ6
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Korean Fonts Support For Adobe Reader 8
LEGO® Indiana Jones™
Lounge Lizard EP-2 v2.0
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft Office PowerPoint Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.0.4)
MySidesearch Search Assistant Bfinding
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS
Norton PartitionMagic 8.0
NVIDIA Drivers
O&O Defrag Professional Edition
OpenOffice.org 2.4
PCI Audio Driver
PerfectDisk
PixiePack Codec Pack
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RON Tool Netupbanner
Security Update für Microsoft .NET Framework 2.0 (KB917283)
Security Update für Microsoft .NET Framework 2.0 (KB922770)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SiSoftware Sandra Lite 2009
Skype™ 3.5
SoulSeek 157 NS 12d
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Team Fortress 2
TeamSpeak 2 RC2
Toolbar fuer eBay
Uninstall 1.0.0.1
US-122
USB Keyboard Device 1.0.1.0
Ventrilo Client
VentriloMIX
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Warhammer Online - Age of Reckoning
Wecker 2.2 2.2
Winamp
Windows Imaging Component
Windows Live installer
Windows Media Player Firefox Plugin
winLAME prerelease4
WinRAR
WordNet 2.1
World of Warcraft
Wrath of the Lich King Beta

Post by Shaba » November 26th, 2008, 9:53 am

IMPORTANT: I notice there are signs of one or more P2P (peer-to-peer) file sharing programs on your computer.

Azureus
eMule
SoulSeek 157 NS 12d


I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above.

Uninstall also these:

Advertisement Service
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
MySidesearch Search Assistant Bfinding

Please run a new uninstall list scan when finished and post the log back here.

Post by Baumfrucht » November 26th, 2008, 11:23 am

Hi,

I uninstalled the P2P applications, but I think I might have made a mistake. I misread your post and used the "Delete this entry" option in HijackThis to delete Java 3-5, MyAdvertise and Advertisement Service.

Ableton Live v7.0.1
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2 - Deutsch
Adobe Reader Extended Language Support Font Pack
Adobe Stock Photos 1.0
Apple Software Update
AVG Free 8.0
BodyBoard Screen Saver
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 8
Chinese Traditional Fonts Support For Adobe Reader 8
Command & Conquer 3
Curse Client
Deewoo Network Manager removal
Dimension Pro
DivX Content Uploader
DivX Web Player
East West Drumkit From Hell 2
ElsterFormular 2007/2008
EVEREST Home Edition v2.20
Free YouTube to Mp3 Converter version 3.1
GPL Ghostscript 8.60
GPL Ghostscript Fonts
gtkmm Runtime Environment 2.14
Half-Life 2
Half-Life 2: Episode One
Hamachi 1.0.3.0
HijackThis 2.0.2
Hotfix für Microsoft .NET Framework 2.0 (KB916002)
Hyplay
ICQ6
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 7
Korean Fonts Support For Adobe Reader 8
LEGO® Indiana Jones™
Lounge Lizard EP-2 v2.0
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft Office PowerPoint Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.0.4)
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS
Norton PartitionMagic 8.0
NVIDIA Drivers
O&O Defrag Professional Edition
OpenOffice.org 2.4
PCI Audio Driver
PerfectDisk
PixiePack Codec Pack
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RON Tool Netupbanner
Security Update für Microsoft .NET Framework 2.0 (KB917283)
Security Update für Microsoft .NET Framework 2.0 (KB922770)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SiSoftware Sandra Lite 2009
Skype™ 3.5
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Team Fortress 2
TeamSpeak 2 RC2
Toolbar fuer eBay
Uninstall 1.0.0.1
US-122
USB Keyboard Device 1.0.1.0
Ventrilo Client
VentriloMIX
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Warhammer Online - Age of Reckoning
Wecker 2.2 2.2
Winamp
Windows Imaging Component
Windows Live installer
Windows Media Player Firefox Plugin
winLAME prerelease4
WinRAR
WordNet 2.1
World of Warcraft
Wrath of the Lich King Beta

Post by Shaba » November 26th, 2008, 11:32 am

Yes, that was not right, but it shouldn't matter, as the programs will get removed later.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Trojan Virus detected. Please help me with its removal

Post by Baumfrucht » November 26th, 2008, 2:24 pm

Sorry to keep you waiting, I had an appointment with my dentist.....

So here is the log:

ComboFix 08-11-26.03 - funk 2008-11-26 19:14:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1526 [GMT 1:00]
Running from: c:\dokumente und einstellungen\funk\Desktop\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jxckwiso.dll
c:\windows\system32\kdwpklpd.dll
c:\windows\system32\o2
c:\windows\system32\rckxhbaw.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\wlefsd.dll

.
((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 ))))))))))))))))))))))))))))))
.

2008-11-24 00:07 . 2008-11-24 00:07 <DIR> d-------- c:\windows\system32\xircom
2008-11-24 00:07 . 2008-11-24 00:07 <DIR> d-------- c:\programme\microsoft frontpage
2008-11-23 14:28 . 2008-11-23 14:28 <DIR> d-------- c:\programme\Trend Micro
2008-11-23 14:20 . 2008-11-23 14:20 <DIR> d-------- c:\programme\SpywareBlaster
2008-11-20 23:18 . 2008-11-20 23:18 <DIR> d-------- c:\programme\Gemeinsame Dateien\Native Instruments
2008-11-20 23:17 . 2003-07-06 08:10 17,408 --------- c:\windows\system32\minimp3.exe
2008-11-19 00:31 . 2008-11-23 23:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-19 00:28 . 2008-11-26 00:05 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-19 00:28 . 2008-11-19 00:28 <DIR> d-------- c:\programme\AVG
2008-11-19 00:28 . 2008-11-19 00:28 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\avg8
2008-11-19 00:28 . 2008-11-19 00:28 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-19 00:28 . 2008-11-19 00:28 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-19 00:28 . 2008-11-19 00:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-18 18:54 . 2008-11-18 18:54 90,915 --a------ c:\windows\system32\ajhkarcmgomisz.dll-uninst.exe
2008-11-18 12:03 . 2008-11-18 12:03 <DIR> d-------- c:\dokumente und einstellungen\funk\Anwendungsdaten\NI.GSCNS
2008-11-18 11:54 . 2008-11-19 00:39 <DIR> d-------- c:\windows\system32\nb3
2008-11-18 11:54 . 2008-11-18 11:54 <DIR> d-------- c:\windows\system32\it2
2008-11-18 11:54 . 2008-11-18 12:19 <DIR> d-------- c:\windows\system32\BX
2008-11-18 11:54 . 2008-11-18 11:54 79,094 --a------ c:\windows\system32\qvfctchklackhx.exe
2008-11-18 11:54 . 2008-11-18 11:54 64,859 --a------ c:\windows\system32\ocdejgkmuvuxlfbs.exe
2008-11-07 19:04 . 2008-11-07 19:04 <DIR> d-------- c:\programme\Gemeinsame Dateien\DVDVideoSoft
2008-11-07 19:04 . 2008-11-07 19:04 <DIR> d-------- c:\programme\DVDVideoSoft
2008-11-07 19:04 . 2008-11-07 19:06 <DIR> d-------- C:\DVDVideoSoft
2008-11-04 00:16 . 2008-11-04 00:16 275 --a------ C:\Verknüpfung (2) mit Lokaler Datenträger (D).lnk
2008-11-01 20:14 . 2008-11-01 20:14 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 18:18 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Hamachi
2008-11-26 18:08 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Skype
2008-11-26 15:15 --------- d-----w c:\programme\SoulseekNS
2008-11-26 07:43 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\OpenOffice.org2
2008-11-25 20:57 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\teamspeak2
2008-11-24 13:01 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-11-24 12:59 --------- d---a-w c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2008-11-23 14:20 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus
2008-11-18 16:48 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-11-18 16:45 --------- d-----w c:\programme\Lavasoft
2008-11-18 16:45 --------- d-----w c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-01 19:52 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Bioshock
2008-10-27 12:20 74,399 ----a-w C:\report.zip
2008-10-24 19:05 --------- d-----w c:\programme\Hotspot Shield
2008-10-22 10:26 --------- d--h--w c:\programme\InstallShield Installation Information
2008-10-22 10:26 --------- d-----w c:\programme\ElsterFormular
2008-10-19 16:13 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars
2008-10-19 16:13 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Desktopicon
2008-10-15 12:59 --------- d-----w c:\programme\Gemeinsame Dateien\Blizzard Entertainment
2008-10-15 12:53 --------- d-----w c:\programme\Curse
2008-10-15 12:50 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Acreon
2008-10-15 12:30 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Blizzard
2008-10-08 23:56 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\nView_Profiles
2008-09-26 21:54 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Command & Conquer 3 Tiberium Wars
2008-09-26 21:49 --------- d--h--r c:\dokumente und einstellungen\funk\Anwendungsdaten\SecuROM
2008-09-26 21:35 2,002 ----a-w C:\c&c.reg
2007-09-16 14:05 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-09-16 14:05 32,768 -csha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
2007-09-16 14:05 32,768 -csha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007091620070917\index.dat
.

------- Sigcheck -------

2004-08-04 13:00 579584 78785eff8cb90cec1862a4ccfd9a3c3a c:\windows\system32\user32.dll

2004-08-04 13:00 823808 26db81279fed58d5199235c26d4836e2 c:\windows\system32\wininet.dll

2004-08-04 13:00 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\system32\drivers\tcpip.sys

2007-02-28 17:06 2019840 5aa6fe8b36d7d4074542925c38c142be c:\windows\system32\ntkrnlpa.exe
2004-08-04 13:00 2061696 9b9ca27ad315c02b71510238574894b2 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\ntkrnlpa.exe

2007-02-28 17:06 2140160 fd51b755255e963b1e78b010b575fa7c c:\windows\system32\ntoskrnl.exe
2004-08-04 13:00 2184448 e1de7a10d46959560c3b617227d95c19 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\ntoskrnl.exe

2004-08-04 13:00 1035264 64322e8399b205b7281ff883737a9b03 c:\windows\explorer.exe

2004-08-04 13:00 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{000E148C-F7A7-445A-9044-93BF6CE09ECB}"= "c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll" [2008-08-14 2484224]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{000E148C-F7A7-445A-9044-93BF6CE09ECB}"= "c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll" [2008-08-14 2484224]

[HKEY_CLASSES_ROOT\clsid\{000e148c-f7a7-445a-9044-93bf6ce09ecb}]
[HKEY_CLASSES_ROOT\TBSB03968.TBSB03968.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB03968.TBSB03968]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="f:\steam\steam.exe" [2008-10-09 1410296]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"SpybotSD TeaTimer"="f:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"DAEMON Tools"="f:\programme\DAEMON Tools\daemon.exe" [2007-12-06 167368]
"Google Update"="c:\dokumente und einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"ICQ"="e:\programme\ICQ6\ICQ.exe" [2008-09-01 173304]
"CurseClient"="c:\programme\Curse\CurseClient.exe" [2008-10-10 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="f:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-19 1234712]
"SoundMan"="SOUNDMAN.EXE" [2005-07-08 c:\windows\SOUNDMAN.EXE]
"C-Media Mixer"="Mixer.exe" [2002-07-13 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2004-08-04 c:\windows\system32\advpack.dll]

c:\dokumente und einstellungen\funk\Startmenü\Programme\Autostart\
Adobe Gamma.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
hamachi.lnk - c:\programme\Hamachi\hamachi.exe [2008-07-21 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xaxvof.dll,avgrsstx.dll wlefsd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= usbkt1x1.dll
"midi2"= usbkt1x1.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^funk^Startmenü^Programme^Autostart^OpenOffice.org 2.4.lnk]
path=c:\dokumente und einstellungen\funk\Startmenü\Programme\Autostart\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-09-01 16:08 173304 e:\programme\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 f:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-05-08 15:53 3640368 i:\programme\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-04 04:59 36352 f:\programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Programme\\ICQ6\\ICQ.exe"=
"f:\\Steam\\steamapps\\superzahnstein\\team fortress 2\\hl2.exe"=
"f:\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Steam\\steamapps\\salatbaum\\team fortress 2\\hl2.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"i:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"i:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"i:\\Unreal Tournament III\\Binaries\\UT3.exe"=
"c:\\Programme\\SoulseekNS\\slsk.exe"=
"c:\\Programme\\Curse\\CurseClient.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Programme\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programme\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-19 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-19 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-19 76040]
R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2004-07-30 217472]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2004-07-30 86648]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;i:\programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-09-23 98488]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);c:\windows\system32\DRIVERS\se59bus.sys [2006-09-05 61536]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-07-23 13504]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2004-07-30 17277]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2008-07-23 22304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\programme\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the "Scheduled Tasks" folder

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\dokumente und einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2008-09-03 00:41]
.
- - - - Removed Orphaned Registry Entries - - - -

BHO-{0226D302-C044-41A6-A9D3-9B0EA8CA8BA8} - (no file)
BHO-{245188A5-0105-294D-FF73-949BED2B761F} - c:\windows\system32\vuiqinifwdqriibr.dll
BHO-{7c857bc1-699f-fde0-3955-4b6e6fd8fde4} - c:\windows\system32\ajhkarcmgomisz.dll
BHO-{9A02DA8F-719F-4D14-B372-1774CDDE5EC4} - (no file)
BHO-{AA61DE26-FA67-4575-9033-918671094293} - (no file)
BHO-{be81652d-38b6-4eb2-867e-d0ef4de98af8} - c:\windows\system32\wlefsd.dll
BHO-{c848f688-9942-63bb-7f0c-67936e75a44e} - c:\windows\system32\bhngxyprwyvd.dll
BHO-{DCC23EF9-50AB-42C4-8E67-C57D33D01E4C} - c:\windows\system32\byXPGWoM.dll
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-AtiExtEvent - (no file)
Notify-ddcYspmn - ddcYspmn.dll
MSConfigStartUp-iTunesHelper - e:\programme\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\dokumente und einstellungen\funk\Anwendungsdaten\Mozilla\Firefox\Profiles\nolcteu9.default\
FF -: plugin - c:\dokumente und einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\programme\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\programme\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - f:\programme\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - f:\programme\QuickTime\Plugins\npqtplugin7.dll
FF -: plugin - i:\programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 19:17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\programme\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\rundll32.exe
c:\programme\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\programme\Raxco\PerfectDisk\PDEngine.exe
c:\programme\AVG\AVG8\avgrsx.exe
c:\programme\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-11-26 19:21:40 - machine was rebooted [funk]
ComboFix-quarantined-files.txt 2008-11-26 18:21:37

Pre-Run: 5.726.527.488 bytes free
Post-Run: 5,660,790,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

252

Re: Trojan Virus detected. Please help me with its removal

Post by Shaba » November 26th, 2008, 2:30 pm

Please also post a fresh HijackThis log :)

Re: Trojan Virus detected. Please help me with its removal

Post by Baumfrucht » November 26th, 2008, 8:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:00:20, on 27.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
F:\steam\steam.exe
C:\Programme\Raxco\PerfectDisk\PDAgent.exe
F:\Programme\Spybot - Search & Destroy\TeaTimer.exe
F:\Programme\DAEMON Tools\daemon.exe
C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
E:\Programme\ICQ6\ICQ.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Curse\CurseClient.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\Hamachi\hamachi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar fuer eBay - {000E148C-F7A7-445A-9044-93BF6CE09ECB} - C:\Dokumente und Einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "f:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "f:\Programme\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ICQ] "E:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [CurseClient] C:\Programme\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Programme\Hamachi\hamachi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xaxvof.dll,avgrsstx.dll wlefsd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - i:\Programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 8231 bytes

Re: Trojan Virus detected. Please help me with its removal

Post by Shaba » November 27th, 2008, 4:15 am

We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\system32\ajhkarcmgomisz.dll-uninst.exe
c:\windows\system32\qvfctchklackhx.exe
c:\windows\system32\ocdejgkmuvuxlfbs.exe

Folder::
c:\dokumente und einstellungen\funk\Anwendungsdaten\NI.GSCNS
c:\windows\system32\nb3
c:\windows\system32\it2
c:\windows\system32\B
c:\programme\SoulseekNS
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
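
The AppInit_DLLs clean-up in the post above is the step worth automating when you triage logs like these, so here is an added worked example of doing it. This is not code from the thread, from HijackThis or from ComboFix; the allow-lists, the sample log lines and the CFScript layout are assumptions modelled on the entries posted in this thread. AppInit_DLLs is a comma- or space-separated list under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows that user32.dll loads into every process linking it, so any DLL there that you cannot account for is a finding in its own right.

```python
"""Triage a HijackThis log for the persistence mechanisms seen in this thread and emit the
matching ComboFix CFScript. Added example; not code from the thread, HijackThis or ComboFix."""
import re

# Assumed allow-list for this machine: AVG's resident-shield hook (avgrsstx.dll) is the only
# AppInit_DLLs entry that belongs. Anything else here is loaded into every process that maps
# user32.dll, which is why browser-hijacking adware favours this value.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

# Assumed allow-list of legitimate system32 binaries from the logs on this page whose names would
# otherwise trip the vowel heuristic below (ctfmon, spoolsv, wscntfy, PunkBuster, NVIDIA, O&O).
KNOWN_SYSTEM32 = {"ctfmon", "spoolsv", "wscntfy", "pnkbstra", "nvcpl", "nvmctray", "oodtray", "oodag"}

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\([^\\]+)\.(?:dll|exe)$", re.IGNORECASE)

# Constructed sample log, modelled on the O2/O4/O20 entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {be81652d-38b6-4eb2-867e-d0ef4de98af8} - c:\windows\system32\wlefsd.dll
O2 - BHO: (no name) - {0226D302-C044-41A6-A9D3-9B0EA8CA8BA8} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: xaxvof.dll,avgrsstx.dll wlefsd.dll
"""


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-delimited list; Windows accepts either separator."""
    return [d for d in re.split(r"[,\s]+", value.strip()) if d]


def looks_random(stem):
    """Heuristic only: letters-only stem of 6+ chars with at most one vowel in four
    ('wlefsd', 'kdwpklpd'). 'xaxvof' passes it, so the AppInit check uses an allow-list instead."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels * 4 <= len(stem)


def triage(log_text):
    """Return unknown AppInit DLLs, orphaned entries and random-looking system32 binaries."""
    found = {"appinit_unknown": [], "orphans": [], "random_system32": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            found["appinit_unknown"] += [d for d in split_appinit(m.group(1))
                                        if d.lower() not in APPINIT_ALLOWLIST]
            continue
        if "(no file)" in line or "(file missing)" in line:
            found["orphans"].append(line)  # CLSID still registered, binary already gone
            continue
        for path in PATH_RE.findall(line):
            s = SYSTEM32_RE.match(path)
            if s and s.group(1).lower() not in KNOWN_SYSTEM32 and looks_random(s.group(1)):
                found["random_system32"].append(path)
    return found


def build_cfscript(appinit_value, files=(), folders=(), allowlist=APPINIT_ALLOWLIST):
    """Emit a CFScript in the File::/Folder::/Registry:: layout used in the thread. The Registry::
    section rewrites AppInit_DLLs to keep only allow-listed DLLs rather than deleting the value,
    so the AV hook keeps working."""
    keep = ",".join(d for d in split_appinit(appinit_value) if d.lower() in allowlist)
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    sections.append("Registry::\n"
                    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"
                    "\n" + '"AppInit_DLLs"="' + keep + '"')
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for kind, items in report.items():
        print(kind, items)
    print(build_cfscript("xaxvof.dll,avgrsstx.dll wlefsd.dll",
                         files=[r"c:\windows\system32\qvfctchklackhx.exe"],
                         folders=[r"c:\windows\system32\nb3"]))
```

Run it as-is to see the findings on the sample and the generated script. The Registry:: section keeps avgrsstx.dll instead of blanking the value, exactly as the script in the post does. The vowel heuristic misses xaxvof.dll, which is why the AppInit check relies on an allow-list and the system32 heuristic is only a hint for which names to look up next.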

Re: Trojan Virus detected. Please help me with its removal

Post by Baumfrucht » November 27th, 2008, 6:36 am

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:53, on 27.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programme\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oodtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\steam\steam.exe
C:\Programme\Skype\Phone\Skype.exe
F:\Programme\DAEMON Tools\daemon.exe
C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
E:\Programme\ICQ6\ICQ.exe
C:\Programme\Curse\CurseClient.exe
C:\Programme\Hamachi\hamachi.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Windows NT\Zubehör\wordpad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar fuer eBay - {000E148C-F7A7-445A-9044-93BF6CE09ECB} - C:\Dokumente und Einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "f:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools] "f:\Programme\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ICQ] "E:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [CurseClient] C:\Programme\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Programme\Hamachi\hamachi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - i:\Programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 8078 bytes

ComboFix Log


ComboFix 08-11-26.05 - funk 2008-11-27 11:32:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1393 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\funk\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\funk\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
c:\windows\system32\ajhkarcmgomisz.dll-uninst.exe
c:\windows\system32\ocdejgkmuvuxlfbs.exe
c:\windows\system32\qvfctchklackhx.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\.certs
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\.keystore
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\.lock
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\0C4F7F44D4B169CA6EE37F19708E3618AD948F5E.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\0C4F7F44D4B169CA6EE37F19708E3618AD948F5E.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\1D9F8B63500B23DCF236F227501919CA1B139CF9.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\1D9F8B63500B23DCF236F227501919CA1B139CF9.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\2CB08889A414CAAD17BAF5128F7F7F0AAF69DB26.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\2CB08889A414CAAD17BAF5128F7F7F0AAF69DB26.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\31A3641B1A9A644C30AF5A4D1208C7640A97311C.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\31A3641B1A9A644C30AF5A4D1208C7640A97311C.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\3792AB0222A638342842E6891533A74E8E4D8188.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\3792AB0222A638342842E6891533A74E8E4D8188.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile0.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile1.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile10.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile2.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile3.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile4.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile5.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile6.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile7.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile8.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\407A2DFA3940CC1C174CA655A475BBD233F7EFFD\fmfile9.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\4891C6F2813CBF7F342CCEA712986CEBEA7A3823.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\4891C6F2813CBF7F342CCEA712986CEBEA7A3823.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\4943776798B221000EF720006F6EB9BDC00D9F95.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\4943776798B221000EF720006F6EB9BDC00D9F95.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\65203C3F3DF9B7F729CE062FFC3620B57D086B89.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\65203C3F3DF9B7F729CE062FFC3620B57D086B89.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\6F57998CE654C028BE965673E53E4242E47E22A5.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\6F57998CE654C028BE965673E53E4242E47E22A5.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\7CCDD03D2B5DA717B0C7675B18C2CDEB416116B1.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\7CCDD03D2B5DA717B0C7675B18C2CDEB416116B1.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\7DB9DCC876003F849480A123BC0E646C554C40B6.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\7DB9DCC876003F849480A123BC0E646C554C40B6.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\88652D30F3C75F56743F91F7472A293DD372ED46.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\88652D30F3C75F56743F91F7472A293DD372ED46.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\93B80F5D69DF2F1E29264CC32340EE64118671C8.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\93B80F5D69DF2F1E29264CC32340EE64118671C8.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\9516E0C80FFB0BD5B3BCD42551528BF9B208F2FD.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\9516E0C80FFB0BD5B3BCD42551528BF9B208F2FD.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\9CCF3CFCE55375539423593ACF2E3DBEF4B5D478.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\9CCF3CFCE55375539423593ACF2E3DBEF4B5D478.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\A40FAB71F5F8EDD79A5B3342E1BEA59A44F8E2F4.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\A40FAB71F5F8EDD79A5B3342E1BEA59A44F8E2F4.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\A4A7CC11A078DC707A4239F9B993D19E94A5C484.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\A4A7CC11A078DC707A4239F9B993D19E94A5C484.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\C004D81F466380061021118BB0B8D874E3AC7080.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\C004D81F466380061021118BB0B8D874E3AC7080.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\cache.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\CDD6D31B82E2EAA037B24948EC1A2F24CCD31D9E.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\CDD6D31B82E2EAA037B24948EC1A2F24CCD31D9E.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\D9497F5128B2ED96DE4CDFDDE05A67B595CE44A3.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\D9497F5128B2ED96DE4CDFDDE05A67B595CE44A3.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\E43F98CE6AC439235C9DEEB73835DEABCBA5EA9F.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\E43F98CE6AC439235C9DEEB73835DEABCBA5EA9F.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\F05C7EE6E6CF1254AE5A6CD08B2989C4D231FA67.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\active\F05C7EE6E6CF1254AE5A6CD08B2989C4D231FA67.dat.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\azureus.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\azureus.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\azureus.statistics
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\azureus.statistics.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\banips.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\banips.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\dht\addresses.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\dht\contacts.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\dht\diverse.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\dht\general.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\dht\version.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\downloads.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\downloads.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\filters.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\friends.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\friends.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\ipfilter.cache
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\net\pm_3209.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\net\pm_8881.dat
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties_0.1.3
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tables.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tables.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48690.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48691.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48692.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48693.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48694.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48695.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48696.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48698.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tmp\AZU48699.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\torrents\AZU23858.tmp
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tracker.config
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\tracker.config.bak
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\update.log
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\update.properties
c:\dokumente und einstellungen\funk\Anwendungsdaten\Azureus\upnp_trace1.log
c:\dokumente und einstellungen\funk\Anwendungsdaten\NI.GSCNS
c:\dokumente und einstellungen\funk\Anwendungsdaten\NI.GSCNS\dl.ini
c:\dokumente und einstellungen\funk\Anwendungsdaten\NI.GSCNS\settings.ini
c:\programme\SoulseekNS
c:\programme\SoulseekNS\slsk.exe
c:\windows\system32\ajhkarcmgomisz.dll-uninst.exe
c:\windows\system32\it2
c:\windows\system32\nb3
c:\windows\system32\ocdejgkmuvuxlfbs.exe
c:\windows\system32\qvfctchklackhx.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-10-27 bis 2008-11-27 ))))))))))))))))))))))))))))))
.

2008-11-24 00:07 . 2008-11-24 00:07 <DIR> d-------- c:\windows\system32\xircom
2008-11-24 00:07 . 2008-11-24 00:07 <DIR> d-------- c:\programme\microsoft frontpage
2008-11-23 14:28 . 2008-11-23 14:28 <DIR> d-------- c:\programme\Trend Micro
2008-11-23 14:20 . 2008-11-23 14:20 <DIR> d-------- c:\programme\SpywareBlaster
2008-11-20 23:18 . 2008-11-20 23:18 <DIR> d-------- c:\programme\Gemeinsame Dateien\Native Instruments
2008-11-20 23:17 . 2003-07-06 08:10 17,408 --------- c:\windows\system32\minimp3.exe
2008-11-19 00:31 . 2008-11-23 23:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-19 00:28 . 2008-11-27 01:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-19 00:28 . 2008-11-19 00:28 <DIR> d-------- c:\programme\AVG
2008-11-19 00:28 . 2008-11-19 00:28 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\avg8
2008-11-19 00:28 . 2008-11-19 00:28 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-19 00:28 . 2008-11-19 00:28 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-19 00:28 . 2008-11-19 00:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-18 11:54 . 2008-11-18 12:19 <DIR> d-------- c:\windows\system32\BX
2008-11-07 19:04 . 2008-11-07 19:04 <DIR> d-------- c:\programme\Gemeinsame Dateien\DVDVideoSoft
2008-11-07 19:04 . 2008-11-07 19:04 <DIR> d-------- c:\programme\DVDVideoSoft
2008-11-07 19:04 . 2008-11-07 19:06 <DIR> d-------- C:\DVDVideoSoft
2008-11-04 00:16 . 2008-11-04 00:16 275 --a------ C:\Verknüpfung (2) mit Lokaler Datenträger (D).lnk
2008-11-01 20:14 . 2008-11-01 20:14 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 10:28 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Skype
2008-11-27 10:26 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Hamachi
2008-11-27 10:17 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-11-26 18:46 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\teamspeak2
2008-11-26 07:43 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\OpenOffice.org2
2008-11-24 12:59 --------- d---a-w c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2008-11-18 16:48 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-11-18 16:45 --------- d-----w c:\programme\Lavasoft
2008-11-18 16:45 --------- d-----w c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-11-01 19:52 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Bioshock
2008-10-27 12:20 74,399 ----a-w C:\report.zip
2008-10-24 19:05 --------- d-----w c:\programme\Hotspot Shield
2008-10-22 10:26 --------- d--h--w c:\programme\InstallShield Installation Information
2008-10-22 10:26 --------- d-----w c:\programme\ElsterFormular
2008-10-19 16:13 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars
2008-10-19 16:13 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Desktopicon
2008-10-15 12:59 --------- d-----w c:\programme\Gemeinsame Dateien\Blizzard Entertainment
2008-10-15 12:53 --------- d-----w c:\programme\Curse
2008-10-15 12:50 --------- d-----w c:\dokumente und einstellungen\funk\Anwendungsdaten\Acreon
2008-10-15 12:30 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Blizzard
2008-10-08 23:56 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\nView_Profiles
2008-09-26 21:35 2,002 ----a-w C:\c&c.reg
2007-09-16 14:05 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-09-16 14:05 32,768 -csha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
2007-09-16 14:05 32,768 -csha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007091620070917\index.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{000E148C-F7A7-445A-9044-93BF6CE09ECB}"= "c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll" [2008-08-14 2484224]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{000E148C-F7A7-445A-9044-93BF6CE09ECB}"= "c:\dokumente und einstellungen\funk\Anwendungsdaten\Toolbars\Toolbar fuer eBay\ebay.dll" [2008-08-14 2484224]

[HKEY_CLASSES_ROOT\clsid\{000e148c-f7a7-445a-9044-93bf6ce09ecb}]
[HKEY_CLASSES_ROOT\TBSB03968.TBSB03968.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB03968.TBSB03968]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="f:\steam\steam.exe" [2008-10-09 1410296]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"DAEMON Tools"="f:\programme\DAEMON Tools\daemon.exe" [2007-12-06 167368]
"Google Update"="c:\dokumente und einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"ICQ"="e:\programme\ICQ6\ICQ.exe" [2008-09-01 173304]
"CurseClient"="c:\programme\Curse\CurseClient.exe" [2008-10-10 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="f:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"SoundMan"="SOUNDMAN.EXE" [2005-07-08 c:\windows\SOUNDMAN.EXE]
"C-Media Mixer"="Mixer.exe" [2002-07-13 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2004-08-04 c:\windows\system32\advpack.dll]

c:\dokumente und einstellungen\funk\Startmen\Programme\Autostart\
Adobe Gamma.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
hamachi.lnk - c:\programme\Hamachi\hamachi.exe [2008-07-21 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= usbkt1x1.dll
"midi2"= usbkt1x1.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^funk^Startmenü^Programme^Autostart^OpenOffice.org 2.4.lnk]
path=c:\dokumente und einstellungen\funk\Startmenü\Programme\Autostart\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-09-01 16:08 173304 e:\programme\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 f:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-05-08 15:53 3640368 i:\programme\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-04 04:59 36352 f:\programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Programme\\ICQ6\\ICQ.exe"=
"f:\\Steam\\steamapps\\superzahnstein\\team fortress 2\\hl2.exe"=
"f:\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Steam\\steamapps\\salatbaum\\team fortress 2\\hl2.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"i:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"i:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"i:\\Unreal Tournament III\\Binaries\\UT3.exe"=
"c:\\Programme\\Curse\\CurseClient.exe"=
"c:\\Programme\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programme\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-19 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-19 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-19 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-19 76040]
R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2004-07-30 217472]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2004-07-30 86648]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;i:\programme\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-09-23 98488]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);c:\windows\system32\DRIVERS\se59bus.sys [2006-09-05 61536]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-07-23 13504]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2004-07-30 17277]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2008-07-23 22304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\programme\PixiePack Codec Pack\InstallerHelper.exe
.
Inhalt des "geplante Tasks" Ordners

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\dokumente und einstellungen\funk\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2008-09-03 00:41]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 11:33:37
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\avgrsstx.dll
.
Zeit der Fertigstellung: 2008-11-27 11:34:05
ComboFix-quarantined-files.txt 2008-11-27 10:33:50
ComboFix2.txt 2008-11-26 18:21:41

Vor Suchlauf: 5.648.932.864 Bytes frei
Nach Suchlauf: 5,640,708,096 Bytes frei

Baumfrucht
Active Member
 
Posts: 12
Joined: November 23rd, 2008, 9:36 am
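Helpers in threads like this one read HijackThis logs by hand, starting with the autostart (O4), Winsock LSP (O10), AppInit_DLLs (O20) and service (O23) entries, because those are the places where something that survives a reboot will show up. As an added example (not part of this thread, of HijackThis, or of ComboFix), the following Python script parses lines in the HijackThis v2 log format shown above and marks the entries a reviewer would examine first. The sample lines are constructed for the example and modelled on entries from the log in this thread; the flagging rules are the example's own heuristics, and a flagged line is a reading priority, not a verdict (the AppInit_DLLs entry in this log, avgrsstx.dll, is listed in the ComboFix file report next to the AVG driver files created on the same day).

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in HijackThis v2 log format, modelled on
# entries seen in this thread (not a copy of the posted log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programme\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKCU\\..\\Run: [Steam] "f:\\steam\\steam.exe" -silent
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\\Programme\\ICQLite\\ICQLite.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HijackThis entry line.

    Header lines ("Logfile of ...", "Running processes:") do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Return (section, body, reasons) for entries a reviewer should read first.

    These rules are the example's own heuristics: they rank lines for attention,
    they do not decide whether a line is malicious.
    """
    flagged = []
    for section, body in entries:
        reasons = []
        if "(file missing)" in body:
            # Orphaned hook: harmless on its own, but it often marks an
            # incomplete uninstall or a removed payload whose key remains.
            reasons.append("references a file that no longer exists (orphan)")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service carries no publisher information")
        if section == "O10":
            reasons.append("Winsock LSP entry: DLL loaded into the network stack")
        if section == "O20":
            reasons.append("AppInit_DLLs: DLL injected into every user-mode process that loads user32")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


def count_by_section(entries):
    """Count entries per section tag, e.g. {'O4': 2, 'O23': 2, ...}."""
    counts = defaultdict(int)
    for section, _ in entries:
        counts[section] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", count_by_section(parsed))
    for section, body, reasons in flag_entries(parsed):
        print(f"[{section}] {body}")
        for r in reasons:
            print("    ->", r)
```

Run against a saved log with `parse_hjt(open("hijackthis.log").read())`; the section counts give a quick size check before reading, and the flagged list is the order in which a volunteer would look the entries up.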

Re: Trojan Virus detected. Please help me with its removal

Unread postby Shaba » November 27th, 2008, 6:47 am

Looks like there was an error in CFScript.

Delete this:

c:\windows\system32\BX

Let me know if you can't find it.

After that:

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Trojan Virus detected. Please help me with its removal

Unread postby Baumfrucht » November 27th, 2008, 7:24 am

Hi,

first of all a BIG thanks for your time and help so far. I just started the online scan, but it is really slow. It's already been running for 18 min, but only 2% has been scanned. Is that normal, or should I abort the scan and start it again?
Baumfrucht
Active Member
 
Posts: 12
Joined: November 23rd, 2008, 9:36 am