Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

virtumonde

Started by rko819, Jan 11 2009 02:04 AM

This topic is locked
Go to first unread post

11 replies to this topic

#1
rko819

Posted 11 January 2009 - 02:04 AM

New Member

Members
5 posts

I got a Fricking annoying Virtomonde when i'm in internet he opens 1000 of tabs and sends me ad and so on i cant delete it it comes back everytime i need help my installed programs are:
CCleaner
Avira newest
Ad-Aware
Spybot Search&Destroy
RegCure

This is my hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:54:38, on 11.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\DAEMON Tools Lite\YASU.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\hh.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f21349da-4cf4-4b86-a85a-f48c9a9375dc} - C:\WINDOWS\system32\kovibele.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Base road long save] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\File dvd base road\Acid bin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CPMf7214f91] Rundll32.exe "C:\WINDOWS\system32\mabigeku.dll",a
O4 - HKLM\..\Run: [sonukijale] Rundll32.exe "C:\WINDOWS\system32\tedepodu.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA993] command.com /c del "c:\windows\system32\mabigeku.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4970] cmd.exe /c del "c:\windows\system32\mabigeku.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA754] command.com /c del "C:\WINDOWS\system32\tedepodu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3612] cmd.exe /c del "C:\WINDOWS\system32\tedepodu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1959] command.com /c del "C:\WINDOWS\system32\dinivosa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC75] cmd.exe /c del "C:\WINDOWS\system32\dinivosa.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB6881] command.com /c del "c:\windows\system32\mabigeku.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6551] cmd.exe /c del "c:\windows\system32\mabigeku.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3162] command.com /c del "C:\WINDOWS\system32\tedepodu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD192] cmd.exe /c del "C:\WINDOWS\system32\tedepodu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3703] command.com /c del "C:\WINDOWS\system32\dinivosa.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4735] cmd.exe /c del "C:\WINDOWS\system32\dinivosa.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [sonukijale] Rundll32.exe "C:\WINDOWS\system32\tedepodu.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224939906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224933171
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dllc:\windows\system32\fikuyelu.dll c:\windows\system32\ c:\windows\system32\vivodiha.dll C:\WINDOWS\system32\yepizidu.dll c:\windows\system32\ c:\windows\system32\mabigeku.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mabigeku.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mabigeku.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11298 bytes

anyone please help me

#2
AdvancedSetup

Posted 11 January 2009 - 07:40 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

Update and Scan with Malwarebytes' Anti-Malware

Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.

#3
rko819

Posted 11 January 2009 - 03:11 PM

New Member

Members
5 posts

k i did this
malwarebyte log:
Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1643
Windows 5.1.2600 Service Pack 2

11.01.2009 16:04:19
mbam-log-2009-01-11 (16-04-14).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 51866
Laufzeit: 5 minute(s), 1 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 4
Infizierte Registrierungsschl�ssel: 7
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 5
Infizierte Verzeichnisse: 0
Infizierte Dateien: 18

Infizierte Speicherprozesse:
(Keine b�sartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\yepizidu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dukeyiwa.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\sehuwuri.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kovibele.dll (Trojan.Vundo.H) -> No action taken.

Infizierte Registrierungsschl�ssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f21349da-4cf4-4b86-a85a-f48c9a9375dc} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f21349da-4cf4-4b86-a85a-f48c9a9375dc} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f21349da-4cf4-4b86-a85a-f48c9a9375dc} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4127c0d (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sonukijale (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf7214f91 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yepizidu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yepizidu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yepizidu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sehuwuri.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sehuwuri.dll -> No action taken.

Infizierte Verzeichnisse:
(Keine b�sartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\dukeyiwa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\awiyekud.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mejiyuwo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\owuyijem.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\sehuwuri.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kovibele.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yepizidu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gipunowe.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pulamiwa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kiratero.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kogonubo.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lamojido.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\zuvusibo.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lesetate.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vozafiwu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tomiyegi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wuwasomo.dll (Trojan.Vundo) -> No action taken.

hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:09:29, on 11.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Programme\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Base road long save] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\File dvd base road\Acid bin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [sonukijale] Rundll32.exe "C:\WINDOWS\system32\tedepodu.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224939906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224933171
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dllc:\windows\system32\fikuyelu.dll c:\windows\system32\ c:\windows\system32\vivodiha.dll c:\windows\system32\ c:\windows\system32\mabigeku.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9413 bytes

#4
AdvancedSetup

Posted 12 January 2009 - 06:10 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

Okay please update MBAM and run one more quick scan and new HJT log

#5
rko819

Posted 12 January 2009 - 09:57 AM

New Member

Members
5 posts

k i did Malwarebytes didnt found anything infected does it mean its gone??

Malwarebytes:
Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1645
Windows 5.1.2600 Service Pack 2

12.01.2009 10:54:12
mbam-log-2009-01-12 (10-54-12).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 51514
Laufzeit: 4 minute(s), 45 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschl�ssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine b�sartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine b�sartigen Objekte gefunden)

Infizierte Registrierungsschl�ssel:
(Keine b�sartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine b�sartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine b�sartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine b�sartigen Objekte gefunden)

Infizierte Dateien:
(Keine b�sartigen Objekte gefunden)

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:13, on 12.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Base road long save] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\File dvd base road\Acid bin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [sonukijale] Rundll32.exe "C:\WINDOWS\system32\tedepodu.dll",s (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224939906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224933171
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dllc:\windows\system32\fikuyelu.dll c:\windows\system32\ c:\windows\system32\vivodiha.dll c:\windows\system32\ c:\windows\system32\mabigeku.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9458 bytes

#6
AdvancedSetup

Posted 12 January 2009 - 10:16 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

Close ALL open browsers and chat programs
Then start HJT and run Do a system scan only and place a check mark on the following items.

O4 - HKUS\S-1-5-19\..\Run: [sonukijale] Rundll32.exe "C:\WINDOWS\system32\tedepodu.dll",s (User 'LOKALER DIENST')

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dllc:\windows\system32\fikuyelu.dll c:\windows\system32\ c:\windows\system32\vivodiha.dll c:\windows\system32\ c:\windows\system32\mabigeku.dll
Then click on Fix checked and then quit HJT

Please download the following scanning tool. GMER
[indent]

Open the zip file and copy the file gmer.exe to your Desktop.
Double click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
DO NOT Click on the SCAN button.
This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
Click OK and quit the GMER program.

[/indent]

#7
rko819

Posted 12 January 2009 - 11:00 AM

New Member

Members
5 posts

Hijackthis cant fix O10

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-12 11:59:42
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spbe.sys ZwEnumerateKey [0xF72A5CA2]
SSDT spbe.sys ZwEnumerateValueKey [0xF72A6030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 865DB1F8

---- EOF - GMER 1.0.14 ----
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-12 11:59:42
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spbe.sys ZwEnumerateKey [0xF72A5CA2]
SSDT spbe.sys ZwEnumerateValueKey [0xF72A6030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 865DB1F8

---- EOF - GMER 1.0.14 ----

#8
AdvancedSetup

Posted 13 January 2009 - 10:36 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

[indent]You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member rko819 only. If you are a lurker, do NOT try this on your system!
If you are not rko819 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Posted Image

Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

STEP01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

STEP02

CCleaner

CCleaner
Double-click on the downloaded file "ccsetup215.exe" and install the application.
Keep the default installation folder "C:\Program Files\CCleaner"
Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
Click finish when done and close ALL PROGRAMS
Start the CCleaner program.
Click on Registry and Uncheck Registry Integrity so that it does not run
Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
Click on Run Cleaner button on the bottom right side of the program.
Click OK to any prompts

STEP03
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8:
To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option Resident Shield active
save the changes.

STEP04
Please download and run the following file to repair file and registry permissions
fixacl.exe

STEP05

Download FixPolicies.exe by Bill Castner and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
Reboot your computer after it runs
This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP07
Posted Image

If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on Combo-Fix.exe & follow the prompts.
If and only if you are prompted to download a new version of Combofix, reply NO .
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

STEP09
Download DDS and save it to your desktop from one of these 3 locations
1 http://www.techsupportforum.com/sectools/sUBs/dds
2 http://download.bleepingcomputer.com/sUBs/dds.scr
3 http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Save both reports to your desktop.

Please include the following logs in your next reply:
DDS.txt
Attach.txt

Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis

RE-Enable your AntiVirus and AntiSpyware applications.[/indent]

#9
AdvancedSetup

Posted 15 January 2009 - 08:25 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

Please post a status update on this.

#10
rko819

Posted 15 January 2009 - 12:21 PM

New Member

Members
5 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:56, on 15.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Base road long save] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\File dvd base road\Acid bin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224939906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1230224933171
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8482 bytes

DDS (Ver_09-01-07.01) - NTFSx86
Run by dudu at 13:14:07,95 on 15.01.2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.1023.558 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\dudu\Desktop\autorefresh\ehtrhtb\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.de/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programme\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programme\gemeinsame dateien\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\programme\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\programme\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\googletoolbar1.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\programme\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EVEREST AutoStart] d:\programme\everest ultimate engineer edition v.4.00.1053 beta\everest.exe
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\programme\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Base road long save] c:\dokumente und einstellungen\all users\anwendungsdaten\file dvd base road\Acid bin.exe
mRun: [avgnt] "c:\programme\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\programme\windows live\messenger\msnmsgr.exe" /background
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [IE7] rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Windows Live Search - c:\programme\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\dudu\anwend~1\mozilla\firefox\profiles\n6e2rh98.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\programme\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir personaledition classic\avgio.sys [2009-1-5 11840]
R3 avgntflt;avgntflt;c:\programme\avira\antivir personaledition classic\avgntflt.sys [2009-1-5 52032]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\programme\everest ultimate engineer edition v.4.00.1053 beta\kerneld.wnt [2007-8-28 20856]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-1-8 25216]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer;c:\programme\avira\antivir personaledition classic\sched.exe [2009-1-5 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\programme\avira\antivir personaledition classic\avguard.exe [2009-1-5 151297]
R4 CGVPNCliSrvc;CyberGhost VPN Client;c:\programme\s.a.d\cyberghost vpn\CGVPNCliService.exe [2009-1-8 1940992]
S3 gAGP440p;gAGP440p;\??\c:\dokume~1\dudu\lokale~1\temp\gagp440p.sys --> c:\dokume~1\dudu\lokale~1\temp\gAGP440p.sys [?]

=============== Created Last 30 ================

2009-01-15 13:00 <DIR> --d----- c:\windows\system32\xircom
2009-01-15 12:57 <DIR> a-dshr-- C:\cmdcons
2009-01-15 12:56 161,792 a------- c:\windows\SWREG.exe
2009-01-15 12:56 98,816 a------- c:\windows\sed.exe
2009-01-12 11:58 250 a------- c:\windows\gmer.ini
2009-01-11 15:57 <DIR> --d----- c:\dokume~1\dudu\anwend~1\Malwarebytes
2009-01-11 15:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-11 15:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 15:57 <DIR> --d----- c:\programme\Malwarebytes' Anti-Malware
2009-01-11 15:57 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2009-01-11 02:54 <DIR> --d----- c:\programme\Trend Micro
2009-01-10 02:01 <DIR> --d----- c:\dokume~1\dudu\anwend~1\TeamViewer
2009-01-10 02:01 <DIR> --d----- c:\dokumente und einstellungen\dudu\temp
2009-01-10 01:10 <DIR> --d----- c:\windows\Downloaded Installations
2009-01-10 01:04 <DIR> --d----- c:\windows\Lhsp
2009-01-09 18:02 78,498 a------- c:\windows\War3Unin.dat
2009-01-09 18:02 139,264 a------- c:\windows\War3Unin.exe
2009-01-09 18:02 2,829 a------- c:\windows\War3Unin.pif
2009-01-08 23:22 5,627,904 a------- c:\windows\system32\RLVirDev.ocx
2009-01-08 23:22 73,728 a------- c:\windows\system32\ISUSPM.cpl
2009-01-08 23:22 <DIR> --d----- c:\programme\Reallusion
2009-01-08 23:13 268 a---h--- C:\sqmdata05.sqm
2009-01-08 23:13 244 a---h--- C:\sqmnoopt05.sqm
2009-01-08 22:47 <DIR> --d----- c:\windows\pss
2009-01-08 21:16 306,688 a------- c:\windows\IsUninst.exe
2009-01-08 21:14 328,704 a------- c:\windows\IsUn0407.exe
2009-01-08 20:39 <DIR> --d-h--- c:\windows\PIF
2009-01-08 20:29 326 a------- c:\windows\wininit.ini
2009-01-08 19:53 <DIR> --d----- c:\programme\Spybot - Search & Destroy
2009-01-08 19:53 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Spybot - Search & Destroy
2009-01-08 16:28 25,216 a------- c:\windows\system32\drivers\tap0901.sys
2009-01-08 16:28 <DIR> --d----- c:\programme\S.A.D
2009-01-08 00:47 244 a---h--- C:\sqmnoopt03.sqm
2009-01-08 00:47 232 a---h--- C:\sqmdata03.sqm
2009-01-08 00:47 172 a---h--- C:\sqmnoopt04.sqm
2009-01-08 00:47 172 a---h--- C:\sqmdata04.sqm
2009-01-07 16:04 244 a---h--- C:\sqmnoopt02.sqm
2009-01-07 16:04 232 a---h--- C:\sqmdata02.sqm
2009-01-07 11:28 244 a---h--- C:\sqmnoopt01.sqm
2009-01-07 11:28 232 a---h--- C:\sqmdata01.sqm
2009-01-05 23:54 <DIR> --d----- c:\programme\Microsoft SQL Server
2009-01-05 23:53 <DIR> --d----- c:\programme\Microsoft Synchronization Services
2009-01-05 23:53 <DIR> --d----- c:\programme\Microsoft SQL Server Compact Edition
2009-01-05 21:25 <DIR> --d----- c:\programme\Avira
2009-01-05 21:25 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Avira
2009-01-05 20:25 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-05 19:12 <DIR> --d----- c:\programme\VST-Plug-Ins
2009-01-05 19:06 <DIR> --d----- c:\programme\Sony
2009-01-05 18:59 <DIR> --d----- c:\programme\Sony Setup
2009-01-05 13:08 196 a--sh--- c:\windows\klif.spi
2009-01-04 14:12 27 a------- c:\windows\dksav1.ini
2009-01-04 14:10 18 a------- c:\windows\cnc.ini
2009-01-04 14:10 172,544 a------- c:\windows\system32\cncs32.dll
2009-01-04 12:42 <DIR> --d----- c:\programme\DivX
2009-01-04 12:15 2,923 ---sh--- c:\windows\system32\nobajanu.dll
2009-01-04 12:15 2,922 ---sh--- c:\windows\system32\vonibusa.dll
2009-01-04 12:15 2,921 ---sh--- c:\windows\system32\ronigofu.dll
2009-01-02 23:01 <DIR> --d----- c:\dokume~1\dudu\anwend~1\Digital Joy
2009-01-02 22:19 2,924 ---sh--- c:\windows\system32\kiyubipo.dll
2009-01-02 22:19 2,922 ---sh--- c:\windows\system32\foyamugu.dll
2009-01-02 22:19 2,921 ---sh--- c:\windows\system32\lomitete.dll
2009-01-02 22:05 168,448 a------- c:\windows\system32\unrar.dll
2009-01-02 22:05 839,680 a------- c:\windows\system32\lameACM.acm
2009-01-02 22:05 118,784 a------- c:\windows\system32\ac3acm.acm
2009-01-02 22:05 414 a------- c:\windows\system32\lame_acm.xml
2009-01-02 22:05 795,648 a------- c:\windows\system32\xvidcore.dll
2009-01-02 22:05 130,048 a------- c:\windows\system32\xvidvfw.dll
2009-01-02 22:05 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-01-02 22:05 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-01-02 22:05 <DIR> --d----- c:\programme\K-Lite Codec Pack
2009-01-02 21:00 <DIR> --d----- c:\programme\CCleaner
2009-01-02 18:52 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-01-02 18:52 8,192 a------- c:\windows\system32\kbdkor.dll
2009-01-02 18:52 6,144 a------- c:\windows\system32\kbd106.dll
2009-01-02 18:52 6,144 a------- c:\windows\system32\kbd101c.dll
2009-01-02 18:52 6,144 a------- c:\windows\system32\kbd101b.dll
2009-01-02 18:52 5,632 a------- c:\windows\system32\kbd103.dll
2009-01-02 17:00 <DIR> --d----- c:\programme\WinPcap
2009-01-02 15:40 <DIR> --d----- c:\programme\MessengerDiscovery
2009-01-01 15:53 2,924 ---sh--- c:\windows\system32\memovovo.dll
2009-01-01 15:53 2,924 ---sh--- c:\windows\system32\mebarepo.dll
2009-01-01 03:53 2,921 ---sh--- c:\windows\system32\yerofata.dll
2008-12-31 14:40 261,480 a------- c:\windows\system32\xactengine2_7.dll
2008-12-31 14:40 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2008-12-31 14:40 443,752 a------- c:\windows\system32\d3dx10_33.dll
2008-12-31 14:40 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2008-12-31 02:22 2,924 ---sh--- c:\windows\system32\kubemibo.dll
2008-12-30 14:22 2,923 ---sh--- c:\windows\system32\ninobuku.dll
2008-12-29 23:47 <DIR> --d----- c:\programme\Postal2
2008-12-29 19:21 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Kaspersky Lab Setup Files
2008-12-28 01:46 <DIR> --d----- c:\programme\Alcohol Soft
2008-12-28 01:35 <DIR> --d----- c:\programme\Lavasoft
2008-12-28 01:35 <DIR> --d----- c:\programme\gemeinsame dateien\Wise Installation Wizard
2008-12-28 01:32 <DIR> --d----- c:\programme\DAEMON Tools Lite
2008-12-28 01:15 <DIR> --d----- c:\dokume~1\dudu\anwend~1\DAEMON Tools Pro
2008-12-28 01:14 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\DAEMON Tools Lite
2008-12-28 01:14 <DIR> --d----- c:\programme\DAEMON Tools Toolbar
2008-12-28 01:10 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-28 01:10 <DIR> --d----- c:\dokume~1\dudu\anwend~1\DAEMON Tools Lite
2008-12-28 01:03 <DIR> --d----- c:\programme\Yahoo!
2008-12-27 23:54 <DIR> --d----- c:\programme\PeerGuardian2
2008-12-27 23:31 <DIR> --d----- c:\programme\utorrent
2008-12-27 23:31 <DIR> --d----- c:\dokume~1\dudu\anwend~1\uTorrent
2008-12-27 20:18 34,064 a------- c:\windows\system32\lhacm.acm
2008-12-27 20:18 <DIR> --d----- c:\programme\Teamspeak2_RC2
2008-12-27 00:12 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 22:22 102,400 a------- c:\windows\system32\tsccvid.dll
2008-12-26 13:53 <DIR> --d----- c:\dokume~1\dudu\anwend~1\Black Sea Studios
2008-12-26 03:09 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\Messenger Plus!
2008-12-26 03:03 <DIR> --d----- c:\programme\MSXML 6.0
2008-12-26 03:01 <DIR> --d----- c:\programme\MSXML 4.0
2008-12-26 02:51 <DIR> --d----- c:\dokume~1\alluse~1\anwend~1\File dvd base road
2008-12-26 02:50 <DIR> --d----- c:\dokume~1\dudu\anwend~1\Ball keep cash
2008-12-26 02:50 <DIR> --d----- c:\programme\Messenger Plus! Live
2008-12-25 22:51 <DIR> --d----- c:\windows\system32\CatRoot_bak
2008-12-25 22:48 214,528 -------- c:\windows\system32\dllcache\dxtrans.dll
2008-12-25 22:48 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-12-25 22:48 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2008-12-25 22:48 347,136 -------- c:\windows\system32\dllcache\dxtmsft.dll
2008-12-25 22:47 273,024 -------- c:\windows\system32\drivers\bthport.sys
2008-12-25 22:47 273,024 -------- c:\windows\system32\dllcache\bthport.sys
2008-12-25 22:47 74,240 -------- c:\windows\system32\dllcache\mscms.dll
2008-12-25 22:43 253,952 -------- c:\windows\system32\dllcache\es.dll
2008-12-25 22:43 1,293,824 -------- c:\windows\system32\dllcache\quartz.dll
2008-12-25 22:42 765,952 -------- c:\windows\system32\dllcache\vgx.dll
2008-12-25 22:42 284,160 -------- c:\windows\system32\dllcache\gdi32.dll
2008-12-25 22:41 138,368 -------- c:\windows\system32\dllcache\afd.sys
2008-12-25 22:40 546,304 -------- c:\windows\system32\dllcache\hhctrl.ocx
2008-12-25 22:35 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-12-25 22:27 1,847,040 -------- c:\windows\system32\dllcache\win32k.sys
2008-12-25 22:26 2,182,656 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-25 22:26 2,138,624 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-25 22:26 2,060,032 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-25 22:26 2,018,304 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-25 22:23 203,008 -------- c:\windows\system32\dllcache\rmcast.sys
2008-12-25 22:22 455,936 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-25 22:22 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2008-12-25 22:22 683,520 -------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-25 22:21 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-12-25 22:20 339,456 -------- c:\windows\system32\dllcache\netapi32.dll
2008-12-25 22:20 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-12-25 22:12 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-25 22:12 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-25 19:14 <DIR> --d----- c:\programme\AviSynth 2.5
2008-12-25 19:13 227,328 ---shr-- c:\windows\system32\ac3DX.ax
2008-12-25 19:13 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-12-25 19:13 179,200 ---shr-- c:\windows\system32\DiracSplitter.ax
2008-12-25 19:13 175,104 ---shr-- c:\windows\system32\CoreAAC.ax
2008-12-25 19:13 169,472 ---shr-- c:\windows\system32\MatroskaDX.ax
2008-12-25 19:13 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-12-25 19:13 161,792 ---shr-- c:\windows\system32\RealMediaDX.ax
2008-12-25 19:13 123,904 ---shr-- c:\windows\system32\AVCDX.ax
2008-12-25 19:13 81,920 ---shr-- c:\windows\system32\aac_parser.ax
2008-12-25 19:13 54,784 ---shr-- c:\windows\system32\RLAPEDec.ax
2008-12-25 19:13 37,888 ---shr-- c:\windows\system32\RLMPCDec.ax
2008-12-25 19:13 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-12-25 19:13 <DIR> --d----- c:\programme\eRightSoft
2008-12-25 18:35 90,112 a------- c:\windows\unvise32.exe
2008-12-25 18:29 268 a---h--- C:\sqmdata00.sqm
2008-12-25 18:29 244 a---h--- C:\sqmnoopt00.sqm
2008-12-25 18:18 <DIR> --d----- c:\programme\Windows Live Favorites
2008-12-25 18:18 <DIR> --d----- c:\dokumente und einstellungen\dudu\Contacts
2008-12-25 18:18 <DIR> --d----- c:\programme\Windows Live Toolbar
2008-12-25 18:12 <DIR> -cdsh--- c:\programme\gemeinsame dateien\WindowsLiveInstaller
2008-12-25 18:09 31,768 a------- c:\windows\system32\wucltui.dll.mui
2008-12-25 18:09 27,672 a------- c:\windows\system32\wuaucpl.cpl.mui
2008-12-25 18:09 27,672 a------- c:\windows\system32\wuapi.dll.mui
2008-12-25 18:09 18,968 a------- c:\windows\system32\wuaueng.dll.mui
2008-12-25 18:09 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-12-25 18:03 0 a------- c:\windows\ativpsrm.bin
2008-12-25 17:57 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-25 17:57 <DIR> --d----- C:\ATI
2008-12-25 17:27 56 a---h--- c:\windows\system32\ezsidmv.dat
2008-12-25 17:21 <DIR> --d----- c:\programme\Skype
2008-12-25 17:00 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2008-12-25 17:00 61,312 a------- c:\windows\system32\drivers\ohci1394.sys
2008-12-25 17:00 53,376 a------- c:\windows\system32\drivers\1394bus.sys
2008-12-25 16:55 49,152 -----r-- c:\windows\system32\ChCfg.exe
2008-12-25 16:54 <DIR> --d----- c:\programme\Realtek
2008-12-25 16:54 499,712 -----r-- c:\windows\RtlExUpd.dll
2008-12-25 16:07 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-25 16:07 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-12-25 14:59 162,304 a------- c:\windows\system32\everest_cpl.cpl
2008-12-25 14:59 77 a------- c:\windows\system32\everest_cpl.ini
2008-12-24 21:12 1,733 a------- c:\windows\TSearch.INI
2008-12-24 19:52 940,794 a------- c:\windows\system32\LoopyMusic.wav
2008-12-24 19:52 146,650 a------- c:\windows\system32\BuzzingBee.wav
2008-12-24 19:52 <DIR> --d----- c:\windows\system32\Lang
2008-12-24 19:50 1,183,744 -----r-- c:\windows\RtlUpd.exe
2008-12-24 19:50 69,632 -----r-- c:\windows\Alcmtr.exe
2008-12-24 19:50 <DIR> --d----- c:\windows\system32\RTCOM
2008-12-24 19:50 2,808,832 -----r-- c:\windows\alcwzrd.exe
2008-12-24 19:50 299,008 -----r-- c:\windows\system32\ALSndMgr.Cpl
2008-12-24 19:50 9,709,568 -----r-- c:\windows\RTLCPL.exe
2008-12-24 19:50 282,624 -----r-- c:\windows\system32\RTSndMgr.Cpl
2008-12-24 19:50 86,016 -----r-- c:\windows\SoundMan.exe
2008-12-24 19:50 2,879,488 -----r-- c:\windows\SkyTel.exe
2008-12-24 19:50 2,157,568 -----r-- c:\windows\MicCal.exe
2008-12-24 19:50 16,269,312 -----r-- c:\windows\RTHDCPL.exe
2008-12-24 19:50 4,394,496 -----r-- c:\windows\system32\drivers\RtkHDAud.Sys
2008-12-24 19:49 1,191,936 a----r-- c:\windows\RtkUpd.exe
2008-12-24 19:49 494,080 a----r-- c:\windows\system32\RHDMIExt.dll
2008-12-24 19:49 1,840,640 a----r-- c:\windows\system32\RtkHDMI.dll
2008-12-24 19:49 134,888 a----r-- c:\windows\system32\drivers\RtHDMIV.sys
2008-12-24 19:46 356,352 a----r-- c:\windows\system32\nvusmu.exe
2008-12-24 19:46 528 a----r-- c:\windows\system32\nvsmu.nvu
2008-12-24 19:46 12,032 a----r-- c:\windows\system32\drivers\nvsmu.sys
2008-12-24 19:46 356,352 a----r-- c:\windows\system32\nvusmb.exe
2008-12-24 19:46 1,864 a----r-- c:\windows\system32\nvsmb.nvu
2008-12-24 19:46 356,352 a------- c:\windows\system32\NVUNINST.EXE
2008-12-24 19:22 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-12-24 19:22 43,520 a------- c:\windows\system32\drivers\AmdK8.sys
2008-12-24 19:21 4,481 a------- c:\windows\Ascd_tmp.ini
2008-12-24 19:21 10,288 a------- c:\windows\system32\drivers\ASUSHWIO.SYS

==================== Find3M ====================

2009-01-15 13:04 448,470 a------- c:\windows\system32\perfh007.dat
2009-01-15 13:04 79,910 a------- c:\windows\system32\perfc007.dat
2008-12-24 19:51 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-01 23:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 21:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 21:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 21:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 21:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 21:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 21:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 21:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 21:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 21:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 21:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 21:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 21:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 21:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 21:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 21:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 21:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 20:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 20:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 20:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 20:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 20:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 20:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 20:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 20:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 20:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 20:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-11-21 22:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 22:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 22:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 22:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 22:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 22:47 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 22:47 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 22:47 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 22:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 22:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 22:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 22:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-19 14:35 21,740 a------- c:\windows\system32\emptyregdb.dat
2008-10-30 15:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-23 13:51 284,160 a------- c:\windows\system32\gdi32.dll
2008-10-21 19:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-21 18:40 81,920 a------- c:\windows\system32\ATIODE.exe
2008-10-21 18:40 45,056 a------- c:\windows\system32\ATIODCLI.exe
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 13:14:24,09 ===============

ComboFix 09-01-13.04 - dudu 2009-01-15 12:57:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1023.544 [GMT 1:00]
ausgef�hrt von:: c:\dokumente und einstellungen\dudu\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere L�schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\_000127_.tmp.dll
c:\windows\system32\asovinid.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

----- BITS: Eventuell infizierte Webseiten -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((( Dateien erstellt von 2008-12-15 bis 2009-01-15 ))))))))))))))))))))))))))))))
.

2009-01-15 13:00 . 2009-01-15 13:00 <DIR> d-------- c:\windows\system32\xircom
2009-01-15 13:00 . 2009-01-15 13:00 <DIR> d-------- c:\programme\microsoft frontpage
2009-01-12 11:58 . 2009-01-12 11:58 250 --a------ c:\windows\gmer.ini
2009-01-11 15:57 . 2009-01-11 16:04 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2009-01-11 15:57 . 2009-01-11 15:57 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Malwarebytes
2009-01-11 15:57 . 2009-01-11 15:57 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-01-11 15:57 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 15:57 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 02:54 . 2009-01-11 02:54 <DIR> d-------- c:\programme\Trend Micro
2009-01-10 02:01 . 2009-01-10 02:01 <DIR> d-------- c:\dokumente und einstellungen\dudu\temp
2009-01-10 02:01 . 2009-01-10 02:01 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\TeamViewer
2009-01-10 01:10 . 2009-01-10 01:10 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-10 01:04 . 2009-01-10 01:04 <DIR> d-------- c:\windows\Lhsp
2009-01-09 18:02 . 2009-01-10 23:25 139,264 --a------ c:\windows\War3Unin.exe
2009-01-09 18:02 . 2009-01-10 23:28 78,498 --a------ c:\windows\War3Unin.dat
2009-01-09 18:02 . 2009-01-10 23:25 2,829 --a------ c:\windows\War3Unin.pif
2009-01-08 23:22 . 2009-01-08 23:22 <DIR> d-------- c:\programme\Reallusion
2009-01-08 23:22 . 2009-01-08 23:22 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\InstallShield
2009-01-08 23:22 . 2007-05-23 18:28 5,627,904 --a------ c:\windows\system32\RLVirDev.ocx
2009-01-08 23:22 . 2006-05-16 11:58 73,728 --a------ c:\windows\system32\ISUSPM.cpl
2009-01-08 23:13 . 2009-01-08 23:13 268 --ah----- C:\sqmdata05.sqm
2009-01-08 23:13 . 2009-01-08 23:13 244 --ah----- C:\sqmnoopt05.sqm
2009-01-08 21:16 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-08 21:14 . 1998-10-21 18:43 328,704 --a------ c:\windows\IsUn0407.exe
2009-01-08 20:39 . 2009-01-08 20:39 <DIR> d--h----- c:\windows\PIF
2009-01-08 20:29 . 2009-01-11 02:50 326 --a------ c:\windows\wininit.ini
2009-01-08 19:53 . 2009-01-08 19:53 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2009-01-08 19:53 . 2009-01-12 19:59 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-01-08 16:28 . 2009-01-08 16:28 <DIR> d-------- c:\programme\S.A.D
2009-01-08 16:28 . 2008-01-30 01:41 25,216 --a------ c:\windows\system32\drivers\tap0901.sys
2009-01-08 00:47 . 2009-01-08 00:47 244 --ah----- C:\sqmnoopt03.sqm
2009-01-08 00:47 . 2009-01-08 00:47 232 --ah----- C:\sqmdata03.sqm
2009-01-08 00:47 . 2009-01-08 00:47 172 --ah----- C:\sqmnoopt04.sqm
2009-01-08 00:47 . 2009-01-08 00:47 172 --ah----- C:\sqmdata04.sqm
2009-01-07 16:04 . 2009-01-07 16:04 244 --ah----- C:\sqmnoopt02.sqm
2009-01-07 16:04 . 2009-01-07 16:04 232 --ah----- C:\sqmdata02.sqm
2009-01-07 11:28 . 2009-01-07 11:28 244 --ah----- C:\sqmnoopt01.sqm
2009-01-07 11:28 . 2009-01-07 11:28 232 --ah----- C:\sqmdata01.sqm
2009-01-05 23:54 . 2009-01-05 23:54 <DIR> d-------- c:\programme\Microsoft SQL Server
2009-01-05 23:54 . 2009-01-05 23:54 <DIR> d-------- c:\programme\Microsoft Silverlight
2009-01-05 23:53 . 2009-01-05 23:53 <DIR> d-------- c:\programme\Microsoft Synchronization Services
2009-01-05 23:53 . 2009-01-05 23:53 <DIR> d-------- c:\programme\Microsoft SQL Server Compact Edition
2009-01-05 23:49 . 2009-01-05 23:49 <DIR> d-------- c:\programme\Microsoft.NET
2009-01-05 23:49 . 2009-01-05 23:54 <DIR> d-------- c:\programme\Microsoft Visual Studio 9.0
2009-01-05 23:49 . 2009-01-05 23:52 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2009-01-05 23:48 . 2009-01-05 23:48 <DIR> d-------- c:\programme\Microsoft SDKs
2009-01-05 21:25 . 2009-01-05 21:25 <DIR> d-------- c:\programme\Avira
2009-01-05 21:25 . 2009-01-05 21:25 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-05 20:42 . 2009-01-05 20:42 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Sony
2009-01-05 19:12 . 2009-01-05 19:12 <DIR> d-------- c:\programme\VST-Plug-Ins
2009-01-05 19:12 . 2009-01-05 19:12 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Sony
2009-01-05 19:12 . 2009-01-05 19:12 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Publish Providers
2009-01-05 19:12 . 2009-01-07 20:22 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\DivX
2009-01-05 19:12 . 2009-01-05 20:16 <DIR> d-a------ c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-01-05 19:06 . 2009-01-05 20:41 <DIR> d-------- c:\programme\Sony
2009-01-05 18:59 . 2009-01-05 18:59 <DIR> d-------- c:\programme\Sony Setup
2009-01-05 13:08 . 2009-01-05 13:08 196 --ahs---- c:\windows\klif.spi
2009-01-04 14:12 . 2009-01-04 14:21 27 --a------ c:\windows\dksav1.ini
2009-01-04 14:10 . 2009-01-04 14:10 172,544 --a------ c:\windows\system32\cncs32.dll
2009-01-04 14:10 . 2009-01-04 14:10 18 --a------ c:\windows\cnc.ini
2009-01-04 12:42 . 2009-01-04 12:43 <DIR> d-------- c:\programme\DivX
2009-01-04 12:15 . 2009-01-04 12:15 2,923 ---hs---- c:\windows\system32\nobajanu.dll
2009-01-04 12:15 . 2009-01-04 12:15 2,922 ---hs---- c:\windows\system32\vonibusa.dll
2009-01-04 12:15 . 2009-01-04 12:15 2,921 ---hs---- c:\windows\system32\ronigofu.dll
2009-01-02 23:01 . 2009-01-02 23:01 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Digital Joy
2009-01-02 22:19 . 2009-01-02 22:19 2,924 ---hs---- c:\windows\system32\kiyubipo.dll
2009-01-02 22:19 . 2009-01-02 22:19 2,922 ---hs---- c:\windows\system32\foyamugu.dll
2009-01-02 22:19 . 2009-01-02 22:19 2,921 ---hs---- c:\windows\system32\lomitete.dll
2009-01-02 22:05 . 2009-01-02 22:05 <DIR> d-------- c:\programme\K-Lite Codec Pack
2009-01-02 22:05 . 2008-09-24 19:41 839,680 --a------ c:\windows\system32\lameACM.acm
2009-01-02 22:05 . 2008-12-07 19:08 795,648 --a------ c:\windows\system32\xvidcore.dll
2009-01-02 22:05 . 2008-09-16 20:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-01-02 22:05 . 2008-12-07 19:08 130,048 --a------ c:\windows\system32\xvidvfw.dll
2009-01-02 22:05 . 2007-09-21 01:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-01-02 22:05 . 2008-12-08 12:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-01-02 22:05 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-02 22:05 . 2008-10-03 13:30 414 --a------ c:\windows\system32\lame_acm.xml
2009-01-02 21:00 . 2009-01-02 21:00 <DIR> d-------- c:\programme\CCleaner
2009-01-02 18:52 . 2007-03-17 20:00 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-01-02 18:52 . 2007-03-17 20:00 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-01-02 18:52 . 2007-03-17 20:00 6,144 --a------ c:\windows\system32\kbd106.dll
2009-01-02 18:52 . 2007-03-17 20:00 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-01-02 18:52 . 2007-03-17 20:00 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-01-02 18:52 . 2007-03-17 20:00 5,632 --a------ c:\windows\system32\kbd103.dll
2009-01-02 17:00 . 2009-01-02 17:00 <DIR> d-------- c:\programme\WinPcap
2009-01-02 15:40 . 2009-01-02 15:41 <DIR> d-------- c:\programme\MessengerDiscovery
2009-01-01 15:53 . 2009-01-01 15:53 2,924 ---hs---- c:\windows\system32\memovovo.dll
2009-01-01 15:53 . 2009-01-01 15:53 2,924 ---hs---- c:\windows\system32\mebarepo.dll
2009-01-01 03:53 . 2009-01-01 03:53 2,921 ---hs---- c:\windows\system32\yerofata.dll
2008-12-31 14:40 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-31 14:40 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2008-12-31 14:40 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2008-12-31 14:40 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2008-12-31 02:22 . 2008-12-31 02:22 2,924 ---hs---- c:\windows\system32\kubemibo.dll
2008-12-30 14:22 . 2008-12-30 14:22 2,923 ---hs---- c:\windows\system32\ninobuku.dll
2008-12-29 23:47 . 2008-12-29 23:47 <DIR> d-------- c:\programme\Postal2
2008-12-29 19:21 . 2008-12-29 19:21 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2008-12-28 01:46 . 2008-12-28 01:54 <DIR> d-------- c:\programme\Alcohol Soft
2008-12-28 01:35 . 2008-12-28 01:35 <DIR> d-------- c:\programme\Lavasoft
2008-12-28 01:35 . 2009-01-12 18:21 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-28 01:35 . 2009-01-12 18:21 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-12-28 01:32 . 2009-01-10 19:33 <DIR> d-------- c:\programme\DAEMON Tools Lite
2008-12-28 01:15 . 2008-12-28 01:15 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\DAEMON Tools Pro
2008-12-28 01:15 . 2008-12-28 01:15 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\DAEMON Tools
2008-12-28 01:14 . 2008-12-28 01:32 <DIR> d-------- c:\programme\DAEMON Tools Toolbar
2008-12-28 01:14 . 2008-12-28 01:14 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\DAEMON Tools Lite
2008-12-28 01:12 . 2008-12-28 01:12 <DIR> d-------- c:\dokumente und einstellungen\NetworkService\Startmen�
2008-12-28 01:10 . 2008-12-28 01:16 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\DAEMON Tools Lite
2008-12-28 01:10 . 2008-12-28 01:10 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-12-28 01:03 . 2008-12-28 01:03 <DIR> d-------- c:\programme\Yahoo!
2008-12-28 01:03 . 2008-12-28 01:03 <DIR> d-------- c:\programme\FLV Player
2008-12-28 01:03 . 2008-12-28 01:03 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Yahoo!
2008-12-28 01:03 . 2008-12-28 01:04 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo! Companion
2008-12-27 23:54 . 2009-01-08 19:37 <DIR> d-------- c:\programme\PeerGuardian2
2008-12-27 23:31 . 2008-12-27 23:31 <DIR> d-------- c:\programme\utorrent
2008-12-27 23:31 . 2009-01-10 19:12 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\uTorrent
2008-12-27 20:18 . 2008-12-27 20:18 <DIR> d-------- c:\programme\Teamspeak2_RC2
2008-12-27 20:18 . 2009-01-15 12:22 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\teamspeak2
2008-12-27 20:18 . 2008-12-27 20:18 34,064 --a------ c:\windows\system32\lhacm.acm
2008-12-27 17:23 . 2008-12-27 17:27 <DIR> d-------- c:\programme\RegCure
2008-12-27 00:24 . 2008-12-27 00:24 0 --a------ c:\windows\nsreg.dat
2008-12-27 00:13 . 2008-12-27 00:13 <DIR> d-------- c:\windows\Sun
2008-12-27 00:12 . 2008-12-27 00:12 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 22:22 . 2005-06-15 03:00 102,400 --a------ c:\windows\system32\tsccvid.dll
2008-12-26 13:53 . 2008-12-26 13:53 <DIR> d-------- c:\dokumente und einstellungen\dudu\Anwendungsdaten\Black Sea Studios

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 22:22 --------- d--h--w c:\programme\InstallShield Installation Information
2009-01-08 22:22 --------- d-----w c:\programme\Gemeinsame Dateien\InstallShield
2008-12-26 23:12 --------- d-----w c:\programme\Java
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-19 16:14 --------- d-----w c:\dokumente und einstellungen\dudu\Anwendungsdaten\Clonk
2008-11-19 13:58 --------- d-----w c:\programme\ATI Technologies
2008-11-19 13:46 --------- d-----w c:\programme\Gemeinsame Dateien\Java
2008-11-19 13:43 --------- d-----w c:\programme\MSBuild
2008-11-19 13:40 --------- d-----w c:\programme\Reference Assemblies
2008-11-19 13:37 --------- d-----w c:\programme\Online-Dienste
2008-11-19 13:36 --------- d-----w c:\programme\Gemeinsame Dateien\Dienste
2008-11-19 13:34 --------- d-----w c:\programme\Windows Media Connect 2
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

2008-04-14 03:23 14336 4fbc75b74479c7a6f829e0ca19df3366 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\svchost.exe
2004-08-03 23:58 14336 65a819b121eb6fdab4400ea42bdffe64 c:\windows\system32\svchost.exe

2008-04-14 03:22 82432 6a35e2d6f5f052c84ec2ceb296389439 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\ws2_32.dll
2004-08-03 23:57 82944 d569240a22421d5f670bb6fb6dd522b5 c:\windows\system32\ws2_32.dll

2008-04-13 19:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2008-04-14 03:22 109056 4bb6a83640f1d1792ad21ce767b621c6 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\services.exe
2004-08-03 23:58 108544 edb6b81761bd60f32f740bbc40afb676 c:\windows\system32\services.exe

2008-04-14 03:22 13312 afb8261b56cba0d86aeb6df682af9785 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\lsass.exe
2004-08-03 23:58 13312 183805eb05bca5a1e4aaaed4d2be3690 c:\windows\system32\lsass.exe

2008-04-14 03:22 15360 01b4e6e990b6c5ea8856d96c7fd044b2 c:\windows\SoftwareDistribution\Download\95722b048b44feeb8b09afd7a4b3cf38\ctfmon.exe
2004-08-03 23:57 15360 7ce20569925df6789c31799f0c538f29 c:\windows\system32\ctfmon.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintr�ge & legitime Standardeintr�ge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"EVEREST AutoStart"="d:\programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\everest.exe" [2007-06-29 1973344]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-27 68856]
"MsnMsgr"="c:\programme\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2007-03-17 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Base road long save"="c:\dokumente und einstellungen\All Users\Anwendungsdaten\File dvd base road\Acid bin.exe" [2008-12-26 716800]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"msnmsgr"="c:\programme\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]
"IE7"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-11-23 01:36 203720 c:\programme\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-10 10:02 216520 c:\programme\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-12-17 23:23 2107224 c:\programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Spiele\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Programme\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\Programme\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Programme\\utorrent\\utorrent.exe"=
"c:\\Programme\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindServiceAE.exe"=
"c:\\Programme\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"d:\\Spiele\\EA Games\\Command & Conquer Die ersten 10 Jahre\\Command & Conquer™ Tiberian Sun™\\SUN\\Game.exe"=
"c:\\Programme\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Programme\\Alcohol Soft\\Alcohol 120\\AxCmd.exe"=
"c:\\Programme\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Programme\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Programme\\Reallusion\\CrazyTalk for Skype\\CT4Skype.exe"=
"d:\\Spiele\\Warcraft III\\Warcraft III.exe"=
"c:\\Dokumente und Einstellungen\\dudu\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:war3 hosting
"6112:UDP"= 6112:UDP:war3 hosting2

R3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\kerneld.wnt [2007-08-28 20856]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-01-08 25216]
R4 CGVPNCliSrvc;CyberGhost VPN Client;c:\programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe [2009-01-08 1940992]
S3 gAGP440p;gAGP440p;\??\c:\dokume~1\dudu\LOKALE~1\Temp\gAGP440p.sys --> c:\dokume~1\dudu\LOKALE~1\Temp\gAGP440p.sys [?]
.
Inhalt des "geplante Tasks" Ordners

2009-01-15 c:\windows\Tasks\Auf Updates f�r Windows Live Toolbar pr�fen.job
- c:\programme\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-15 c:\windows\Tasks\RegCure Program Check.job
- c:\programme\RegCure\RegCure.exe [2007-08-02 09:20]

2009-01-11 c:\windows\Tasks\RegCure.job
- c:\programme\RegCure\RegCure.exe [2007-08-02 09:20]
.
.
------- Zus�tzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
IE: &Windows Live Search - c:\programme\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
FF - ProfilePath - c:\dokumente und einstellungen\dudu\Anwendungsdaten\Mozilla\Firefox\Profiles\n6e2rh98.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\programme\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 13:00:44
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

c:\windows\explorer.exe [900] 0x85EFE020

Scanne versteckte Autostarteintr�ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\programme\Everest Ultimate Engineer Edition v.4.00.1053 beta\kerneld.wnt"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-01-15 13:03:05 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-01-15 12:03:02

Vor Suchlauf: 6.695.714.816 Bytes frei
Nach Suchlauf: 7,155,249,152 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

318 --- E O F --- 2009-01-15 12:02:39

#11
AdvancedSetup

Posted 15 January 2009 - 09:05 PM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

thanks. Please run the following.

Update your Anti-Virus to the latest definitions and do a FULL SCAN then

Update and Scan with Malwarebytes' Anti-Malware

Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then run this again
Please download the following scanning tool. GMER
[indent]

Open the zip file and copy the file gmer.exe to your Desktop.
Double click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
DO NOT Click on the SCAN button.
This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
Click OK and quit the GMER program.

[/indent]

Then post back all logs including a NEW HJT log.

#12
AdvancedSetup

Posted 21 January 2009 - 07:10 AM

Forum Deity

Administrators
22,568 posts

Gender:Male
Location:US

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

Back to Resolved HijackThis Logs · Next Unread Topic →