Spyware

P

peter9

New Member
Hey,
I forgot it that i have spywares on my pc so i take a abo by world of warcraft and wrote there my bank notes.. should i have fear or doesnt matter it?
sry for my bad english..^^
 
g25racer said:
To find out if you do have spyware do the following. Download and install hijackthis from the link below. Then run it a click "Do a system scan only". When its done click "save log". Then copy all the text and paste it here in a new post.

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Click "Download Hijackthis Installer"
Click to expand...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:00, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programme\AntiVir PersonalEdition Classic\sched.exe
D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Tobit ClipInc\Server\ClipInc-Server.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
D:\Programme\Razer\Copperhead\razerhid.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
D:\Programme\Razer\Copperhead\razerofa.exe
C:\Programme\QuickTime\QTTask.exe
D:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
D:\Programme\SPYWAREfighter\spftray.exe
D:\Programme\SPYWAREfighter\spfprc.exe
C:\Programme\Messenger\msmsgs.exe
D:\Programme\DAEMON Tools\daemon.exe
D:\Programme\iPod\bin\iPodService.exe
D:\Programme\ICQ6\ICQ.exe
D:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: (no name) - {488E9F44-5521-4D51-91D0-2B047C1A1DF6} - C:\WINDOWS\system32\khfDtspo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {94df66a0-807e-2098-cec4-9410bfa492fa} - {af294afb-0149-4cec-8902-e7080a66fd49} - C:\WINDOWS\system32\gsrdipuw.dll
O2 - BHO: MU Online Toolbar Helper - {D3138B39-C8A6-440B-9D42-50F766AEA8C7} - C:\Programme\MU Online Toolbar\v3.2.0.0\MU_Online_Toolbar.dll (file missing)
O2 - BHO: (no name) - {DA01E35B-10AB-4850-9CE2-117C6ECFC625} - C:\WINDOWS\system32\cdm32.dll
O2 - BHO: (no name) - {FAAF4503-E52D-4B3B-9B12-D408F13AD817} - C:\WINDOWS\system32\awtrQJAR.dll
O3 - Toolbar: MU Online Toolbar - {B9D1647F-A66A-4695-B249-07901A45FF59} - C:\Programme\MU Online Toolbar\v3.2.0.0\MU_Online_Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [audiag] C:\WINDOWS\system32\audconf.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] D:\Programme\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Programme\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [7c5b98a2] rundll32.exe "C:\WINDOWS\system32\ldqjafso.dll",b
O4 - HKLM\..\Run: [BM7f68ab3e] Rundll32.exe "C:\WINDOWS\system32\hkyedknd.dll",s
O4 - HKLM\..\Run: [spywarefighterguard] D:\Programme\SPYWAREfighter\spftray.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Programme\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ICQ] "D:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [ClipIncSrvTray] "D:\Tobit ClipInc\Player\ClipIncTray.exe"
O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Programme\Media-Codec\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Media-Codec\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Programme\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Sinus 1054 data.lnk = D:\Programme\DT\Sinus 1054 data\Wifiusb.exe
O4 - Global Startup: Sinus 154 stick WLAN Manager.lnk = D:\Programme\DT\Sinus 154 stick\Wifiusb.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140169522687
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll e1.dll
O20 - Winlogon Notify: audmgr - audmgr32.dll (file missing)
O20 - Winlogon Notify: awtrQJAR - C:\WINDOWS\SYSTEM32\awtrQJAR.dll
O20 - Winlogon Notify: vmhevnet - C:\WINDOWS\system32\vmhevnet.dll (file missing)
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\system32\vwlummc.dll (file missing)
O22 - SharedTaskScheduler: {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - hubbsi - (no file)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - D:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - D:\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Programme\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: SPYWAREfighterRP - SpamFighter APS - D:\Programme\SPYWAREfighter\spfprc.exe

--
End of file - 8796 bytes
 
1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
 
ceewi1 said:
1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
Click to expand...

ComboFix 08-06-19.2 - Tobias 2008-06-20 11:22:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1469 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Tobias\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinAntiVirus Pro 2006
C:\WINDOWS\BM7f68ab3e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\av.cpl
C:\WINDOWS\system32\awtrQJAR.dll
C:\WINDOWS\system32\cjknupvb.ini
C:\WINDOWS\system32\dkfwonrh.ini
C:\WINDOWS\system32\dxiygmrb.dll
C:\WINDOWS\system32\gsrdipuw.dll
C:\WINDOWS\system32\khfDtspo.dll
C:\WINDOWS\system32\ldqjafso.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nfolsfti.dll
C:\WINDOWS\system32\opstDfhk.ini
C:\WINDOWS\system32\opstDfhk.ini2
C:\WINDOWS\system32\osfajqdl.ini
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tbeprqjo.ini
C:\WINDOWS\system32\tkvfxhsm.dll
C:\WINDOWS\system32\xvfhhwtv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_FWSVC
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
-------\Service_FOPN
-------\Service_FWSvc
-------\Service_vspf
-------\Service_vspf_hk


((((((((((((((((((((((( Dateien erstellt von 2008-05-20 bis 2008-06-20 ))))))))))))))))))))))))))))))
.

2008-06-20 01:01 . 2008-06-20 01:01 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Application
2008-06-19 12:37 . 2008-06-19 12:37 40,960 --a------ C:\WINDOWS\system32\lldnigjn.dll
2008-06-17 20:12 . 2008-06-17 20:12 40,960 --a------ C:\WINDOWS\system32\mmjtadxu.dll
2008-06-17 18:17 . 2008-06-17 18:18 <DIR> d-------- C:\Dokumente und Einstellungen\Hubert\Anwendungsdaten\ICQ
2008-06-15 14:26 . 2008-06-17 19:56 1,314 ---hs---- C:\WINDOWS\system32\iwdjflyq.ini
2008-06-15 14:23 . 2008-06-15 14:23 40,960 --a------ C:\WINDOWS\system32\iyjevsfg.dll
2008-06-14 14:21 . 2008-06-14 14:21 40,960 --a------ C:\WINDOWS\system32\cvjgmoic.dll
2008-06-11 16:53 . 2008-04-14 17:51 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 09:30 --------- d-----w C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Skype
2008-06-19 10:34 --------- d-----w C:\Programme\ICQToolbar
2008-06-18 11:05 --------- d-----w C:\Dokumente und Einstellungen\Hubert\Anwendungsdaten\OpenOffice.org2
2008-06-17 18:11 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-06-06 11:40 --------- d-----w C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\teamspeak2
2008-05-31 16:00 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 22:34 --------- d-----w C:\Programme\CASIO
2008-05-03 11:06 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-04-28 18:22 --------- d-----w C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\OpenOffice.org2
2008-04-28 13:16 1,541,896 ----a-w C:\WINDOWS\CISUnins.exe
2008-04-28 13:16 1,541,896 ----a-w C:\WINDOWS\CICUnins.exe
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2006-08-19 11:01 17 -c--a-w C:\Dokumente und Einstellungen\Tobias\getfile.dat
2003-02-28 11:32 11,776 -c--a-w C:\WINDOWS\inf\dt154stickoem_wxp.exe
2002-11-14 21:32 55,808 -c--a-w C:\WINDOWS\inf\devcon154stick.exe
2002-11-14 14:32 55,808 -c--a-w C:\WINDOWS\inf\devcon.exe
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA01E35B-10AB-4850-9CE2-117C6ECFC625}]
2007-04-10 19:31 13769 --a------ C:\WINDOWS\system32\cdm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-02-09 17:00 25388584]
"Uniblue RegistryBooster2"="D:\Programme\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"DAEMON Tools"="D:\Programme\DAEMON Tools\daemon.exe" [2007-04-04 00:29 165784]
"ICQ"="D:\Programme\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"ClipIncSrvTray"="D:\Tobit ClipInc\Player\ClipIncTray.exe" [2008-04-18 18:08 584704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-11 12:15 83968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"audiag"="C:\WINDOWS\system32\audconf.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
"razer"="D:\Programme\Razer\Copperhead\razerhid.exe" [2005-10-08 16:27 155648]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]
"iTunesHelper"="D:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"MBBalloon"="C:\Programme\HOTALBUMMyBOX\MBBalloon.exe" [2006-12-15 12:45 787096]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"Adobe Reader Speed Launcher"="D:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RegistryMechanic"="" []
"BM7f68ab3e"="C:\WINDOWS\system32\hkyedknd.dll" [ ]
"spywarefighterguard"="D:\Programme\SPYWAREfighter\spftray.exe" [2008-02-21 15:37 115344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:57 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hubbsi"= {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\system32\vwlummc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\audmgr]
audmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmhevnet]
C:\WINDOWS\system32\vmhevnet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\WINDOWS\system32\l3codecp.acm
"msacm.l3codec"= C:\WINDOWS\system32\l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chater.exe]
C:\WINDOWS\cc5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sserrvv]
C:\WINDOWS\sserrvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programme\\Steam\\SteamApps\\sh1n3y\\counter-strike source\\hl2.exe"=
"D:\\Programme\\Steam\\SteamApps\\sh1n3y\\day of defeat source\\hl2.exe"=
"D:\\Programme\\iTunes\\iTunes.exe"=
"D:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2007-12-25 19:52]
R2 ClipInc001;ClipInc 001;D:\Tobit ClipInc\Server\ClipInc-Server.exe 001 []
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
R3 SpyFighter;SpyFighter Guard Device;D:\Programme\SPYWAREfighter\spyfighter.sys [2008-02-21 15:38]
R3 SPYWAREfighterRP;SPYWAREfighterRP;"D:\Programme\SPYWAREfighter\spfprc.exe" [2008-02-21 15:37]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-19 14:27]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 16:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 16:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 16:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 16:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 16:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 16:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 16:11]

.
Inhalt des "geplante Tasks" Ordners
"2008-06-03 12:25:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 11:27:34
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Programme\AntiVir PersonalEdition Classic\sched.exe
D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Tobit ClipInc\Server\ClipInc-Server.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\WgaTray.exe
D:\Programme\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Programme\NETGEAR\WG111v2\WG111v2.exe
D:\Programme\iPod\bin\iPodService.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-20 11:37:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 09:37:43

8 Verzeichnis(se), 1,100,050,432 Bytes frei
11 Verzeichnis(se), 1,522,167,808 Bytes frei

189 --- E O F --- 2008-06-12 07:00:48









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:18, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programme\AntiVir PersonalEdition Classic\sched.exe
D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Tobit ClipInc\Server\ClipInc-Server.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programme\Razer\Copperhead\razerhid.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\QuickTime\QTTask.exe
D:\Programme\iTunes\iTunesHelper.exe
D:\Programme\Razer\Copperhead\razerofa.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\Programme\SPYWAREfighter\spftray.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Programme\Skype\Phone\Skype.exe
D:\Programme\ICQ6\ICQ.exe
D:\Tobit ClipInc\Player\ClipIncTray.exe
D:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programme\SPYWAREfighter\spfprc.exe
D:\Programme\iPod\bin\iPodService.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MU Online Toolbar Helper - {D3138B39-C8A6-440B-9D42-50F766AEA8C7} - C:\Programme\MU Online Toolbar\v3.2.0.0\MU_Online_Toolbar.dll (file missing)
O2 - BHO: (no name) - {DA01E35B-10AB-4850-9CE2-117C6ECFC625} - C:\WINDOWS\system32\cdm32.dll
O3 - Toolbar: MU Online Toolbar - {B9D1647F-A66A-4695-B249-07901A45FF59} - C:\Programme\MU Online Toolbar\v3.2.0.0\MU_Online_Toolbar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [audiag] C:\WINDOWS\system32\audconf.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] D:\Programme\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Programme\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM7f68ab3e] Rundll32.exe "C:\WINDOWS\system32\hkyedknd.dll",s
O4 - HKLM\..\Run: [spywarefighterguard] D:\Programme\SPYWAREfighter\spftray.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Programme\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ICQ] "D:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [ClipIncSrvTray] "D:\Tobit ClipInc\Player\ClipIncTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Programme\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Sinus 1054 data.lnk = D:\Programme\DT\Sinus 1054 data\Wifiusb.exe
O4 - Global Startup: Sinus 154 stick WLAN Manager.lnk = D:\Programme\DT\Sinus 154 stick\Wifiusb.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140169522687
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: audmgr - audmgr32.dll (file missing)
O20 - Winlogon Notify: vmhevnet - C:\WINDOWS\system32\vmhevnet.dll (file missing)
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\system32\vwlummc.dll (file missing)
O22 - SharedTaskScheduler: {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - hubbsi - (no file)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - D:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - D:\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: SPYWAREfighterRP - SpamFighter APS - D:\Programme\SPYWAREfighter\spfprc.exe

--
End of file - 8292 bytes
 
My sincere apologies for the delay, I must have missed your response to this thread.

The main Vundo infection has been removed, but there are still some remnants.

Please delete the version of ComboFix you have and download an updated one from http://download.bleepingcomputer.com/sUBs/ComboFix.exe.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    File::
C:\WINDOWS\system32\lldnigjn.dll
C:\WINDOWS\system32\mmjtadxu.dll
C:\WINDOWS\system32\iwdjflyq.ini
C:\WINDOWS\system32\iyjevsfg.dll
C:\WINDOWS\system32\cvjgmoic.dll
C:\WINDOWS\system32\cdm32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA01E35B-10AB-4850-9CE2-117C6ECFC625}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7f68ab3e"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hubbsi"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\audmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmhevnet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chater.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sserrvv]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. How is your system running now?
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
 
You must log in or register to reply here.
Back
Top