Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse windows\system32\ssqro.dll [RESOLVED]


  • This topic is locked This topic is locked

#1
druid2005

druid2005

    Member

  • Member
  • PipPip
  • 15 posts
Help!

I've got this nasty and somehow unremoveable windows\system32\ssqro.dll-horse, and VundoFix can't find it... Antivir finds it regularilly but can't remove it..

What can I do?

Thx! druid
  • 0

Advertisements


#2
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Hello. :whistling:

Please do this:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay, here we go: :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:40, on 16.09.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Network Monitor\netmon.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Opera\Opera.exe
C:\Dokumente und Einstellungen\druid\Desktop\VundoFix.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O1 - Hosts: 127.0.1.254 stlupdate.rs4u.com #rs4u_uninstall_mark
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Sygate Personal Firewall] Slinder.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Slinder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580 (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P32 "EPSON Stylus COLOR 580 (Kopie 1)" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LevelOne 11g Wireless USB.lnk = C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137759702170
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZHJ1aWQ\command.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
  • 0

#4
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#5
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay... that took a while :whistling:

But I'm finally updated! :blink:
  • 0

#6
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Good. :whistling: Can I look at a new Hijackthis log please?
  • 0

#7
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sure!

Logfile of HijackThis v1.99.1
Scan saved at 13:13:39, on 16.09.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Network Monitor\netmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O1 - Hosts: 127.0.1.254 stlupdate.rs4u.com #rs4u_uninstall_mark
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Sygate Personal Firewall] Slinder.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Slinder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580 (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P32 "EPSON Stylus COLOR 580 (Kopie 1)" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LevelOne 11g Wireless USB.lnk = C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137759702170
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZHJ1aWQ\command.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
  • 0

#8
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Ok let's continue. :whistling:

First off, do you know this program?

C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe

=====================================

Download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
=====================================

Uninstall Programs
  • Click Start » Run » type: appwiz.cpl » OK
  • Find and remove the following program(s) (if present):

    Network Monitor

  • Close Add/Remove Programs window after uninstalling.
=====================================



1. Click Start > Run > type: sc stop "Network Monitor" > OK
2. Click Start > Run > type: sc delete "Network Monitor" > OK

3. Click Start > Run > type: sc stop ServiceHost > OK
4. Click Start > Run > type: sc delete ServiceHost > OK

=====================================




Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall] Slinder.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Slinder.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

If you didn't put this in your HOSTS file, then check it as well:

O1 - Hosts: 127.0.1.254 stlupdate.rs4u.com #rs4u_uninstall_mark


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================

I want you to set Windows to show hidden files and folders, click here to learn how.

=====================================

Reboot into Safe Mode
  • Restart your computer.
  • Before the Windows logo appear, tap F8 repeatedly.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take a while than usual, so just wait.
=====================================



We need to search for a file. Click Start » Search » For Files and Folders.
Expand Search Options:
  • Check - Advanced Options
  • Check - Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the "Search for files and folders" named box:

Slinder.exe

If any of these file/s are found please delete them.

=====================================

Locate and delete the following file(s), if present : C:\WINDOWS\shost.exe
Locate and delete the following folder(s), if present : C:\Program Files\FREEPROD
C:\Programme\Network Monitor\
Tell me if you can't delete/find any of these files/folders.

=====================================

Restart your computer

=====================================

In your next reply, please include these log(s):
  • HijackThis log (new)

Edited by Jag11, 16 September 2006 - 05:47 AM.

  • 0

#9
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay, through with this.. :whistling:

The Level-One stuff is the software that came with my usb wlan stick.

The stupid search-dog couldn't find a slinder.exe. Deleted the other stuff.

Here is the log:
  • 0

#10
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
...erm... forgotten the log...


Logfile of HijackThis v1.99.1
Scan saved at 14:31:52, on 16.09.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
C:\Programme\Opera\Opera.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580 (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P32 "EPSON Stylus COLOR 580 (Kopie 1)" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LevelOne 11g Wireless USB.lnk = C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137759702170
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
  • 0

Advertisements


#11
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts

The Level-One stuff is the software that came with my usb wlan stick.

Ok, thanks for letting me know that.

Next:

I need you to rename Hijackthis because I suspect that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe
  • Right-click on it, then select Rename.
  • Name it something like: jet.exe (or whatever you want)
  • Then double-click jet.exe to scan and then post the new logfile.
Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run an online scan at Panda's ActiveScan
  • Please go here using Internet Explorer.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open, click the big Check Now button.
    • Enter your Country.
    • Enter your State/Province.
    • Enter your e-mail address and click send.
    • Select either Home User or Company.
    • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • When the download is complete, click on My Computer to start the scan.
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the Panda report along with a new Hijackthis log.
==

Post:

1. New Hijackthis log
2. Panda log
  • 0

#12
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay, now I'm scared! :blink: What does AntiVir do the hole day? Well, I'm just happy that I don't do any online banking... :whistling:

Anyway, the ATF-Cleaner crashes for no apparent reason. Opera on top is grey, I can't select it...

Here the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:38, on 17.09.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Hijackthis\jet.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580 (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P32 "EPSON Stylus COLOR 580 (Kopie 1)" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LevelOne 11g Wireless USB.lnk = C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137759702170
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe

...and the Panda stuff


Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USYP_0001_N76M2004NetInstaller.exe
Adware:adware/dollarrevenue Not disinfected c:\windows\drsmartload.dat
Adware:adware/maxifiles Not disinfected c:\programme\gemeinsame dateien\Download
Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\druid\Lokale Einstellungen\Temp\nsd5.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\druid\Lokale Einstellungen\Temp\nsi42.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\druid\Lokale Einstellungen\Temp\nsy35.tmp
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Dokumente und Einstellungen\druid\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LKIP0G4C\WinFixer2005ScannerInstallDE[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Programme\Gemeinsame Dateien\Windows\services32.exe
Adware:Adware/Maxifiles Not disinfected C:\Programme\Hijackthis\backups\backup-20060916-140609-233.dll
Adware:Adware/SearchAid Not disinfected C:\RECYCLER\S-1-5-21-1715567821-1958367476-682003330-500\Dc2\netmon.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\awvts.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\W1FS2YI8\installer[1].exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\mljjg.dll
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\vtsqo.dll
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\vturp.dll
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:Adware/CommAd Not disinfected C:\WINDOWS\ZHJ1aWQ\asappsrv.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\ZHJ1aWQ\tJLYuqk.vbs
  • 0

#13
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Ok let's continue.. :whistling:

Download Killbox
  • Save it to your Desktop.
  • In the event you already have Killbox, this is a new version that I need you to download.
  • Double-click Killbox.exe to run it.
  • Select Delete on Reboot.
  • Click on the All Files button.
  • Copy the words below (inside the box) by left clicking and covering all the text then right click inside the highlighted area and choose Copy:

    c:\windows\system32\atmtd.dll
    c:\windows\downloaded program files\USYP_0001_N76M2004NetInstaller.exe
    c:\windows\drsmartload.dat
    C:\WINDOWS\system32\awvts.dll
    C:\Programme\Gemeinsame Dateien\Windows\services32.exe 
    C:\WINDOWS\uninstall_nmon.vbs
    c:\programme\gemeinsame dateien\Download
    C:\WINDOWS\system32\i
    C:\WINDOWS\ZHJ1aWQ\
    
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes when prompted to restart your computer. Click OK at any PendingFileRenameOperations prompt.
NOTES :
  • If your computer does not restart automatically, please restart it manually.
  • If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
=====================================

Then empty your Recycle Bin

Download Brute Force Uninstaller to your desktop.
  • Right click the file on your Desktop, and choose Extract All.
  • Click Next.
  • In the box to choose where to extract the files to:
  • Click Browse.
  • Click on the + sign next to My Computer
  • Click on Local Disk (C:) or whatever your primary drive is.
  • Click Make New Folder
  • Type in BFU
  • Click Next, and uncheck the Show Extracted Files box and then click Finish.
Right-click Here and choose "Save As" (or "Save Target As") in order to download Alcra Plus Remover.
  • Save it in the same folder you made earlier (c:\BFU)
=====================================

Run Brute Force Uninstaller

Go to Start » My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Beside the white box field, click the folder icon: Posted Image : select alcanshorty.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
=====================================
  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text below (inside the box) to Notepad.

    REGEDIT4
    
    [-hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL]
    
    
  • Make sure there are no black spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Its icon should look like this : Posted Image
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.
=====================================

Download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
=====================================

Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will make a log in C:\vundofix.txt, please include that in your next reply along with a new Hijackthis log.

  • 0

#14
druid2005

druid2005

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay, VundoFix didn't find anything, here is the log:


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:30:02 16.09.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:32:52 16.09.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:38:07 16.09.2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:38:36 16.09.2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:55:52 16.09.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 11:43:59 16.09.2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 11:54:27 16.09.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 13:45:34 16.09.2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 13:03:49 17.09.2006

Listing files found while scanning....

No infected files were found.



...and this is what HiJack has to say:

Logfile of HijackThis v1.99.1
Scan saved at 13:09:44, on 17.09.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Hijackthis\jet.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580 (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P32 "EPSON Stylus COLOR 580 (Kopie 1)" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LevelOne 11g Wireless USB.lnk = C:\Programme\DDC\LevelOne_USB_802.11g_Utility\LevelOneWlan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137759702170
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
  • 0

#15
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Ok here's next.


==

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\awvts.dll in the first filename box
  • Browse for this filename: C:\WINDOWS\system32\mljjg.dll in the second filename box
  • Browse for this filename: C:\WINDOWS\system32\vtsqo.dll in the third filename box
  • Browse for this filename: C:\WINDOWS\system32\vturp.dll in the forth filename box
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
==

1. Download combofix.exe from one of these locations -

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Click Start » Run - then copy/paste this into the run box & click OK :

"%userprofile%\desktop\combofix.exe" /v awvts mljjg vtsqo vturp

3. When finished, it shall produce a log for you. Post that log in your next reply.

NOTE : Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP