Edit: I just noticed that the ComboFix log is in German. If you need me to translate it, I will do so, but I hope it is clear otherwise. Sorry.
Thank you very much for the fast reply.
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:43:24, on 24.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemo...rch.com/default
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitcomet....finish/?l=en_us
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:\WINDOWS\system32\wvUlijKa.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\Office\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Programme\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Programme\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Programme\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\Office\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programme\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Office\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\Office\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: wvUlijKa - C:\WINDOWS\SYSTEM32\wvUlijKa.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5922 bytes
_______________________________________________________________
And this is the ComboFix log:
ComboFix 08-04-22.5 - Muh^^ 2008-04-24 15:19:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.647 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Muh^^\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\efcDVljk.dll
C:\WINDOWS\system32\wvUlijKa.dll
.
((((((((((((((((((((((( Dateien erstellt von 2008-03-24 bis 2008-04-24 ))))))))))))))))))))))))))))))
.
2008-04-24 14:38 . 2008-04-24 14:38 <DIR> d-------- C:\Programme\Trend Micro
2008-04-23 09:36 . 2008-04-23 09:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-19 12:05 . 2007-10-07 21:10 1,534,850 --a------ C:\WINDOWS\The_Pathway_to_Enlightenment.jpg
2008-04-13 21:08 . 2008-04-13 21:08 <DIR> d--h----- C:\BJPrinter
2008-04-13 21:08 . 2004-06-07 14:00 116,736 --a------ C:\WINDOWS\system32\CNMLM69.DLL
2008-04-13 21:08 . 2004-06-05 00:34 86,016 --a------ C:\WINDOWS\system32\CNMCP69.exe
2008-04-13 21:08 . 2004-06-07 14:00 7,680 --a------ C:\WINDOWS\system32\CNMVS69.DLL
2008-04-13 20:38 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-13 20:38 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-11 21:23 . 2008-04-11 21:23 <DIR> d-------- C:\Dokumente und Einstellungen\Muh^^\Anwendungsdaten\Media Player Classic
2008-04-05 19:34 . 2008-04-05 19:34 2,163,200 --a------ C:\WINDOWS\system32\kernel1.exe
2008-03-24 15:39 . 2005-05-26 16:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-03-24 15:39 . 2008-03-24 15:39 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-03-24 15:39 . 2008-03-24 15:39 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 13:23 9,050,144 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-24 13:21 111,260 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-20 06:01 --------- d-----w C:\Dokumente und Einstellungen\Muh^^\Anwendungsdaten\mIRC
2008-04-13 12:18 --------- d-----w C:\Dokumente und Einstellungen\Muh^^\Anwendungsdaten\Hamachi
2008-04-07 18:57 --------- d-----w C:\Programme\Opera
2008-04-02 18:11 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-03-24 13:36 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-03-24 00:16 1,588,736 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-03-13 16:09 1,577,472 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-03-12 19:38 1,575,424 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-03-09 18:16 1,574,912 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-03-05 20:23 1,566,720 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-04 21:24 3,028,480 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-04 21:24 1,565,696 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-03-02 13:23 --------- d-----w C:\Programme\Java
2008-03-02 13:21 --------- d-----w C:\Programme\Gemeinsame Dateien\Java
2008-02-24 23:09 1,543,680 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-19 22:24 1,529,856 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-18 16:56 1,528,832 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-16 09:16 1,527,808 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-13 23:06 1,513,472 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-12 22:57 1,503,232 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-12 12:16 1,488,896 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-11 23:11 1,488,384 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-07 23:37 1,486,848 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-06 21:57 1,485,824 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-31 22:30 1,468,416 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-29 22:27 1,456,128 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-28 22:10 1,455,616 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-26 09:52 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2008-01-25 01:40 1,444,352 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
.
------- Sigcheck -------
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-02-23 12:33 359040 6140801b9c2cacdf601aa0282b5bfd91 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-02-23 12:33 359040 6140801b9c2cacdf601aa0282b5bfd91 C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Programme\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:57 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 21:06 262401]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:57 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:58 1667584 C:\Programme\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"gusvc"=3 (0x3)
"helpsvc"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programme\\mIRC\\mirc.exe"=
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 15:22:47
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> D:\Programme\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programme\Stardock\ObjectDock\ObjectDock.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-04-24 15:25:43 - machine was rebooted [Muh^^]
ComboFix-quarantined-files.txt 2008-04-24 13:25:35
8 Verzeichnis(se), 2,311,958,528 Bytes frei
11 Verzeichnis(se), 3,082,903,552 Bytes frei
140
__________________________________________________________________________________
It didn't all go according to the manual, but I hope it helps.
Regards
Alex
Edited by LaBlubbAlex, 24 April 2008 - 07:31 AM.