[Daemon]

Persistent, you got rid of one but the other is still there - please repeat my last post.

[Advertisements]

i repeated the last step and a messege appeared which said "PendingFileRenameOperations Regestry Data has been removed by External Process" after i klicked yes when having been aksed for the reboot ....

[lc.chris]

i repeated the last step and a messege appeared which said "PendingFileRenameOperations Regestry Data has been removed by External Process" after i klicked yes when having been aksed for the reboot ....

[Daemon]

Click OK at that prompt, reboot and post a fresh HJT log.

[lc.chris]

this is the log after the error ...

Logfile of HijackThis v1.99.1
Scan saved at 18:31:26, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Programme\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Programme\ICQ\Icq.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


after rebooting the ehe.exe will be there again i guess ... i just fixed it with hjt like you told me to .... but the pc dind`t reboot after i wanted to delete it with the killbox ...

Edited by lc.chris, 30 July 2005 - 10:34 AM.

[Daemon]

Reboot and post a new log.

[lc.chris]

fresh log :


Logfile of HijackThis v1.99.1
Scan saved at 18:37:07, on 30.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
E:\Programme\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Dokumente und Einstellungen\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.de/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Programme\corel12\Languages\DE\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081105 serial=dr12wex-1504397-kty lang=DE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Programme\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



seems like it worked even with the error appearing ...

[Daemon]

Yes, well done - you got it that time. Looks OK now - how is it running?

[lc.chris]

it`s running much better .... faster when surfing with IE and no more annoying pop ups even after reboot ^^

but ad-aware se still shows me about 30 vx2 files and infected regestry keys ... i gonna delete them and do e reboot maybe they won`t re-appear

[lc.chris]

YEAH ,.... reoved them and they dind`t come back .....

[bleep] 100 x THX !!!!!! You guys from geekstogo forum are really great !

[Daemon]

You're welcome - glad to help

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.