Logfile of HijackThis v1.99.1
Scan saved at 12:23:29, on 27.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_11\bin\jusched.exe
D:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\winamp.exe
C:\Dokumente und Einstellungen\Ray\Desktop\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ray-production.de/RayProduction/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\Programme\FlashFXP\IEFlash.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Programme\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe

2007-03-26 17:12  d--------  C:\Programme\WarRock
2007-03-20 22:50  d--------  C:\Programme\HLSW
2007-03-20 19:47  d--------  C:\DOKUME~1\ALLUSE~1\ANWEND~1\NVIDIA
2007-03-15 18:37  d--------  C:\Programme\CUE Splitter
2007-03-15 14:20  d--------  C:\WINDOWS\pss
2007-03-13 17:30  38,016  --a------  C:\WINDOWS\system32\drivers\bthmodem.sys
2007-03-13 17:30  25,856  --a------  C:\WINDOWS\system32\drivers\hidbth.sys
2007-03-13 17:30  14,848  --a------  C:\WINDOWS\system32\drivers\kbdhid.sys
2007-03-12 05:21  d--------  C:\Programme\Font Fitting Room Deluxe
2007-03-12 05:21  d--------  C:\DOKUME~1\Ray\ANWEND~1\Font Fitting Room Deluxe
2007-03-07 22:25  d--------  C:\DOKUME~1\Ray\TV-Browser
2007-03-07 22:24  d--------  C:\Programme\TV-Browser
2007-03-07 22:06  49,152  ---------  C:\WINDOWS\system32\TempDel.EXE
2007-03-07 16:11  d--------  C:\Programme\WinFast
2007-03-07 16:03  9,469  --a------  C:\WINDOWS\system32\drivers\WINFOXIO.sys
2007-03-07 16:03  d--------  C:\WINDOWS\system32\WinFox
2007-03-07 16:03  d--------  C:\WINDOWS\system32\WinFast
2007-03-07 16:03  d--------  C:\DOKUME~1\Ray\WINDOWS
2007-03-07 15:54  d--------  C:\WinFast WorkArea
2007-03-07 04:14  27,392  --a------  C:\WINDOWS\system32\drivers\ULCDRHlp.sys
2007-03-07 03:52  9,728  --a------  C:\WINDOWS\system32\drivers\cxavxbar.sys
2007-03-07 03:52  50,816  --a------  C:\WINDOWS\system32\drivers\cx88tune.sys
2007-03-07 03:52  162,944  --a------  C:\WINDOWS\system32\drivers\cx88vid.sys
2007-03-07 03:35  75,264  --a------  C:\WINDOWS\system32\unacev2.dll
2007-03-07 03:35  3,440  --a------  C:\WINDOWS\undo.reg
2007-03-07 03:35  153,088  --a------  C:\WINDOWS\system32\UNRAR3.dll
2007-03-07 03:35  d--------  C:\Programme\Trojan Remover
2007-03-07 02:58  d--------  C:\DOKUME~1\Ray\ANWEND~1\gtk-2.0
2007-03-07 02:58  d--------  C:\DOKUME~1\Ray\.thumbnails
2007-03-07 02:54  d--------  C:\DOKUME~1\Ray\ANWEND~1\Nvu
2007-03-07 02:48  d--------  C:\DOKUME~1\Ray\.gimp-2.2
2007-03-07 02:45  d--------  C:\Programme\GIMP-2.0
2007-03-07 02:44  d--------  C:\Programme\Gemeinsame Dateien\GTK
2007-03-06 14:14  d-a------  C:\DOKUME~1\ALLUSE~1\ANWEND~1\TEMP
2007-03-06 14:14  d--------  C:\DOKUME~1\Ray\ANWEND~1\Simply Super Software
2007-03-06 14:12  d--------  C:\DOKUME~1\ALLUSE~1\ANWEND~1\Trojan Remover
2007-03-05 20:39  d--------  C:\Programme\KONAMI
2007-02-28 23:04  d--------  C:\DOKUME~1\Ray\Xpage backup
2007-02-28 22:42  d--h-----  C:\Programme\Zero G Registry
2007-02-28 22:41  d--h-----  C:\DOKUME~1\Ray\InstallAnywhere

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-26 22:32  --------  d--h-----  C:\Programme\installshield installation information
2007-03-26 16:25  --------  d--------  C:\DOKUME~1\Ray\ANWEND~1\teamspeak2
2007-03-25 08:14  70580  --a------  C:\WINDOWS\system32\perfc007.dat
2007-03-25 08:14  405118  --a------  C:\WINDOWS\system32\perfh007.dat
2007-03-24 18:54  --------  d--------  C:\DOKUME~1\Ray\ANWEND~1\skype
2007-03-19 16:32  --------  d--------  C:\Programme\flashget
2007-03-07 16:12  --------  d--------  C:\Programme\Gemeinsame Dateien\ulead systems
2007-03-05 20:33  --------  d--------  C:\Programme\winamp
2007-03-04 23:55  --------  d--------  C:\Programme\divx
2007-03-02 01:04  --------  d--------  C:\Programme\smartftp client 2.0
2007-02-26 00:33  3316  --a------  C:\WINDOWS\mozver.dat
2007-02-26 00:31  --------  d--------  C:\Programme\Gemeinsame Dateien\xing shared
2007-02-25 22:51  --------  d--------  C:\Programme\viennasoft
2007-02-23 06:29  524288  --a------  C:\WINDOWS\system32\divxsm.exe
2007-02-23 06:29  36624  ---------  C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-02-23 06:29  3596288  --a------  C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 06:29  200704  --a------  C:\WINDOWS\system32\ssldivx.dll
2007-02-23 06:29  129784  ---------  C:\WINDOWS\system32\pxafs.dll
2007-02-23 06:29  118520  ---------  C:\WINDOWS\system32\pxinsi64.exe
2007-02-23 06:29  116472  ---------  C:\WINDOWS\system32\pxcpyi64.exe
2007-02-23 06:29  1044480  --a------  C:\WINDOWS\system32\libdivx.dll
2007-02-23 06:25  823296  --a------  C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 06:25  823296  --a------  C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 06:25  802816  --a------  C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 06:25  73728  --a------  C:\WINDOWS\system32\dpl100.dll
2007-02-23 06:25  639066  --a------  C:\WINDOWS\system32\divx.dll
2007-02-23 06:25  593920  --a------  C:\WINDOWS\system32\dpugui11.dll
2007-02-23 06:25  57344  --a------  C:\WINDOWS\system32\dpv11.dll
2007-02-23 06:25  53248  --a------  C:\WINDOWS\system32\dpugui10.dll
2007-02-23 06:25  344064  --a------  C:\WINDOWS\system32\dpus11.dll
2007-02-23 06:25  294912  --a------  C:\WINDOWS\system32\dpu11.dll
2007-02-23 06:25  294912  --a------  C:\WINDOWS\system32\dpu10.dll
2007-02-23 06:25  196608  --a------  C:\WINDOWS\system32\dtu100.dll
2007-02-20 03:35  --------  d--------  C:\Programme\mirc
2007-02-20 01:16  --------  d--------  C:\Programme\Gemeinsame Dateien\sncp106
2007-02-19 14:41  --------  d--------  C:\Programme\ebesucher-browser
2007-02-16 23:00  --------  d--------  C:\Programme\smartftp client 2.0 setup files
2007-02-16 16:22  --------  d--------  C:\DOKUME~1\Ray\ANWEND~1\real
2007-02-16 16:18  --------  d--------  C:\Programme\real
2007-02-16 03:40  124472  --a------  C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-14 19:07  --------  d--------  C:\Programme\java

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"="\"D:\\Programme\\Steam\\Steam.exe\" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"D:\\Programme\\iTunes\\iTunesHelper.exe\""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"CmUsbSound"="RunDll32 cmcnfgu.cpl,CMICtrlWnd"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"WinFast Schedule"="C:\\Programme\\WinFast\\WFTVFM\\WFWIZ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Ray^Startmenü^Programme^Autostart^Xfire.lnk]
"path"="C:\\Dokumente und Einstellungen\\Ray\\Startmenü\\Programme\\Autostart\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Trjscan"
"hkey"="HKLM"
"command"="C:\\Programme\\Trojan Remover\\Trjscan.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter      REG_MULTI_SZ    HTTPFilter\0\0
LocalService    REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService  REG_MULTI_SZ    DnsCache\0\0
DcomLaunch      REG_MULTI_SZ    DcomLaunch\0TermService\0\0
rpcss           REG_MULTI_SZ    RpcSs\0\0
imgsvc          REG_MULTI_SZ    StiSvc\0\0
termsvcs        REG_MULTI_SZ    TermService\0\0
Usnsvc          REG_MULTI_SZ    usnsvc\0\0
bthsvcs         REG_MULTI_SZ    BthServ\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9560d86e-531a-11db-901a-806d6172696f}]
Shell\AutoRun\command
E:\install.exe

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-27 12:30:30