AntiVir Guard meldet ununterbrochen Spyware TR/Agent / mljgf.dll |
||
---|---|---|
#0
| ||
08.10.2007, 20:10
...neu hier
Beiträge: 3 |
||
|
||
08.10.2007, 21:18
Ehrenmitglied
Beiträge: 6028 |
#2
Entferne auf C: \Qoobox--->Papierkorb leeren
Schliesse alle Fenster und starte Hijack This Klicke: Do a Systemscan only Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei O2 - BHO: (no name) - {957C10F8-578E-412B-88C2-7A1C5A721210} - C:\WINDOWS\System32\mljgf.dll (file missing) O20 - Winlogon Notify: cbxxxvt - C:\WINDOWS\SYSTEM32\cbxxxvt.dll klicke: Fix checked Dein Internet Explorer muss geschlossen wenn Du Fix Checked klickst Download Avenger zum Desktop Alle Fenster muessen geschlossen sein Starte Avenger Anhaken Input script manually Die "Lupe" rechts anklicken - View/edit script (wird sich öffnen) kopiere rein: Files to delete: C:\WINDOWS\system32\fgjlm.ini C:\WINDOWS\system32\rpgsfewc.ini C:\WINDOWS\system32\fgjlm.bak2 C:\WINDOWS\system32\ibmlogac.ini C:\WINDOWS\system32\fgjlm.bak1 C:\WINDOWS\system32\cbxxxvt.dll Klicke die grüne Ampel das Script wird nun ausgeführt, dann wird der PC nach Bestätigung (yes) neustarten nach dem Neustart erscheint ein Log vom Avenger, kopiere es ab - mit rechtem Mausklick - kopieren - einfügen Und ein log von Hijack This __________ MfG Argus |
|
|
||
08.10.2007, 21:52
...neu hier
Themenstarter Beiträge: 3 |
#3
Danke für die schnelle Hilfe!!
Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\nsoldjvi ******************* Script file located at: \??\C:\WINDOWS\System32\rfaemsfj.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\fgjlm.ini deleted successfully. File C:\WINDOWS\system32\rpgsfewc.ini deleted successfully. File C:\WINDOWS\system32\fgjlm.bak2 deleted successfully. File C:\WINDOWS\system32\ibmlogac.ini deleted successfully. File C:\WINDOWS\system32\fgjlm.bak1 deleted successfully. File C:\WINDOWS\system32\cbxxxvt.dll deleted successfully. Completed script processing. ******************* Finished! Terminate. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:52:07, on 08.10.2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\PMJ151LA.BIN C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\System32\WLTRAY.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\hijack\HJT.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: Senden an &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://xxxxxxxxxxxxxxxxxxx96397ad767654b4b8128ebd418f766b5ed1ea8f1b5beda1d7b7acba4/whalecom0/iNotes6W.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://xxxxxxxxxxxxxxxnalSite/WhlCompMgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D2AB70AD-AA6D-4ED0-B0BD-1BCC1512C7D7}: NameServer = 192.168.1.1 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\Common\Database\bin\fbserver.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 6597 bytes Dieser Beitrag wurde am 08.10.2007 um 23:49 Uhr von baenker editiert.
|
|
|
||
08.10.2007, 21:59
Ehrenmitglied
Beiträge: 6028 |
#4
Entferne auf C:\avenger\ backup.zip --->Papierkorb leeren
Systemwiederherstellung Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren. Neu Starten Dann wieder aktivieren (Häkchen entfernen) Dein Java software ist veraltet, Download jre-6u3-windows-i586-p.exe Scrolle runter nach ---->Java Runtime Environment (JRE) 6u3 The Java SE Runtime Environment (JRE) allows end-users to run Java applications. Klicke auf " Download " Setze in haeckchen bei --->"Accept License Agreement". Klicke “Windows Offline Installation, Multi-language” um “jre-6-windows-i586.exe” zum Desktop zu installieren Schliesse alle Programme auch dein Webbrowser Ueber "Start -> Einstellungen -> Systemsteuerung -> Software Und entferne alle aeltere versionen von Java Runtime Environment (JRE of J2SE) Auch auf C:\Programme\ Java entfernen! Nachdem alles entfernt wurde ---> Rechner neu starten Installiere jetzt vom Desktop aus ---> “jre-6u3-windows-i586-p-s.exe ” Stelle Antivir so ein wie hier beschrieben http://board.protecus.de/t23979.htm __________ MfG Argus |
|
|
||
08.10.2007, 23:47
...neu hier
Themenstarter Beiträge: 3 |
#5
Erledigt (und bis jetzt auch noch keinerlei AVGuard Popup's erhalten)
Thnx für die Tipps! Was empfiehlt ihr für eine Real-Time protection? |
|
|
||
09.10.2007, 00:05
Ehrenmitglied
Beiträge: 6028 |
||
|
||
Habe seit ein paar Tagen immer wieder Spyware auf meinem Rechner (TR/Agent, betroffenes File: C:\Windows\System32\mljgf.dll
Danke für Eure Hilfe!
ComboFix-Log
ComboFix 07-10-07.2 - xxx 2007-10-08 19:50:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.437 [GMT 2:00]
Running from: C:\Documents and Settings\xxx\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\xxx\Application Data\macromedia\Flash Player\#SharedObjects\XJTQMKWW\www.broadcaster.com
C:\Documents and Settings\xxx\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\xxx\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\fad.sys
.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.
2007-10-08 19:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 19:01 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-03 19:01 <DIR> d-------- C:\Documents and Settings\xxx\Application Data\WholeSecurity
2007-10-02 18:56 521,581 ---hs---- C:\WINDOWS\system32\fgjlm.bak2
2007-10-01 19:13 6,513 ---hs---- C:\WINDOWS\system32\fgjlm.bak1
2007-10-01 19:08 35,328 --a------ C:\WINDOWS\system32\cbxxxvt.dll
2007-10-01 18:23 <DIR> d-------- C:\youtube
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 23:48 --------- d-------- C:\Documents and Settings\xxx\Application Data\Azureus
2007-09-09 19:12 --------- d-------- C:\Program Files\Video_deluxe_2007_PLUS
2007-09-09 12:24 --------- d-------- C:\Program Files\Goya_burnR
2007-09-09 12:21 --------- d-------- C:\Program Files\Goya_burnR_mxcdr
2007-09-07 19:27 --------- d-------- C:\Program Files\Avira
2007-09-07 19:27 --------- d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-08-27 22:37 --------- d-------- C:\Documents and Settings\xxx\Application Data\Deneba
2007-08-27 22:35 --------- d-------- C:\Program Files\Deneba
2007-08-12 13:53 --------- d-------- C:\Program Files\IrfanView
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{957C10F8-578E-412B-88C2-7A1C5A721210}]
C:\WINDOWS\System32\mljgf.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 06:59 C:\WINDOWS\BCMSMMSG.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 15:18]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-20 09:10]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2007-03-16 18:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:50]
"NVIEW"="nview.dll,nViewLoadHook" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-25 20:11]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxxvt]
cbxxxvt.dll 2007-10-01 19:08 35328 C:\WINDOWS\system32\cbxxxvt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\System32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\PROGRA~1\VIDEO_~1\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
WDBtnMgr.exe
R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R2 PMJ151NM;Panasonic DVC Web Camera;C:\WINDOWS\System32\DRIVERS\PMJ151NM.sys
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\Common\Database\bin\fbserver.exe
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\System32\drivers\srs_sscfilter_i386.sys
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 19:52:21
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-08 19:52:49
C:\ComboFix-quarantined-files.txt ... 2007-10-08 19:52
.
--- E O F ---
HJT-Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55:58, on 08.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {957C10F8-578E-412B-88C2-7A1C5A721210} - C:\WINDOWS\System32\mljgf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Senden an &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://xxxxxxxxxxx28ebd418f766b5ed1ea8f1b5beda1d7b7acba4/whalecom0/iNotes6W.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://xhlCompMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2AB70AD-AA6D-4ED0-B0BD-1BCC1512C7D7}: NameServer = 192.168.1.1
O20 - Winlogon Notify: cbxxxvt - C:\WINDOWS\SYSTEM32\cbxxxvt.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\Common\Database\bin\fbserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6572 bytes
Datfind.bat - Log
Directory of C:\WINDOWS\system32
08.10.2007 18:36 25'577 nvModes.001
08.10.2007 18:28 2'206 wpa.dbl
07.10.2007 18:44 518'128 fgjlm.ini
07.10.2007 17:23 693'661 rpgsfewc.ini
07.10.2007 17:20 521'581 fgjlm.bak2
05.10.2007 10:07 279'552 swreg.exe
03.10.2007 19:05 693'541 ibmlogac.ini
01.10.2007 19:13 6'513 fgjlm.bak1
01.10.2007 19:08 35'328 cbxxxvt.dll
16.09.2007 18:39 25'577 nvModes.dat
Directory of C:\DOCUME~1\xxx\LOCALS~1\Temp
08.10.2007 19:59 96'842 datfind.txt
08.10.2007 19:54 114'688 ~DF1FD9.tmp
08.10.2007 19:53 0 WcesView.log
08.10.2007 19:53 318'369 HiJackThis.zip
08.10.2007 18:37 164'053 WCESLog.log
5 File(s) 693'952 bytes
0 Dir(s) 13'603'119'104 bytes free
Directory of C:\WINDOWS
08.10.2007 18:29 0 0.log
08.10.2007 18:29 159 wiadebug.log
08.10.2007 18:29 50 wiaservc.log
08.10.2007 18:28 2'048 bootstat.dat
03.10.2007 19:01 584'806 setupapi.log
28.09.2007 09:06 135'168 catchme.exe
27.09.2007 23:32 116 NeroDigital.ini
27.09.2007 23:28 438 wincmd.ini
27.09.2007 22:55 164 wcx_ftp.ini
27.09.2007 22:53 54'156 QTFont.qfn
09.09.2007 19:12 56 Videodeluxe.INI
09.09.2007 12:23 46 Goya.INI
08.09.2007 18:56 18'606 Windows Update.log
07.09.2007 19:08 133'394 ntbtlog.txt
03.08.2007 00:03 523 win.ini
Directory of C:\WINDOWS\temp
Directory of C:\WINDOWS\Downloaded Program Files
26.09.2007 01:00 400'127 tcscan8.dat
26.09.2007 01:00 32 virscant.dat
26.09.2007 01:00 5'064'300 virscan9.dat
26.09.2007 01:00 1'819'101 virscan8.dat
26.09.2007 01:00 12'625'198 virscan7.dat
26.09.2007 01:00 2'504 catalog.dat
26.09.2007 01:00 391'801 virscan6.dat
26.09.2007 01:00 6'899 ecbootil.vxd
26.09.2007 01:00 4'599'786 virscan5.dat
26.09.2007 01:00 284'016 ecmsvr32.dll
26.09.2007 01:00 320'253 virscan4.dat
26.09.2007 01:00 150'248 virscan3.dat
26.09.2007 01:00 570'834 virscan2.dat
26.09.2007 01:00 994'246 virscan1.dat
26.09.2007 01:00 124'272 naveng32.dll
26.09.2007 01:00 914'800 navex32a.dll
26.09.2007 01:00 106'244 virscan.inf
26.09.2007 01:00 97'744 scrauth.dat
26.09.2007 01:00 2'267 v.sig
26.09.2007 01:00 11'875 symaveng.cat
26.09.2007 01:00 1'061 symaveng.inf
26.09.2007 01:00 398'092 tcdefs.dat
26.09.2007 01:00 1'829'031 tcscan7.dat
26.09.2007 01:00 224 zdone.dat
26.09.2007 01:00 923'305 tcscan9.dat
26.09.2007 01:00 453 tinf.dat
26.09.2007 01:00 148 tinfidx.dat
26.09.2007 01:00 1'957 tinfl.dat
26.09.2007 01:00 67'619 tscan1.dat
26.09.2007 01:00 3'240 tscan1hd.dat
26.09.2007 01:00 4'778 v.grd
.