I Got Infected By A Trojan Virus And My Anti-virus System Can't Fix It[INACTIVE]

VanVeign

By VanVeign,
in Malware Removal

 Share Followers 0

Recommended Posts

VanVeign

VanVeign

Posted
Posted (edited)

This trojan infected my Windows Live Messenger and send itself about my contacts.

I warned everyone of my friends about that.(sry my english is not that well I'm german...)

My anti-virus system detected it and said it has been deleted but after a while working with my WLM it get the same mistake it beginn to send to everyone who's online a link with its data.

Can anyone help me ??? please!!!!

and now here is my scan:Logfile of HijackThis v1.99.1

Scan saved at 12:55:16, on 10.08.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Norton Internet Security\NISUM.EXE

C:\Programme\Norton Internet Security\ccPxySvc.exe

C:\Programme\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkSrv2K.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Programme\D-Tools\daemon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\T-Online\ISDN SpeedManager\Tomcat.exe

C:\Programme\Java\jre1.5.0_03\bin\jusched.exe

C:\Programme\HP\HP Software Update\HPWuSchd2.exe

C:\Programme\Macrogaming\SweetIM\SweetIM.exe

C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe

C:\Programme\Logitech\iTouch\iTouch.exe

C:\Programme\Logitech\MouseWare\system\em_exec.exe

F:\Tuning\Speedwitch\SpeedswitchXP.exe

C:\Programme\Messenger\msmsgs.exe

C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe

C:\DOKUME~1\Rene\LOKALE~1\Temp\Temporäres Verzeichnis 2 für hijackthis.zip\HijackThis.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll

O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)

O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Dokumente und Einstellungen\Rene\8994435.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [iSDN SpeedManager] "C:\Programme\T-Online\ISDN SpeedManager\Tomcat.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sweetIM] C:\Programme\Macrogaming\SweetIM\SweetIM.exe

O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKCU\..\Run: [speedswitchXP] F:\Tuning\Speedwitch\SpeedswitchXP.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_03\bin\npjpi150_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_03\bin\npjpi150_03.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{29B4CE29-D4BC-4DDF-A32B-AF64B787438B}: NameServer = 217.237.149.142 217.237.150.205

O17 - HKLM\System\CS2\Services\Tcpip\..\{29B4CE29-D4BC-4DDF-A32B-AF64B787438B}: NameServer = 217.237.149.142 217.237.150.205

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - (no file)

O21 - SSODL: printers - {B7806331-08EE-49F8-A101-8529B99144D3} - libmsns.dll (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Internet Security\ccPxySvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Internet Security\NISUM.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Syntek DC-112X Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkSrv2K.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Edited by VanVeign
Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply along with a Combofix log (Link below).

Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply .

**If the SmitfraudFix tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Link to post
Share on other sites
VanVeign

VanVeign

Posted
  • Author
Posted

Here you are:

SmitFraudFix v2.212

Scan done at 14:16:09,62, 16.08.2007

Run from C:\Dokumente und Einstellungen\Rene\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Norton Internet Security\NISUM.EXE

C:\Programme\Norton Internet Security\ccPxySvc.exe

C:\Programme\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkSrv2K.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\Programme\D-Tools\daemon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\T-Online\ISDN SpeedManager\Tomcat.exe

C:\Programme\Java\jre1.5.0_03\bin\jusched.exe

C:\Programme\HP\HP Software Update\HPWuSchd2.exe

C:\Programme\Macrogaming\SweetIM\SweetIM.exe

C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe

C:\Programme\Logitech\iTouch\iTouch.exe

C:\Programme\Logitech\MouseWare\system\em_exec.exe

F:\Tuning\Speedwitch\SpeedswitchXP.exe

C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\notepad.exe

C:\Programme\Mozilla Firefox\firefox.exe

C:\Programme\Messenger\msmsgs.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Rene

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Rene\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOKUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

C:\DOKUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Rene\FAVORI~1

C:\DOKUME~1\Rene\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

C:\Programme\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Die derzeitige Homepage"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"coursings"="{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface

DNS Server Search Order: 217.237.149.142

DNS Server Search Order: 217.237.150.205

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29B4CE29-D4BC-4DDF-A32B-AF64B787438B}: NameServer=217.237.149.142 217.237.150.205

HKLM\SYSTEM\CS2\Services\Tcpip\..\{29B4CE29-D4BC-4DDF-A32B-AF64B787438B}: NameServer=217.237.149.142 217.237.150.205

HKLM\SYSTEM\CS3\Services\Tcpip\..\{29B4CE29-D4BC-4DDF-A32B-AF64B787438B}: NameServer=217.237.149.142 217.237.150.205

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Combofix

ComboFix 07-08-14.4 - "Rene" 2007-08-16 13:58:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.137 [GMT 2:00]

* Created a new restore point

ADS removed - svchost.exe: deleted 68 bytes in 1 streams.

ADS removed - ntoskrnl.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\d.exe

C:\Dokumente und Einstellungen\Rene.\aria.txt

C:\Programme\media-codec

C:\Programme\media-codec\ot.ico

C:\Programme\media-codec\ts.ico

C:\temp\17o7

C:\WINDOWS\images012.zip

C:\WINDOWS\images021.zip

C:\WINDOWS\images024.zip

C:\WINDOWS\images027.zip

C:\WINDOWS\images033.zip

C:\WINDOWS\images039.zip

C:\WINDOWS\images066.zip

C:\WINDOWS\images087.zip

C:\WINDOWS\images090.zip

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\libmsns.dll

C:\WINDOWS\system32\p2pnetworking.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))

2007-08-16 13:57 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-08-16 13:55 3,014 --a------ C:\WINDOWS\system32\tmp.reg

2007-08-15 10:55 122,880 --a------ C:\DOKUME~1\Rene\81585542.dll

2007-08-11 17:34 <DIR> d-------- C:\Programme\MSN Messenger

2007-08-11 17:32 <DIR> d-------- C:\DOKUME~1\Rene\ANWEND~1\MSNInstaller

2007-08-08 21:48 97,280 --a------ C:\DOKUME~1\Rene\xxvjjg.exe

2007-08-08 21:44 5,120 --a------ C:\WINDOWS\svchost.dll

2007-08-08 21:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

2007-08-08 21:12 116,224 -ra------ C:\WINDOWS\system32\msninet.exe

2007-08-04 14:15 967 --a------ C:\WINDOWS\ScUnin.pif

2007-08-04 14:15 69,632 --a------ C:\WINDOWS\ScUnin.exe

2007-08-04 14:15 29,346 --a------ C:\WINDOWS\scunin.dat

2007-08-04 14:08 97,792 --a------ C:\WINDOWS\system32\LGUICOM.DLL

2007-08-04 14:08 94,208 --a------ C:\WINDOWS\system32\FEELIT.DLL

2007-08-04 14:08 70,798 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys

2007-08-04 14:08 51,486 --------- C:\WINDOWS\system32\drivers\L8042PR2.SYS

2007-08-04 14:08 3,568 --a------ C:\WINDOWS\system32\LMOUSE16.DLL

2007-08-04 14:08 25,502 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys

2007-08-04 14:08 23,372 --------- C:\WINDOWS\system32\LCOINST.DLL

2007-08-04 14:08 19,968 --------- C:\WINDOWS\LOGI_MWX.EXE

2007-08-04 14:08 16,896 --a------ C:\WINDOWS\system32\LMOUSE32.DLL

2007-08-04 14:08 155,648 --a------ C:\WINDOWS\system32\ifc21.dll

2007-08-04 14:08 152,064 --------- C:\WINDOWS\system32\lmoufrc.dll

2007-08-04 14:08 104,960 --a------ C:\WINDOWS\system32\COMNCTR.DLL

2007-08-04 14:07 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL

2007-08-04 14:07 37,884 --a------ C:\WINDOWS\system32\drivers\LHidUsb.sys

2007-08-04 14:07 14,092 --a------ C:\WINDOWS\system32\drivers\LCcfltr.sys

2007-08-04 14:07 12,953 --------- C:\WINDOWS\system32\drivers\itchfltr.sys

2007-08-04 14:07 <DIR> d-------- C:\Programme\Logitech

2007-08-04 14:07 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Logitech

2007-08-03 10:19 <DIR> d-------- C:\Programme\BFVCC Server Manager

2007-07-16 17:16 <DIR> dr------- C:\DOKUME~1\LOCALS~1\Favoriten

2007-07-16 00:50 <DIR> dr------- C:\DOKUME~1\LOCALS~1\Eigene Dateien

2007-07-16 00:48 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys

2007-07-16 00:48 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2007-07-16 00:48 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys

2007-07-16 00:48 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2007-07-16 00:48 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys

2007-07-16 00:48 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2007-07-16 00:48 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys

2007-07-16 00:48 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2007-07-16 00:48 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys

2007-07-16 00:48 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2007-07-16 00:48 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys

2007-07-16 00:48 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2007-07-16 00:48 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys

2007-07-16 00:48 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2007-07-16 00:45 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys

2007-07-16 00:45 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2007-07-16 00:41 787,081 --a------ C:\WINDOWS\system32\drivers\StkMini.sys

2007-07-16 00:41 69,632 --a------ C:\WINDOWS\system32\StkWIA.dll

2007-07-16 00:41 650,444 --a------ C:\WINDOWS\system32\drivers\StkPin.sys

2007-07-16 00:41 57,344 --a------ C:\WINDOWS\system32\StkVFW.dll

2007-07-16 00:41 54,272 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll

2007-07-16 00:41 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2007-07-16 00:41 4,673 --a------ C:\WINDOWS\system32\drivers\StkScan.sys

2007-07-16 00:41 24,576 --a------ C:\WINDOWS\system32\StkUSD.dll

2007-07-16 00:41 24,576 --a------ C:\WINDOWS\system32\StkSSrv.dll

2007-07-16 00:41 24,576 --a------ C:\WINDOWS\system32\StkSrv2k.exe

2007-07-16 00:41 232,716 --a------ C:\WINDOWS\system32\drivers\StkCamd.sys

2007-07-16 00:41 20,480 --a------ C:\WINDOWS\system32\StkCoIn.dll

2007-07-16 00:41 172,032 --a------ C:\WINDOWS\VideoView.exe

2007-07-16 00:41 17,279 --a------ C:\WINDOWS\system32\drivers\StkSam.sys

2007-07-16 00:41 106,496 --a------ C:\WINDOWS\Stk112X.exe

2007-07-16 00:41 10,479,585 --a------ C:\WINDOWS\system32\drivers\StkPipe.sys

2007-07-16 00:41 <DIR> d-------- C:\WINDOWS\STKDU

2007-07-16 00:41 <DIR> d-------- C:\Programme\videoview

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 14:06 --------- d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared

2007-08-14 16:24 --------- d-------- C:\DOKUME~1\Rene\ANWEND~1\Image Zone Express

2007-08-09 11:43 --------- d-------- C:\Programme\Norton Internet Security

2007-08-09 11:43 --------- d-------- C:\Programme\Norton AntiVirus

2007-08-07 00:37 --------- d-------- C:\Programme\Bilder

2007-08-04 14:08 --------- d--h----- C:\Programme\InstallShield Installation Information

2007-08-03 10:22 729088 --a------ C:\WINDOWS\iun6002.exe

2007-08-03 10:20 --------- d-------- C:\Programme\EA GAMES

2007-06-30 11:40 --------- d-------- C:\Programme\TuneUp Utilities 2006

2007-06-24 15:46 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll

2007-06-24 15:46 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll

2007-06-24 15:46 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll

2007-05-14 23:08 417792 --a------ C:\Programme\Video.exe

2007-05-14 23:08 417792 --a------ C:\Programme\Track_03.exe

2007-05-14 23:08 25214 --a------ C:\Programme\B.ico

2007-05-14 23:08 25214 --a------ C:\Programme\A.ico

2007-05-14 23:08 218606 --a------ C:\Programme\c.zip

2007-05-14 23:08 218600 --a------ C:\Programme\a.zip

2007-05-14 23:08 217706 --a------ C:\Programme\b.zip

2007-04-14 11:32 417792 --a------ C:\Programme\Setup.exe

2007-04-10 18:24 78360 --a------ C:\Programme\uy.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5753791b-f607-48ca-814e-91c14d081f9e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9}]

2007-08-15 10:55 122880 --a------ C:\Dokumente und Einstellungen\Rene\81585542.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools-1033"="C:\Programme\D-Tools\daemon.exe" [2004-08-22 17:05]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06]

"Cmaudio"="cmicnfg.cpl" []

"ccRegVfy"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe" [2003-10-09 10:27]

"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2003-10-09 10:26]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00]

"ISDN SpeedManager"="C:\Programme\T-Online\ISDN SpeedManager\Tomcat.exe" [2003-07-30 13:04]

"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]

"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

"SweetIM"="C:\Programme\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]

"AceGain LiveUpdate"="C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe" [2004-01-01 03:12]

"zBrowser Launcher"="C:\Programme\Logitech\iTouch\iTouch.exe" [2003-12-01 11:38]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 11:50 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedswitchXP"="F:\Tuning\Speedwitch\SpeedswitchXP.exe" [2004-05-14 02:30]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00]

C:\Dokumente und Einstellungen\All Users\StartmenÂ\Programme\Autostart\

Adobe Reader - Schnellstart.lnk - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

HP Digital Imaging Monitor.lnk - C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

Microsoft Office.lnk - C:\Programme\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=0 (0x0)

"NoDispBackgroundPage"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuMFUprogramsList"=0 (0x0)

"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^EPSON Status Monitor 3 Environment Check 2.lnk]

path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\EPSON Status Monitor 3 Environment Check 2.lnk

backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AceGain LiveUpdate]

C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISDN SpeedManager]

"C:\Programme\T-Online\ISDN SpeedManager\Tomcat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

"F:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

C:\Programme\Macrogaming\SweetIM\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Programme\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltraDVDMon]

F:\Torren\Programme\UltraDVD\DVDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDesk]

F:\Tuning\TweakNow PowerPack\VirDesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

F:\Programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SymWSC"=2 (0x2)

"SNDSrvc"=3 (0x3)

"NVSvc"=2 (0x2)

"gusvc"=3 (0x3)

"EPSONStatusAgent2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"p2p networking"=p2pnetworking.exe

R1 DumaNT;NVIDIA Stereo Helper Service;C:\WINDOWS\system32\DRIVERS\dumant.sys

R1 SSHDRV79;SSHDRV79;\??\C:\WINDOWS\system32\drivers\SSHDRV79.sys

R1 SSHDRV85;SSHDRV85;\??\C:\WINDOWS\system32\drivers\SSHDRV85.sys

R2 StkSSrv;Syntek DC-112X Service;C:\WINDOWS\System32\StkSrv2K.exe

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;C:\WINDOWS\system32\DRIVERS\avmwan.sys

R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;C:\WINDOWS\system32\DRIVERS\fpcibase.sys

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys

R3 TOMCATWAN;T-Online DynamicISDN (WDM);C:\WINDOWS\system32\DRIVERS\WTOMCAT.SYS

S3 GMSIPCI;GMSIPCI;\??\E:\INSTALL\GMSIPCI.SYS

S3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\Drivers\itchfltr.sys

S3 MSICPL;MSICPL;\??\E:\install4\MSICPL.sys

S3 NTACCESS;NTACCESS;\??\E:\NTACCESS.sys

S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys

S3 StkMini;Syntek DC-112X;C:\WINDOWS\system32\Drivers\StkMini.sys

S3 StkScan;Syntek DC-112X Filter Driver;C:\WINDOWS\system32\Drivers\StkScan.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f548a1d6-1994-11db-9812-544f4d4c3100}]

AutoRun\command- K:\AUTORUN.EXE

Contents of the 'Scheduled Tasks' folder

2007-08-10 15:36:15 C:\WINDOWS\Tasks\1-Klick-Wartung.job

2007-08-10 18:12:31 C:\WINDOWS\Tasks\Norton AntiVirus - Meinen Computer prüfen.job

2007-08-16 12:06:19 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Programme\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-16 14:06:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-16 14:09:32 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-08-16 14:08

--- E O F ---

Thx for your help ...

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

After this we will still have a little clean up to do, but I think it better to do each fix seperately here.

Warning : running option #2 on a non infected computer will remove your Desktop background.˜

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Followers 0
Go to topic listing