Trojan-gen

Hi, Avast found Trojan-gen in the following file on my Windows XP system:
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\archive.pst\Archivordner\Overste Ebene des Persönlichen Ordners\gelöchte Objekte\Hallo, hier Bewerbung von Tanja\Private-Fotos_JPG.com.
I remember this mail; I did not open it but deleted it. Now all programs are running very well (at first sight).

I tried to remove the file, but Avast is not able to remove it.
When I checked the file separately, Trojan-gen was found again. When I tried once more to remove the file, instead a message from Avast was shown: the process cannot work with the file because it is being used by another process.

Spybot did not find the trojan.

Now my questions:

Is it dangerous?
How can I remove the file, or is it not possible to remove it?

Hope you can help me, and please send a copy of your answer to
schnellbaecher@uftag.de
Thank you

Hi Winfried119,

  1. Download these programmes (i.e. into their own folders on your Desktop), but do not run them till I ask you to:

Ewido from: http://shop.element5.com/product.html?productid=531168&affiliateid=200010704
CCleaner from: http://www.filehippo.com/download_ccleaner.html
HijackThis (HJT) from: http://www.spychecker.com/download/download_hijackthis.html

  2. Run CCleaner.

  3. Boot the PC into Safe Mode (tap the F8 key repeatedly at bootup, or click here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 ).

  4. Run a full scan with Ewido:
    Click on Scanner. Click on Complete System Scan and the scan will begin.
    While the scan is in progress, you will be prompted to clean files; click OK.

When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.

Once the scan has completed, there will be a button at the bottom of the screen named Save report.
Click Save report. Save the report .txt file to your desktop. Close Ewido.

  5. Reboot the PC into Normal Mode.

  6. Run HijackThis, save the log and post it in this thread together with the log from Ewido, and we will try to help you :-) .
    

polonus

Hi Polonus,

I can't download Ewido.

Now I send you the logs.
Hope you can help me.

Best regards

Winfried119

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:49, on 03.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Download\AVCAST\aswUpdSv.exe
C:\Download\AVCAST\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
C:\Programme\ScanSoft\OmniPageSE\opware32.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\anvshell.exe
C:\Download\AVCAST\ashDisp.exe
C:\Download\Scype\SAM\CmSkype.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Iomega\AutoDisk\AD2KClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\WinTV\Ir.exe
C:\Programme\WISO\Sparbuch 2007\rswisoservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Download\AVCAST\ashMaiSv.exe
C:\Download\AVCAST\ashWebSv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.schnellstarten.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.99:3128
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Windows 32 system] win32.exe
O4 - HKLM..\Run: [System Startup] voltio.exe
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [MSVSync] videosync.exe
O4 - HKLM..\Run: [MSCommX] C:\WINDOWS\System32\mscommx.exe
O4 - HKLM..\Run: [liveNote] livenote.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe
O4 - HKLM..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [CloneDVDElbyDelay] “C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe” /L ElbyDelay
O4 - HKLM..\Run: [CloneCDElbyCDFL] “C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL
O4 - HKLM..\Run: [Anvshell] anvshell.exe
O4 - HKLM..\Run: [avast!] C:\Download\AVCAST\ashDisp.exe
O4 - HKLM..\Run: [CmSkype] C:\Download\Scype\SAM\CmSkype.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKLM..\RunServices: [Windows 32 system] win32.exe
O4 - HKLM..\RunServices: [System Startup] voltio.exe
O4 - HKLM..\RunServices: [MSVSync] videosync.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Programme\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Iomega Active Disk] C:\Programme\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Skype] “C:\Programme\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOKALER DIENST’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETZWERKDIENST’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [MSVSync] videosync.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [ALUAlert] C:\Programme\Symantec\LiveUpdate\ALUNotify.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [Windows 32 system] win32.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [Windows 32 system] win32.exe (User ‘Default user’)
O4 - Global Startup: AutoStart IR.lnk = C:\Programme\WinTV\Ir.exe
O4 - Global Startup: WISO Urteilsmonitor.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095417194625
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://router.hottinger.biz:8082/activex/AxisCamControl.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Download\AVCAST\aswUpdSv.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Download\AVCAST\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Download\AVCAST\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Download\AVCAST\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RvscomSv - Living Byte Software GmbH, München - C:\Programme\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, München - C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE
O23 - Service: Video Sync Manager (vsync) - Unknown owner - C:\WINDOWS\System32\videosync.exe (file missing)


End of file - 9101 bytes

There are a couple of nasty worms visible in this log.

Try a boot-time scan with avast!: right-click the scanner screen, select 'Schedule a boot-time scan' and reboot when requested.

Try a scan with Dr.Web CureIt!

If you can't download it on the infected computer, do so on another computer, burn it to disc and run it in Safe Mode if possible.

Can you boot into Safe Mode with Networking?

If so, run some online scans.

F-Secure

BitDefender

Panda

Trend Micro Housecall
ESET Online Scanner

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM..\Run: [Windows 32 system] win32.exe
O4 - HKLM..\Run: [System Startup] voltio.exe
O4 - HKLM..\Run: [MSCommX] C:\WINDOWS\System32\mscommx.exe
O4 - HKLM..\Run: [MSVSync] videosync.exe
O4 - HKLM..\RunServices: [Windows 32 system] win32.exe
O4 - HKLM..\RunServices: [System Startup] voltio.exe
O4 - HKLM..\RunServices: [MSVSync] videosync.exe
O4 - HKUS\S-1-5-18..\Run: [MSVSync] videosync.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [Windows 32 system] win32.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [Windows 32 system] win32.exe (User ‘Default user’)
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: Video Sync Manager (vsync) - Unknown owner - C:\WINDOWS\System32\videosync.exe (file missing)

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

THEN

@echo off
rem sc takes the service name (the name in parentheses in the HJT O23 line), not the display name
sc stop hpdj
sc delete hpdj
sc stop vsync
sc delete vsync
exit

Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Then in the text file go to FILE > SAVE AS, and in the SAVE AS TYPE dropdown select ALL FILES. Then in the FILE NAME box type fix.bat

This will create a batch file:
http://img524.imageshack.us/img524/9383/batmp6.jpg

Then run fix.bat by double-clicking it. You may see a black box appear; this is normal.

NEXT

Please download OTMoveIt2 by OldTimer.

  1. Save it to your desktop.
  2. Double-click OTMoveIt2.exe to run it.
  3. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\System32\mscommx.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe
C:\WINDOWS\System32\videosync.exe

  4. Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  5. Return to OTMoveIt2, right-click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  6. Click the red MoveIt! button.
  7. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  8. Close OTMoveIt2.

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

FINALLY

Download ComboFix from Here or Here to your Desktop.

  1. Double-click combofix.exe and follow the prompts.
  2. When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

Note: do not mouse-click ComboFix's window while it is running. That may cause it to stall.
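The triage essexboy did by eye above (path-less autostart entries such as win32.exe and voltio.exe, services whose binary is missing or sits in a Temp folder, and the sc commands to remove them) can be scripted. The following is an added example and not code from the thread or from any of the tools named in it: it parses HijackThis v2 O4 and O23 lines, flags the same patterns, and builds sc stop/sc delete commands from the service short name, which is the name in parentheses in the O23 line and the one sc actually requires (the batch above needs "vsync", not "Video Sync Manager"). The sample lines are constructed from the log posted above, and the KNOWN_BARE allowlist is an assumption for illustration; anything it flags is for review, not automatic deletion.

```python
"""Triage a HijackThis v2 log: flag autostart entries and services worth
reviewing and emit the sc commands to remove flagged services."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 format, modelled on the log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Windows 32 system] win32.exe
O4 - HKLM\\..\\Run: [System Startup] voltio.exe
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [avast!] C:\\Download\\AVCAST\\ashDisp.exe
O4 - HKLM\\..\\RunServices: [SchedulingAgent] C:\\WINDOWS\\System32\\mstask.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [MSVSync] videosync.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Download\\AVCAST\\ashServ.exe
O23 - Service: hpdj - Unknown owner - C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\hpdj.exe (file missing)
O23 - Service: Video Sync Manager (vsync) - Unknown owner - C:\\WINDOWS\\System32\\videosync.exe (file missing)
"""

# Assumption: path-less names that Windows and driver installers legitimately
# write. Any other bare name is resolved via PATH at logon and gets reviewed.
KNOWN_BARE = {"nwiz.exe", "ctfmon.exe", "rundll32.exe", "rundll32"}

# O4 - <hive>\..\<Run key>: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User .*?\))?$")
# O23 - Service: <display> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    kind: str                       # "O4" or "O23"
    name: str                       # registry value name or service short name
    reason: str
    fix: Optional[List[str]] = None  # sc commands, services only


def first_token(cmd: str) -> str:
    """Executable part of a Run value: a quoted path or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def service_short_name(display: str) -> str:
    """HJT prints 'Display Name (shortname)'; sc needs the short name."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            reasons = []
            if "\\" not in exe and exe.lower() not in KNOWN_BARE:
                reasons.append("bare executable name, resolved via PATH")
            if "\\temp\\" in exe.lower():
                reasons.append("runs from a Temp directory")
            if reasons:
                findings.append(Finding("O4", m.group("name"), f"{exe}: " + "; ".join(reasons)))
            continue
        m = O23_RE.match(line)
        if m:
            parts = m.group("rest").rsplit(" - ", 2)  # display names may contain " - "
            if len(parts) != 3:
                continue
            display, _owner, path = parts
            reasons = []
            if m.group("missing"):
                reasons.append("service binary missing on disk")
            if "\\temp\\" in path.lower():
                reasons.append("service binary in a Temp directory")
            if reasons:
                short = service_short_name(display)
                findings.append(Finding("O23", short, "; ".join(reasons),
                                        [f"sc stop {short}", f"sc delete {short}"]))
    return findings


def sc_commands(findings: List[Finding]) -> List[str]:
    """Flattened sc commands for every flagged service, in log order."""
    return [cmd for f in findings if f.fix for cmd in f.fix]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} [{f.name}] {f.reason}")
    print("\n".join(sc_commands(found)))
```

Running it against the sample prints the three bare O4 entries and the two orphaned services, followed by the four sc lines; the HJT "Fix Checked" step still has to remove the O4 values themselves, since sc only touches services.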

You know, if you're gonna jump in where people are trying to help already, you're just gonna piss people off.

Your own forum says to run some general scans before you seek advice, so why not follow the same rules here?

And if you're gonna swan in when you feel like it, who's gonna deal with all those unanswered posts?

http://forum.avast.com/index.php?topic=32908.0

http://forum.avast.com/index.php?topic=32863.0

http://forum.avast.com/index.php?topic=32856.0

http://forum.avast.com/index.php?topic=32891.0

http://forum.avast.com/index.php?topic=32789.0

http://forum.avast.com/index.php?topic=32872.0

??? ok

If helpers from other forums are going to come here and offer advice, then they need to respond to all requests for help, not miss a dozen and then shoulder out somebody who is trying to help.

Hi FwF,

Even better would be if those who are into malware cleansing here were offered a slightly more extended manual than the one offered here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
And I wonder why this could not be offered in the place intended for it, which is the evangelists' board.

Essexboy, oldman, mauserme etc. could give an exposé there to educate us on how exactly to work ComboFix, SDFix, HijackThis etc. to our mutual benefit. And I also have some additional instructions up my sleeve to share with others.
I can fully understand your remark, but it is a fact that there is malware around at the moment that cannot be cleansed from computers by scanners alone; it can be done manually, but that is not everybody's thing.
That general cleansing should be performed before individual help is offered goes without saying; it's normal standard procedure, as far as I am aware. Also, the victim should be given general advice on what to do to prevent a further infection or re-infection (updates, latest Sun Java version, appropriate cleansing programs, and a warning against pseudo and rogue programs).

polonus

Hi,

First, I did what Freewheelir advised me to do. Dr.Web CureIt! did not find an infection.

Please do me the favour of helping me with the next steps (I am not an expert).

Thank you,

Winfried 119

I suggest continuing with essexboy's suggestions. The other scanners didn't find your problem.

Hi, thank you essexboy.

Please do me the favour of explaining to me in more detail how to create a batch file, and what I have to do with it.

Thank you for your support.

Winni

If you read his post at http://forum.avast.com/index.php?topic=32483.msg276490#msg276490 again, essexboy explains how to create a batch (.bat) file.

Hi,

The spyware program has just run its regular scan, and it has shown something in the final report that I am not sure about.

Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DXDIIRegExe=dxdllreg.exe

Could anyone please advise what it is and how it is affecting my system/computer?


Hi shaba -

Please do not double post. Also see my reply to you at the link below.

http://forum.avast.com/index.php?topic=33435.msg280047#msg280047


Hi david R.,

I read essexboy's explanation of how to create a batch file. It was part of the answer concerning the analysis of my HijackThis logfile. But I am afraid of doing something wrong. Hence I need a more detailed explanation for my own security.
Especially these questions:
Before clicking Fix Checked, do I have to mark all the listed entries that are found?
Do I first have to create the batch file, and then write into it the files listed in the box with the heading "quote"?
What happens if I do something wrong when creating the batch file?

Thank you for your patience,

best regards

Yes, check all the lines that are in bold text in essexboy’s post.

The first step in creating the batch file is copying and pasting all the text in the quote box into Notepad. The batch file he is having you create will stop the 2 services that are causing you problems.

How can I open or use a Notepad file?
I opened the ImageShack link. What do I have to do?

Hi, I worked hard to understand all the steps,
and I have now done what essexboy advised me to do. But I did not create a batch file. How does that work?
Below you will find the result of OTMoveIt2 by OldTimer:
File/Folder C:\WINDOWS\System32\mscommx.exe not found.
File/Folder C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe not found.
File/Folder C:\WINDOWS\System32\videosync.exe not found.
[Custom Input]
< C:\WINDOWS\System32\mscommx.exe >
File/Folder C:\WINDOWS\System32\mscommx.exe not found.
< C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe >
File/Folder C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\hpdj.exe not found.
< C:\WINDOWS\System32\videosync.exe >
File/Folder C:\WINDOWS\System32\videosync.exe not found.

OTMoveIt2 v1.0.20 log created on 02272008_171553

Is everything now done, in essexboy's spirit?

Best regards

Logfile from Combofix:
ComboFix 08-02-25.3 - Administrator 2008-02-27 17:35:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.194 [GMT 1:00]
run from: C:\Download\Rechnerproblembehandlung\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((( Files created from 2008-01-27 to 2008-02-27 ))))))))))))))))))))))))))))))
.

2008-02-27 17:15 . 2008-02-27 17:15 d-------- C:\_OTMoveIt
2008-02-27 16:25 . 2008-02-27 16:25 d-------- C:\Programme\ImageShackToolbar
2008-02-17 12:04 . 2008-02-17 12:04 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-10 19:07 . 2008-02-10 19:07 d-------- C:\Dokumente und Einstellungen\Administrator\DoctorWeb
2008-02-03 22:25 . 2008-02-03 22:25 d-------- C:\Programme\Trend Micro
2008-02-03 18:01 . 2008-02-03 18:01 d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft
2008-02-03 18:01 . 2008-02-03 18:01 d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Grisoft
2008-02-03 18:01 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-03 11:32 . 2008-02-03 11:32 d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Yahoo! Companion
2008-02-03 11:26 . 2008-02-03 11:26 d-------- C:\Programme\Yahoo!

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 15:52 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Skype
2007-12-30 22:02 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Buhl Data Service
2007-12-30 22:01 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Buhl Data Service GmbH
2000-12-15 13:02 100,560 ------w C:\Programme\Win2000PPAHotfix.exe
.

(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Note: empty entries & legitimate default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MSMSGS”=“C:\Programme\Messenger\msmsgs.exe” [2004-10-13 17:24 1694208]
“Iomega Active Disk”=“C:\Programme\Iomega\AutoDisk\AD2KClient.exe” [2001-09-13 10:35 45056]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:57 15360]
“swg”=“C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-08-11 11:10 68856]
“Skype”=“C:\Programme\Skype\Phone\Skype.exe” [2007-05-28 13:52 23458344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SSBkgdUpdate”=“C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” [2003-10-14 10:22 155648]
“SetDefPrt”=“C:\Programme\Brother\Brmfl05a\BrStDvPt.exe” [2005-01-26 18:02 49152]
“PaperPort PTD”=“C:\Programme\ScanSoft\PaperPort\pptd40nt.exe” [2005-03-17 16:39 57393]
“Omnipage”=“C:\Programme\ScanSoft\OmniPageSE\opware32.exe” [2002-06-03 11:38 49152]
“nwiz”=“nwiz.exe” [2003-05-02 08:19 323584 C:\WINDOWS\system32\nwiz.exe]
“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2003-05-02 08:19 4640768]
“NeroCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]
“LiveNote”=“livenote.exe” [2002-07-11 14:31 40960 C:\WINDOWS\livenote.exe]
“Iomega Startup Options”=“C:\Programme\Iomega\Common\ImgStart.exe” [2001-01-17 16:33 45056]
“Iomega Drive Icons”=“C:\Programme\Iomega\DriveIcons\ImgIcon.exe” [2001-09-12 10:35 61440]
“IndexSearch”=“C:\Programme\ScanSoft\PaperPort\IndexSearch.exe” [2005-03-17 17:01 40960]
“ControlCenter2.0”=“C:\Programme\Brother\ControlCenter2\brctrcen.exe” [2005-05-17 17:42 933888]
“Cmaudio”=“cmicnfg.cpl”
“CloneDVDElbyDelay”=“C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe” [2002-11-02 07:33 45056]
“CloneCDElbyCDFL”=“C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe” [2002-11-02 07:33 45056]
“Anvshell”=“anvshell.exe” [2003-05-29 08:53 348160 C:\WINDOWS\anvshell.exe]
“avast!”=“C:\Download\AVCAST\ashDisp.exe” [2007-12-04 14:00 79224]
“CmSkype”=“C:\Download\Scype\SAM\CmSkype.exe” [2005-07-12 11:19 421888]
“!AVG Anti-Spyware”=“C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 10:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
“SchedulingAgent”=“C:\WINDOWS\System32\mstask.exe”

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-03 23:57 15360]
“Windows 32 system”=“win32.exe”
“System Startup”=“voltio.exe”
“ALUAlert”=“C:\Programme\Symantec\LiveUpdate\ALUNotify.exe”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Programme\Skype\Phone\Skype.exe”=

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2003-05-19 09:12]
R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\system32\drivers\rvsport.sys [2002-07-19 00:00]
R2 SamVirtualCable;SAM Virtual Cable;C:\WINDOWS\system32\Drivers\samvckmd.sys [2005-03-08 05:55]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2003-09-11 16:29]
R3 SaiH5F0D;SaiH5F0D;C:\WINDOWS\system32\DRIVERS\SaiH5F0D.sys [2006-02-28 11:52]
R3 SaiU5F0D;SaiU5F0D;C:\WINDOWS\system32\DRIVERS\SaiU5F0D.sys [2006-02-28 11:52]
R3 WDMWANMP;NDIS WAN miniport;C:\WINDOWS\system32\DRIVERS\wdmwanmp.sys [2003-01-13 17:41]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;“C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe”
S2 vsync;Video Sync Manager;C:\WINDOWS\System32\videosync.exe
S3 ISDN_u;ISDN USB CAPI;C:\WINDOWS\system32\DRIVERS\ISDN_u.sys [2002-12-25 12:14]
S3 RvscomSv;RvscomSv;C:\Programme\RVS\WCOM\SYSTEM\RVSCOMSV.EXE [2002-07-19 00:00]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys
S3 TOMCATWAN;T-Online DynamicISDN (WDM);C:\WINDOWS\system32\DRIVERS\WTOMCAT.SYS
S3 USBMSD;USB Mass storage Device Driver;C:\WINDOWS\system32\DRIVERS\USBMSD.SYS [2002-11-22 08:04]

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 17:43:52
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
→ C:\WINDOWS\system32\samvcumd.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
→ C:\WINDOWS\system32\samvcumd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Download\AVCAST\aswUpdSv.exe
C:\Download\AVCAST\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\Download\AVCAST\ashMaiSv.exe
C:\Download\AVCAST\ashWebSv.exe
C:\WINDOWS\system32\RunDll32.exe
.


.
Completion time: 2008-02-27 17:45:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 16:45:43
.
2008-02-27 13:00:13 — E O F —