demoness: Problems with rightfinder.net... Spyware??

Discussion in 'adware, spyware & hijack cleaning' started by demoness, Nov 9, 2003.

Thread Status:
Not open for further replies.
  1. demoness

    demoness Guest

    and anotherone :)
    i have also the problem, here is my log

    Logfile of HijackThis v1.97.3
    Scan saved at 09:51:33, on 09.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\QuickTime\qttask.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\LSAS.exe
    C:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe
    C:\WINDOWS\System32\regloadr.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\WINDOWS\System32\WScript.exe
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\scvhost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\explorex.exe
    C:\Programme\Kazaa Lite\kazaa.kpp
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Roman\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-search.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslaeg.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Programme\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Programme\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [Windows Explorer Update Build 1142] explorer32.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [lsass] c:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe
    O4 - HKLM\..\Run: [Registry Loader] regloadr.exe
    O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] explorex.exe
    O4 - HKLM\..\RunServices: [Registry Loader] regloadr.exe
    O4 - HKCU\..\Run: [TaskTray] C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Programme\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Search.vbs
    O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
    O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\GEMEIN~1\MSIETS\msiets.dll//iemenu
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/107073bbf6c099286a05/netzip/RdxIE601_de.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/products/camera_servers/AxisCamControl.ocx
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1042.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
    O19 - User stylesheet: C:\WINDOWS\my.css

    plz help me thx
     
  2. demoness

    demoness Guest

    Re:problems with rightfinder.net... Spyware??

    ok i checked my system with spybot and adaware6 and here is the new log from hijackthis....just ignore my first post sorry

    Logfile of HijackThis v1.97.3
    Scan saved at 10:37:07, on 09.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\LSAS.exe
    C:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe
    C:\WINDOWS\System32\regloadr.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\scvhost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\explorex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Roman\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.chello.at
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslaeg.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Programme\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Programme\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [Windows Explorer Update Build 1142] explorer32.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [lsass] c:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe
    O4 - HKLM\..\Run: [Registry Loader] regloadr.exe
    O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] explorex.exe
    O4 - HKLM\..\RunServices: [Registry Loader] regloadr.exe
    O4 - HKCU\..\Run: [TaskTray] C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Programme\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Search.vbs
    O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
    O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/107073bbf6c099286a05/netzip/RdxIE601_de.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/products/camera_servers/AxisCamControl.ocx
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab


    plz help thx
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi demoness,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-search.net/

    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslaeg.dll

    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [Windows Explorer Update Build 1142] explorer32.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe

    O4 - HKLM\..\Run: [lsass] c:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe
    O4 - HKLM\..\Run: [Registry Loader] regloadr.exe
    O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] explorex.exe
    O4 - HKLM\..\RunServices: [Registry Loader] regloadr.exe

    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Programme\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Search.vbs

    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?

    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/107073bbf6c099286a05/netzip/RdxIE601_de.cab

    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1042.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab

    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
    O19 - User stylesheet: C:\WINDOWS\my.css

    Then reboot and delete:
    C:\Programme\RSNet <= entire folder
    C:\WINDOWS\AddClass.exe
    Search.vbs
    C:\WINDOWS\my.css

    If you are still using NAV, please try and reinstall it. Do a full system scan and if any of the following files are not found, please report back:
    explorer32.exe: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fraggle.html
    LSAS.exe and regloadr.exe : http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ao.html
    explorex.exe:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bz.html
    c:\windows\ntconfig\windows\bootup\sysconfig\lsass.exe: ?

    If you no longer use NAV do an online virusscan, you will find several listed here: http://www.wilders.org/free_services_m.htm

    Regards,

    Pieter
     
  4. demoness

    demoness Guest

    thx man you solved my rightfinder problem but as i checked my system with trend micro it found some viruses, i was able to delete them all except for a worm called agobot. maybe you can help me with it too or tell me where i can ask some people thx!
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi demoness,

    So far so good. Could you post a new log, so I can see where we stand?

    TIA,

    Pieter
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    This is your worm:

    C:\WINDOWS\System32\scvhost.exe (Not to be confused with Svchost.exe!)

    However, Hijack This isn't showing where it starts up from.
    Would you please do the following:

    Go to http://tomcoyote.org/hjt/, and download 'Hijack This!'.

    In Hijack This, press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post its contents here.

    And feel free to start your computer in Safe Mode, and delete that C:\WINDOWS\System32\scvhost.exe file (again, make sure to leave Svchost.exe alone! )
     
  7. demoness

    demoness Guest

    here is my new log

    Logfile of HijackThis v1.97.3
    Scan saved at 18:23:44, on 09.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\scvhost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\explorex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\ICQ\Icq.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Roman\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.at/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [CTStartup] C:\Programme\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Programme\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe
    O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
    O4 - HKLM\..\RunServices: [Configuration Loader] explorex.exe
    O4 - HKCU\..\Run: [TaskTray] C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
    O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/products/camera_servers/AxisCamControl.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab

    my startuplist will follow in a few seconds.....
     
  8. demoness

    demoness Guest

    here it is

    StartupList report, 09.11.2003, 18:27:00
    StartupList version: 1.52
    Started from : C:\Roman\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\scvhost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\explorex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programme\ICQ\Icq.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Roman\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart]
    Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Configuration Loader = explorex.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    TaskTray = C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    Taskbar = C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    RemoteCenter = C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Programme\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
    CODEBASE = http://www.ipix.com/viewers/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\System32\macromed\director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab

    [Autodesk MapGuide ActiveX Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MgAxCtrl.dll
    CODEBASE = http://pub.plan.at/mgaxctrlde.cab

    [HouseCall-Kontrolle]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab

    [CamImage Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
    CODEBASE = http://www.axis.com/products/camera_servers/AxisCamControl.ocx

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
    CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Yahoo! Webcam Viewer Wrapper]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yvwrctl.dll
    CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

    [Tukati Launcher]
    InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
    CODEBASE = http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: c:\5261a8eae7ecb0c444108b||c:\ec046c0f1c1ac4774b9d3ee9c4


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll

    --------------------------------------------------
    End of report, 6.664 bytes
    Report generated in 0,031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    and a very newbie question, but how do i start my pc in safe mode *g* again thx for your help guys
     
  9. demoness

    demoness Guest

    ah i forgot....
    pieter told me to delete the file search.vbs but where is it? can't use the search function in windows....god knows why, maybe because of the virus (btw. a few .exe's doesn't work..for example antivirus programs...but i guess that's because of the virus)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, Scvhost.exe is still there.

    And this one remains to be fixed:

    O4 - HKLM\..\RunServices: [Configuration Loader] explorex.exe

    Have Hijack This fix that one, then reboot into Safe Mode, and delete both the C:\WINDOWS\System32\explorex.exe and scvhost.exe files.
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Let's first get rid of your malware. Search.vbs will no longer be active after having Hijack This fix it and rebooting., so we can attend to that one later one

    And after doing ALL of the above restart your computer, and launch Hijack This again.
    Press "Config" > "Miscellaneous Tools" once more.
    Now, under the "Generate Startuplist log" button, check both the "List also minor sections" and "list empty sections" boxes.

    Next, press "Generate Startuplist Log"

    Go to Edit > select all, copy it and post its contents here.
     
  12. demoness

    demoness Guest

    how do i get into the safe mode?
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  14. demoness

    demoness Guest

    ok the explorex.exe and scvhost.exe are deleted

    StartupList report, 09.11.2003, 19:08:30
    StartupList version: 1.52
    Started from : C:\Roman\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\scvhost.exe
    C:\Roman\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Dokumente und Einstellungen\winter\Startmenü\Programme\Autostart]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart]
    Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    TaskTray = C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    Taskbar = C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    RemoteCenter = C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    [CTStartup]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]
    StubPath = rundll32 iesetup.dll,IEAccessUserInst

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registrierungs-Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [{00000075-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB

    [QuickTime Object]
    InProcServer32 = C:\Programme\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
    CODEBASE = http://www.ipix.com/viewers/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\System32\macromed\director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab

    [Autodesk MapGuide ActiveX Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MgAxCtrl.dll
    CODEBASE = http://pub.plan.at/mgaxctrlde.cab

    [HouseCall-Kontrolle]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab

    [JavaBeansBridge.Object]
    InProcServer32 = C:\Programme\JavaSoft\JRE\1.3\bin\beans.ocx
    CODEBASE = http://java.sun.com/products/1.3/jinstall-11-win.cab

    [CamImage Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
    CODEBASE = http://www.axis.com/products/camera_servers/AxisCamControl.ocx

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
    CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Yahoo! Webcam Viewer Wrapper]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yvwrctl.dll
    CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

    [Tukati Launcher]
    InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
    CODEBASE = http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI-Treiber: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel-Echounterdrückung: system32\drivers\aec.sys (manual start)
    Umgebung für die AFD-Netzwerkunterstützung: \SystemRoot\System32\drivers\afd.sys (autostart)
    Warndienst: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Gatewaydienst auf Anwendungsebene: %SystemRoot%\System32\alg.exe (manual start)
    Anwendungsverwaltung: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394-ARP-Clientprotokoll: System32\DRIVERS\arp1394.sys (manual start)
    Asynchroner RAS -Medientreiber: System32\DRIVERS\asyncmac.sys (manual start)
    Standard-IDE/ESDI-Festplattencontroller: System32\DRIVERS\atapi.sys (system)
    Protokoll für ATM ARP-Client: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audiostubtreiber: System32\DRIVERS\audstub.sys (manual start)
    AVP Control Centre Service: "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /service (autostart)
    Intelligenter Hintergrundübertragungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    MAC-Brücke: System32\DRIVERS\bridge.sys (manual start)
    MAC-Brückenminiport: System32\DRIVERS\bridge.sys (manual start)
    Computerbrowser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Untertiteldecoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM-Laufwerktreiber: System32\DRIVERS\cdrom.sys (system)
    Config Loader: "C:\WINDOWS\System32\scvhost.exe" -service (autostart)
    Indexdienst: C:\WINDOWS\System32\cisvc.exe (manual start)
    Ablagemappe: %SystemRoot%\system32\clipsrv.exe (manual start)
    COM+-Systemanwendung: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.EXE (autostart)
    Kryptografiedienste: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
    Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
    Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
    DHCP-Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Laufwerktreiber: System32\DRIVERS\disk.sys (system)
    Verwaltungsdienst für die Verwaltung logischer Datenträger: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Treiber für die Verwaltung logischer Datenträger: System32\DRIVERS\dmio.sys (system)
    Verwaltung logischer Datenträger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel-DLS-Synthesizer: system32\drivers\DMusic.sys (manual start)
    DNS-Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel-DRM-Audioentschlüsselung: system32\drivers\drmkaud.sys (manual start)
    3Com EtherLink XL 90XB/C-Adaptertreiber: System32\DRIVERS\el90xbc5.sys (manual start)
    ElbyCDFL: System32\Drivers\ElbyCDFL.sys (manual start)
    ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
    Creative EMU10K1/EMU10K2 Audio Driver (WDM): system32\drivers\e10kx2k.sys (manual start)
    E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
    ENTECH: \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS (manual start)
    Fehlerberichterstattungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Ereignisprotokoll: %SystemRoot%\system32\services.exe (autostart)
    COM+-Ereignissystem: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fasttrak: system32\drivers\Fasttrak.sys (system)
    Kompatibilität für schnelle Benutzerumschaltung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Diskettencontrollertreiber: System32\DRIVERS\fdc.sys (manual start)
    Diskettenlaufwerktreiber: System32\DRIVERS\flpydisk.sys (manual start)
    Treiber für Volume-Manager: System32\DRIVERS\ftdisk.sys (system)
    Gameport-Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    GMSIPCI: \??\E:\INSTALL\GMSIPCI.SYS (manual start)
    Standardpaketklassifizierung: System32\DRIVERS\msgpc.sys (manual start)
    Hilfe und Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    USB-HID -> COM Driver Service: System32\DRIVERS\HidCom.sys (autostart)
    Microsoft HID-zu-Joystickanschlussaktivierung: System32\DRIVERS\hidgame.sys (manual start)
    Eingabegerätezugang: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class-Treiber: System32\DRIVERS\hidusb.sys (manual start)
    i8042-Tastatur- und PS/2-Mausanschluss-Treiber: System32\DRIVERS\i8042prt.sys (system)
    IMAPI-CD-Brenn-COM-Dienste: C:\WINDOWS\System32\imapi.exe (disabled)
    Filtertreiber für IP-Verkehr: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP/IP-Tunneltreiber: System32\DRIVERS\ipinip.sys (manual start)
    Übersetzer für IP-Netzwerkadressen: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC-Treiber: System32\DRIVERS\ipsec.sys (system)
    IR-Enumeratordienst: System32\DRIVERS\irenum.sys (manual start)
    PnP-ISA/EISA-Bus-Treiber: System32\DRIVERS\isapnp.sys (system)
    KAV Monitor Service: "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe" /service (autostart)
    Tastaturklassentreiber: System32\DRIVERS\kbdclass.sys (system)
    Klif: \??\C:\WINDOWS\System32\Drivers\klif.sys (system)
    Microsoft Kernel-Waveaudiomixer: system32\drivers\kmixer.sys (manual start)
    Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042Pr2.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Arbeitsstationsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.sys (manual start)
    Logitech USB Receiver device driver: system32\drivers\LHidUsb.Sys (manual start)
    Logitech Keyboard Class Filter Driver: System32\DRIVERS\LKbdFlt2.sys (manual start)
    TCP/IP-NetBIOS-Hilfsprogramm: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.sys (manual start)
    Nachrichtendienst: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    NetMeeting-Remotedesktop-Freigabe: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mausklassentreiber: System32\DRIVERS\mouclass.sys (system)
    Maus-HID-Treiber: System32\DRIVERS\mouhid.sys (manual start)
    Redirector für WebDav-Client: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Loopbackadaptertreiber: System32\DRIVERS\loop.sys (manual start)
    Microsoft Proxy für Streaming Clock: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Proxy für Streaming Quality Manager: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink-Konvertierung: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI-Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    NAV Alert: C:\PROGRA~1\Navnt\alertsvc.exe (manual start)
    NAV Auto-Protect: C:\PROGRA~1\Navnt\navapsvc.exe (manual start)
    NAVAP: \??\C:\WINDOWS\System32\Drivers\navap.sys (manual start)
    NAVENG: \??\C:\PROGRA~1\Navnt\naveng.sys (manual start)
    NAVEX15: \??\C:\PROGRA~1\Navnt\navex15.sys (manual start)
    Microsoft TV-/Videoverbindung: System32\DRIVERS\NdisIP.sys (manual start)
    RAS-NDIS-TAPI-Treiber: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS-Benutzermodus-E/A-Protokoll: System32\DRIVERS\ndisuio.sys (manual start)
    RAS-NDIS-WAN-Treiber: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS-Schnittstelle: System32\DRIVERS\netbios.sys (system)
    NetBios über TCP/IP: System32\DRIVERS\netbt.sys (system)
    Netzwerk-DDE-Dienst: %SystemRoot%\system32\netdde.exe (manual start)
    Netzwerk-DDE-Serverdienst: %SystemRoot%\system32\netdde.exe (manual start)
    Anmeldedienst: %SystemRoot%\System32\lsass.exe (manual start)
    Netzwerkverbindungen: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    1394-Netzwerktreiber: System32\DRIVERS\nic1394.sys (manual start)
    NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Norton Program Scheduler: C:\PROGRA~1\Navnt\npssvc.exe (manual start)
    NT-LM-Sicherheitsdienst: %SystemRoot%\System32\lsass.exe (manual start)
    Wechselmedien: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
    nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
    nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
    Filtertreiber für IPX-Verkehr: System32\DRIVERS\nwlnkflt.sys (manual start)
    Treiber für IPX-Verkehrsweiterleitung: System32\DRIVERS\nwlnkfwd.sys (manual start)
    OHCI-konformer IEEE 1394-Hostcontroller: System32\DRIVERS\ohci1394.sys (system)
    Creative OS Services Driver: System32\drivers\ctoss2k.sys (manual start)
    Treiber für parallelen Anschluss: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
    Plug & Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC-Dienste: %SystemRoot%\System32\lsass.exe (autostart)
    WAN-Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Prozessortreiber: System32\DRIVERS\processr.sys (system)
    Geschützter Speicher: %SystemRoot%\system32\lsass.exe (autostart)
    QoS-Paketplaner: System32\DRIVERS\psched.sys (manual start)
    Treiber für direkte Parallelverbindung: System32\DRIVERS\ptilink.sys (manual start)
    Treiber für automatische RAS-Verbindung: System32\DRIVERS\rasacd.sys (system)
    Verwaltung für automatische RAS-Verbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN-Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    RAS-Verbindungsverwaltung: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remotezugriff-PPPOE-Treiber: System32\DRIVERS\raspppoe.sys (manual start)
    Parallelanschluss (direkt): System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Treiber für Terminalserver-Geräteumleitung: System32\DRIVERS\rdpdr.sys (manual start)
    Sitzungs-Manager für Remotedesktophilfe: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Filtertreiber für digitale CD-Audiowiedergabe: System32\DRIVERS\redbook.sys (system)
    Routing und RAS: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote-Registrierung: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    RPC-Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remoteprozeduraufruf (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS-RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Sicherheitskontenverwaltung: %SystemRoot%\system32\lsass.exe (autostart)
    Smartcard-Hilfsprogramm: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smartcard: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Taskplaner: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Sekundäre Anmeldung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Systemereignisbenachrichtigung: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Sentinel: \SystemRoot\System32\Drivers\SENTINEL.SYS (autostart)
    Serenum-Filtertreiber: System32\DRIVERS\serenum.sys (manual start)
    Treiber für seriellen Anschluss: System32\DRIVERS\serial.sys (system)
    Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shellhardwareerkennung: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Sony USB-Filtertreiber (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
    Microsoft Kernel-Audiosplitter: system32\drivers\splitter.sys (manual start)
    Druckwarteschlange: %SystemRoot%\system32\spoolsv.exe (autostart)
    Filtertreiber für Systemwiederherstellung: System32\DRIVERS\sr.sys (system)
    Systemwiederherstellungsdienst: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP-Suchdienst: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows-Bilderfassung (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    BDA-IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software-Bus-Treiber: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetablesynthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9C17D49F-82C7-48E8-AE34-9F1B8211AB9B} (manual start)
    SymEvent: \??\C:\Programme\Symantec\SYMEVENT.SYS (manual start)
    Microsoft Kernel-Systemaudiogerät: system32\drivers\sysaudio.sys (manual start)
    Leistungsdatenprotokolle und Warnungen: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telefonie: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP-Protokolltreiber: System32\DRIVERS\tcpip.sys (system)
    Terminalgerätetreiber: System32\DRIVERS\termdd.sys (system)
    Terminaldienste: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Designs: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
    Überwachung verteilter Verknüpfungen (Client): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microcode Updatetreiber: System32\DRIVERS\update.sys (manual start)
    Upload-Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universeller Plug & Play-Gerätehost: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Unterbrechungsfreie Stromversorgung: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
    Miniporttreiber für Microsoft USB Open Host-Controller: System32\DRIVERS\usbohci.sys (manual start)
    USB-Scannertreiber: System32\DRIVERS\usbscan.sys (manual start)
    USB-Massenspeichertreiber: System32\DRIVERS\USBSTOR.SYS (manual start)
    Miniporttreiber für universellen Microsoft USB-Hostcontroller: System32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP-Bus-Filter: System32\DRIVERS\viaagp1.sys (system)
    VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
    ViaIde: System32\DRIVERS\viaidexp.sys (system)
    VIAPFD: \SystemRoot\System32\Drivers\VIAPFD.SYS (system)
    Volumeschattenkopie: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows-Zeitgeber: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    RAS-IP-ARP-Treiber: System32\DRIVERS\wanarp.sys (manual start)
    Treiber für Microsoft WINMM-WDM-Audiokompatibilität: system32\drivers\wdmaud.sys (manual start)
    Webclient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows-Verwaltungsinstrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Treibererweiterungen für Windows-Verwaltungsinstrumentation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI-Leistungsadapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    World Standard Teletext-Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatische Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Konfigurationsfreie drahtlose Verbindung: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Configuration Loader: "C:\WINDOWS\System32\explorex.exe" -service (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll

    --------------------------------------------------
    End of report, 34.072 bytes
    Report generated in 0,125 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    The worm is still there, I'm afraid... The rascal registered itself as a service.

    So go to Start > Run, type Services.msc and hit Enter

    Scroll down to the "Config Loader" service, stop that service, and set it to "disabled".

    Now restart your computer, and delete the C:\WINDOWS\System32\scvhost.exe file again.
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    And after doing that, get rid of that rogue service altogether:

    Go to Start > Run, type Regedit, then press Enter.
    In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE >SYSTEM > CurrentControlSet > Services.

    In the list of Services, locate cfgldr

    Delete that whole Cfgldr subkey. To do this, right-click the said subkey and choose Delete.

    Close the Registry Editor.
     
  17. demoness

    demoness Guest

    ok looking good....done everything you told me and i'm currently checking my system with kaspersky and already found 2 infected files....
    but i think it's looking good because before that last two steps with registry and services I couldn't even start the program
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That's good to hear! :)

    When you're all done, it can't hurt to post one (hopefully final) Hijack This log.
     
  19. demoness

    demoness Guest

    ok hopefully my last log :)

    Logfile of HijackThis v1.97.3
    Scan saved at 21:32:53, on 09.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Navnt\POPROXY.EXE
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    C:\Programme\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\Programme\Creative\ShareDLL\MediaDet.Exe
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Roman\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.at/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [CTStartup] C:\Programme\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Programme\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe
    O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKCU\..\Run: [TaskTray] C:\Programme\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Programme\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\SBAudigy\RemoteCenter\Rc\RcMan.EXE
    O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
    O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir85r321.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/products/camera_servers/AxisCamControl.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab


    do you need the startuplist too?
    kaspersky found some other infected files too but all are removed now (hopefully). tomorrow i'll tell you if everything is alright but it looks good. if there is still something wrong plz tell me and i will check that tomorrow. thx for all the help
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Not running anymore, but the startup entry is still there:
    O4 - HKLM\..\Run: [Configuration Loader] explorex.exe

    and wondering if you left this one in on purpose:
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Navnt\POPROXY.EXE

    Regards,

    Pieter
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, what Pieter said.

    And I'd also have this one fixed:

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    Restart your computer, and uninstall P2P Networking through Add/Remove Programs.
     
  22. demoness

    demoness Guest

    everything works fine....no virus left :)

    everybody big thx for your help....i keep that board in mind :)
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Excellent news! :)

    Glad we were able to help.
     
Thread Status:
Not open for further replies.