Please help! - Another trojan spy smidfraud.c victim
Hello,
First, thanks to you for what you are doing for us!
Yesterday suddenly the well-known fake bluescreen appeared. I started Ad-Aware and Spybot S&D. After updating they found (I don't know anymore who exactly found what) some infected files and put them in quarantine. So I'm not sure whether the virus is still present on my computer, but since my display control window doesn't offer access to the desktop background colour, I think it is.
I uninstalled the PSGuard program.
Another piece of information: I have several partitions with 3 systems on my hard disk, so I could boot from another system to access locked system files, if necessary. My working system is on D:.
Here is the HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 21:26:48, on 23.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\CTHELPER.EXE
D:\Programme\Logitech\iTouch\iTouch.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Programme\iTunes\iTunesHelper.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Programme\iPod\bin\iPodService.exe
D:\Programme\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\hjt\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "D:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MOD] D:\Programme\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] D:\Programme\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [PSGuard] D:\Programme\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
This discussion has been closed.
Comments
Logfile of HijackThis v1.99.1
Scan saved at 21:55:16, on 23.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\CTHELPER.EXE
D:\Programme\Logitech\iTouch\iTouch.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Programme\iTunes\iTunesHelper.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Programme\iPod\bin\iPodService.exe
D:\Programme\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\hjt\HijackThis.exe
D:\Programme\Microsoft Office\Office10\OUTLOOK.EXE
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Programme\Microsoft Visual Studio\Common\MSDev98\Bin\MSDEV.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "D:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MOD] D:\Programme\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] D:\Programme\Parallel Tasking\ptask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
O4 - HKLM\..\Run: [Parallel Tasking] D:\Programme\Parallel Tasking\ptask.exe
Delete this directory.
D:\Programme\Parallel Tasking
Please run at least two of these online scans.
Make sure they are set to clean automatically.
Panda Virus Scan
Bit Defender
TrendMicro Housecall
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scans.
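When a helper asks for "a new hijackthis log", the next step is comparing it with the previous one by eye. As an added example (not code from this thread, from HijackThis, or from the forum), the script below parses two HJT logs and reports what changed: processes that appeared or vanished, and O4/O23 entries added, removed, or pointing somewhere else. The two embedded logs are trimmed excerpts of the logs posted above; the line layouts (O4, O23) and the way the launched program is cut out of an unquoted Run command are my reading of the 1.99 log format, not an official grammar.

```python
import re
from typing import Dict, Set, Tuple

# Trimmed excerpts of the two HijackThis logs posted in this thread
# (scans saved 21:26:48 and 21:55:16 on 23.06.2005). Only the lines needed
# to show the comparison are kept; the full logs are above.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:26:48, on 23.06.2005
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\Explorer.EXE
D:\hjt\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] D:\Programme\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [PSGuard] D:\Programme\PSGuard\PSGuard.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:55:16, on 23.06.2005
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\Explorer.EXE
D:\hjt\HijackThis.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] D:\Programme\Parallel Tasking\ptask.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
"""

# Line layouts as they appear in HJT 1.99 logs (my reading of the format).
ENTRY_RE = re.compile(r"^O(?P<sec>\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"^(?P<p>.*?\.(?:exe|com|scr|dll))(?:\s|$)", re.IGNORECASE)


def program_path(cmd: str) -> str:
    """Cut the launched program out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.upper() == "RUNDLL32.EXE" and rest:  # the DLL is what really runs
        return rest.split(",", 1)[0]
    m = EXE_RE.match(cmd)                         # unquoted path, may contain spaces
    return m["p"] if m else head


def parse_hjt(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (running processes, autostart entries keyed by section and name)."""
    processes: Set[str] = set()
    entries: Dict[str, str] = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:                                     # first Oxx line ends the process list
            in_procs = False
            sec, body = m["sec"], m["body"]
            o4 = O4_RE.match(body) if sec == "4" else None
            o23 = O23_RE.match(body) if sec == "23" else None
            if o4:
                entries[f"O4:{o4['hive']}:{o4['name']}"] = program_path(o4["cmd"])
            elif o23:
                entries[f"O23:{o23['name']}"] = o23["path"]
            else:                                 # O2/O3/O8 etc.: keep the whole line
                entries[f"O{sec}:{body}"] = body
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            processes.add(line)
    return processes, entries


def diff_logs(before: str, after: str) -> dict:
    """What changed between two logs: processes and entries added/removed/changed."""
    p_old, e_old = parse_hjt(before)
    p_new, e_new = parse_hjt(after)
    common = e_old.keys() & e_new.keys()
    return {
        "processes_started": sorted(p_new - p_old),
        "processes_gone": sorted(p_old - p_new),
        "entries_added": {k: e_new[k] for k in sorted(e_new.keys() - e_old.keys())},
        "entries_removed": {k: e_old[k] for k in sorted(e_old.keys() - e_new.keys())},
        "entries_changed": {k: (e_old[k], e_new[k]) for k in sorted(common) if e_old[k] != e_new[k]},
    }


if __name__ == "__main__":
    for section, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run over the full pair of logs above it reports one removed entry (the HKLM Run value PSGuard) and three processes that were running only at the second scan (OUTLOOK.EXE, FIREFOX.EXE and MSDEV.EXE). Note that the unquoted "Parallel Tasking" command contains a space, so naive splitting on whitespace would cut the path at "D:\Programme\Parallel"; the script looks for the first ".exe" instead.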
Sorry for the delay - I forgot to mention that I live in Germany.
I also forgot to say that I did the Panda online scan before I asked here for help! But since I only fixed two entries of the HJT list, I think it will still be up to date.
I just ran the BitDefender online scan. It says there might still be 1 virus that couldn't be deleted. So here are the logs:
Panda:
Incident Status Location
Spyware:Spyware/ISTbar No disinfected D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\iinstall.exe
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.French
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.German
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Italian
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Japanese
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Spanish
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.French
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.German
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Italian
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Japanese
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Spanish
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.french
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.german
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.italian
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.japanese
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.spanish
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.French
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.German
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.Italian
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.japanese
Adware:Adware/PsGuard No disinfected D:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.Spanish
Adware:Adware/Smitfraud No disinfected D:\WINNT\system32\oleadm.dll
Virus:W32/Smitfraud.B Disinfected D:\WINNT\system32\wininet.dll
Adware:Adware/Smitfraud No disinfected D:\WINNT\uninstIU.exe
Virus:Trj/Downloader.YD Disinfected E:\Software\3D_Exploration_v1.81.zip[atl.exe]
Virus:Trj/Downloader.YD Disinfected E:\Software\3D_Exploration_v1.833\gyd.exe
Virus:Trj/Downloader.YD Disinfected E:\Software\3D_Exploration_v1.833.zip[gyd.exe]
Adware:Adware/PsGuard No disinfected H:\Dokumente und Einstellungen\klaus\Lokale Einstellungen\Temp\pft4.tmp\Disk1\data1.cab[Cdlsres.dll]
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.French
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.German
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKACodec.Spanish
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.French
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.German
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Codecs\WMSDKVCodec.Spanish
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.french
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.german
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\RealMediaWriter.spanish
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.French
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.German
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.Italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\After Effects 6.5\Support Files\Plug-ins\Standard\Format\MediaIO\Writers\WinMediaWriter.Spanish
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKACodec.french
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKACodec.german
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKACodec.italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKACodec.japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKVCodec.french
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKVCodec.german
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKVCodec.italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\codecs\WMSDKVCodec.japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\RealMediaWriter.french
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\RealMediaWriter.german
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\RealMediaWriter.italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\RealMediaWriter.japanese
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\WinMediaWriter.french
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\WinMediaWriter.german
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\WinMediaWriter.italian
Adware:Adware/PsGuard No disinfected H:\Programme\Adobe\Premiere Pro 1.5\MediaIO\writers\WinMediaWriter.japanese
BitDefender Online Scanner
Scan report generated at: Fri, Jun 24, 2005 - 10:36:47
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;
Statistics
Time
01:28:57
Files
842102
Folders
10586
Boot Sectors
5
Archives
7181
Packed Files
97675
Results
Identified Viruses
7
Infected Files
9
Suspect Files
24
Warnings
0
Disinfected
0
Deleted Files
32
Engines Info
Virus Definitions
185196
Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins
13
Archive plugins
39
Unpack plugins
4
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\11575.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\11575.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\11575.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\1540.exe
Infected with: Trojan.Downloader.Small.ALR
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\1540.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\1540.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\17726.exe
Infected with: Trojan.P2e.BR
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\17726.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\17726.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18302.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18302.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\18302.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\19891.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\19891.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\19891.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21494.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21494.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21494.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21688.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21688.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\21688.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\231.exe
Infected with: Trojan.P2e.BR
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\231.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\231.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30372.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30372.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30372.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30400.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30400.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\30400.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\31579.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\31579.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\31579.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3453.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3453.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3453.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\37.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\37.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\37.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3900.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3900.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\3900.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\4224.exe
Suspected of: BehavesLike:Trojan.Downloader
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\4224.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\4224.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\68.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\68.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\68.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\69.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\69.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\69.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\6C.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\6C.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\6C.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\73.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\73.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\73.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\82.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\82.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\82.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\83.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\83.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\83.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\85.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\85.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\85.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\A.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\A.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\A.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\B2.exe
Suspected of: BehavesLike:Trojan.HangUp
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\B2.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\B2.exe
Deleted
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\iinstall.exe
Infected with: Trojan.Isbar.267
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\iinstall.exe
Disinfection failed
D:\Dokumente und Einstellungen\Klaus Heyne\Lokale Einstellungen\Temp\iinstall.exe
Deleted
D:\Programme\QuickTime\qttask.exe
Infected with: Trojan.Holax.A.98304.A
D:\Programme\QuickTime\qttask.exe
Disinfection failed
D:\Programme\QuickTime\qttask.exe
Delete failed
D:\Pstools\psexec.exe
Detected with: Application.Remotexec.A
D:\Pstools\psexec.exe
Disinfection failed
D:\Pstools\psexec.exe
Deleted
D:\WINNT\ExeDialer.exe
Infected with: Trojan.P2e.BR
D:\WINNT\ExeDialer.exe
Disinfection failed
D:\WINNT\ExeDialer.exe
Deleted
D:\WINNT\system32\QuickTime\QTPluginInstaller.exe
Infected with: Dropped:Trojan.Holax.A.98304.A
D:\WINNT\system32\QuickTime\QTPluginInstaller.exe
Disinfection failed
D:\WINNT\system32\QuickTime\QTPluginInstaller.exe
Deleted
D:\WINNT\uninstIU.exe
Infected with: Trojan.Agent.EO
D:\WINNT\uninstIU.exe
Disinfection failed
D:\WINNT\uninstIU.exe
Deleted
E:\Projekte\Software\hangup\Debug\hangup.exe
Suspected of: BehavesLike:Trojan.HangUp
E:\Projekte\Software\hangup\Debug\hangup.exe
Disinfection failed
E:\Projekte\Software\hangup\Debug\hangup.exe
Deleted
Logfile of HijackThis v1.99.1
Scan saved at 12:09:33, on 24.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\CTHELPER.EXE
D:\Programme\Logitech\iTouch\iTouch.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\iTunes\iTunesHelper.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Programme\iPod\bin\iPodService.exe
D:\Programme\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\Programme\Mozilla Firefox\firefox.exe
D:\hjt\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "D:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MOD] D:\Programme\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
D:\WINNT\system32\ms0b920b.dll
D:\WINNT\system32\ms9b1d3f.dll
Download this file and extract it to your desktop.
http://www.bleepingcomputer.com/files/grinler/findholax.zip
Then double-click on the findholax folder that is now on your desktop. Double-click on the findholax.bat file. Select option 1 and copy the text that appears and post it back here.
D:\WINNT\system32\ms9b1d3f.dll
I can't find any of these files.
Here is the findholax output:
Running from D:\Dokumente und Einstellungen\Klaus Heyne\Desktop\findholax
This log will contain a series of tests. Some of the files that are found
could be legitimate so do not delete anything without supervision.
Please provide the output of this listing as a reply to the topic #
where you are receiving help. #
---- Test 1: Files that contain certain strings ----
---- Test 2: Files that are packed with UPX ----
---- Test 3: Files in D:\WINNT\SYSTEM32 matching *.da0 ----
No matches found.
---- Test 4: Files in D:\WINNT\SYSTEM32 matching *.cfg ----
D:\WINNT\SYSTEM32\
asinst.cfg Fri 10 Jan 2003 19:36:14 A.... 128 0,13 K
midimap.cfg Fri 10 Dec 1999 14:00:00 A.... 1 0,00 K
2 items found: 2 files, 0 directories.
Total of file sizes: 129 bytes 0,13 K
Nothing. That's strange. A file search returns 200 files matching "ms*.dll"...
Here's the holax output:
Running from D:\Dokumente und Einstellungen\Klaus Heyne\Desktop\findholax
This log will contain a listing of all ms*.dll that are found in D:\WINNT\SYSTEM32
The majority of these files are legitimate files and should not be deleted.
Please provide the output of this listing as a reply to the topic where you are
receiving help.
---- DLLs found in D:\WINNT\SYSTEM32 that match the pattern ms*.dll ----
Try this.
Open Notepad, copy and paste the next content (bold) into it:
cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit
Save this as look.bat, choose to save as *all files, and save it to your desktop.
Double-click on it and Notepad will open with a long list of all the files present in your system32 folder.
Copy and paste the first 20-30 lines of that log in your next reply.
Here comes the output of the batch file:
Datenträger in Laufwerk D: ist System2
Datenträgernummer: F481-E0D3
Verzeichnis von D:\WINNT\system32
26.06.2005 17:27 4.412 nvapps.xml
25.06.2005 19:42 28.332 BMXBkpCtrlState-{00000002-00000000-0000000B-00001102-00000004-00511102}.rfx
25.06.2005 19:42 20.316 BMXState-{00000002-00000000-0000000B-00001102-00000004-00511102}.rfx
25.06.2005 19:42 20.316 BMXStateBkp-{00000002-00000000-0000000B-00001102-00000004-00511102}.rfx
25.06.2005 19:42 28.332 BMXCtrlState-{00000002-00000000-0000000B-00001102-00000004-00511102}.rfx
25.06.2005 19:42 1.080 settingsbkup.sfm
25.06.2005 19:42 1.080 settings.sfm
25.06.2005 19:42 24 DVCState-{00000002-00000000-0000000B-00001102-00000004-00511102}.dat
25.06.2005 19:42 24 DVCStateBkp-{00000002-00000000-0000000B-00001102-00000004-00511102}.dat
09.06.2005 23:30 217.544 FNTCACHE.DAT
04.05.2005 14:45 884.736 msimsg.dll
04.05.2005 14:45 15.360 msisip.dll
04.05.2005 14:45 271.360 msihnd.dll
04.05.2005 14:45 78.848 msiexec.exe
04.05.2005 14:45 2.890.240 msi.dll
04.05.2005 14:45 15.072 spmsg.dll
29.04.2005 09:16 1.122.576 webvw.dll
04.04.2005 22:06 1.886 qtplugin.log
27.03.2005 14:50 19.012 wmpscheme.xml
14.03.2005 22:28 93 services.log
12.03.2005 09:54 245.008 WINSRV.DLL
12.03.2005 09:54 381.200 USER32.DLL
12.03.2005 09:44 1.634.288 WIN32K.SYS
04.03.2005 08:56 2.383.632 SHELL32.DLL
02.03.2005 15:00 1.737.792 NTKRNLPA.EXE
02.03.2005 15:00 1.716.480 NTOSKRNL.EXE
24.02.2005 14:02 132.096 MSRATING.DLL
24.02.2005 14:02 2.811.904 MSHTML.DLL
Please uninstall Quicktime
Then delete this folder if it still exists.
D:\Programme\QuickTime
If you use Quicktime you will be able to reinstall it later. It's a free download. But the version you have now is infected by the Holax trojan.
Run this online virus scan and post the info from the scan. Also post a new hijackthis log.
Bit Defender
Bit Defender says: No virus found! Thank YOU!!!
Does that really mean that there is no virus on my computer anymore??
If so, how will I get back full access to the display control panel to change the background color?
BitDefender Online Scanner
Scan report generated at: Mon, Jun 27, 2005 - 10:00:31
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;
Statistics
Time: 01:28:56
Files: 842214
Folders: 10580
Boot Sectors: 5
Archives: 7178
Packed Files: 97676
Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0
Engines Info
Virus Definitions: 185480
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File / Status
No virus found.
Here the hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 21:41:22, on 28.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\CTHELPER.EXE
D:\Programme\Logitech\iTouch\iTouch.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\Programme\iTunes\iTunesHelper.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Programme\iPod\bin\iPodService.exe
D:\Programme\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\hjt\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "D:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MOD] D:\Programme\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] D:\Programme\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINNT\system32\hpzipm12.exe
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.
Reboot your computer and you should now be able to change your desktop settings back to how you would like it.
Your log is clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.
- Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would with antivirus software, in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. You can find instructions on how to enable and re-enable System Restore here:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
Re-enable System Restore with instructions from the tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
:celebrate
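The six "Custom Level" changes in the "Make your Internet Explorer more secure" post above are stored by Internet Explorer as numbered action values under the Internet zone (zone 3) registry key. The following .reg file is an added example written for this page, not part of the thread or of BleepingComputer's own instructions; it assumes the standard per-user zone layout under HKEY_CURRENT_USER, the documented action IDs 1001, 1004, 1201, 1607, 1800 and 1804, and the usual codes 0 = Enable, 1 = Prompt, 3 = Disable. It applies exactly the settings the post tells the user to click through, so the result can be checked afterwards in Tools > Internet Options > Security > Custom Level, where the Internet zone should now show the values listed in the post.

```reg
Windows Registry Editor Version 5.00

; Added example: hardens the Internet zone (zone 3) for the current user to the
; settings recommended in the cleanup post above. Action codes: 0 = Enable,
; 1 = Prompt, 3 = Disable. Merge with regedit (double-click the .reg file).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
; Download signed ActiveX controls -> Prompt
"1001"=dword:00000001
; Download unsigned ActiveX controls -> Disable
"1004"=dword:00000003
; Initialize and script ActiveX controls not marked as safe -> Disable
"1201"=dword:00000003
; Navigate sub-frames across different domains -> Prompt
"1607"=dword:00000001
; Installation of desktop items -> Prompt
"1800"=dword:00000001
; Launching programs and files in an IFRAME -> Prompt
"1804"=dword:00000001
```

These values are per-user; every account on the machine that browses with Internet Explorer needs the same change (or the equivalent values under HKEY_LOCAL_MACHINE when the machine-wide policy is in use). Merging the file gives the same end state as the clicks in the post, which is also why a .reg file such as smitfraud.reg can undo a hijacker's changes: the registry is where both the hijack and the repair live.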