help needed please ( Spyware, Virus etc. )
Posted by: catweazle
Hi folks,
I urgently need your help, as spyware and viruses are beyond my knowledge. I have already searched through this forum for some help (About Buster, Spybot, Shredder, Panda Antivirus). Now I have come to the stage where I need advice from experts.
I can't get rid of a toolbar (fastwebsearch, I think, and some sex pages pop up sometimes) and my computer says that 18% is still infected by spyware. I scanned through with HijackThis and this is the result.
Can you please advise me what to do next? Thanks for your help!
Logfile of HijackThis v1.99.0
Scan saved at 21:54:06, on 22.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: Richfind - {67E78BA4-E0C5-40F7-9000-86089795F590} - C:\WINDOWS\System32\Q713315.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [msinfo.exe] msinfo.exe
O4 - HKLM\..\Run: [sp2chek.exe] sp2chek.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.search-soft.net
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/static/download/iedropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
Posted by: smurph
Firstly, there is enough advice in this section of the forum without asking for it all again!
Use all the anti-malware software in my signature, which is generally what most others are recommending - no one piece of software detects all the problems.
But, once it gets so bad, you will be better to reinstall OS and software etc.
Advise elimination of Norton, which in my experience can't be done without reinstall, unless you're an expert.
Posted by: intercodes
catweazle,
Okie, first turn off system restore: http://www.pchell.com/virus/systemrestore.shtml
Next open your HJT and fix the following. Close all your windows except HJT.
------------------
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R3 - URLSearchHook: Richfind - {67E78BA4-E0C5-40F7-9000-86089795F590} - C:\WINDOWS\System32\Q713315.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\Run: [msinfo.exe] msinfo.exe
O4 - HKLM\..\Run: [sp2chek.exe] sp2chek.exe
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe [If you don't know what this is, fix it]
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe [If you don't know what this is, fix it]
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.search-soft.net
----------------------------
After fixing this, boot into safe mode by pressing F8 at boot time.
Then clear the Internet Explorer cache, temporary internet files, cookies, and temp files in Windows folders.
In safe mode, in folder options, check the 'show hidden files' and 'show OS files' options. And if the following files are available, delete them:
lfjtcdztu.exe
msinfo.exe
iecust.dll
lssrv.exe
Finally, download Ad-Aware SE, install, update and scan the system.
Posted by: catweazle
Thanks for all the information.
I will stick to your advice and get back to you on how successful I was.
Posted by: southernlady
To help keep this in the proper place, and help Intercodes and Dave keep the advice ON TRACK, I am moving this to the HiJack This (Analyze) forum. Liz
Posted by: catweazle
intercodes,
please have a look at my hjt logfile now.
Logfile of HijackThis v1.99.0
Scan saved at 19:52:07, on 23.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/static/download/iedropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
I have also run Ad-Aware SE over my system as you proposed and it quarantined this.
ArchiveData(catweazle.bckp)
Referencefile : SE1R23 16.12.2004
======================================================
POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\System32\odcfg.exe
obj[22]=File : C:\Dokumente und Einstellungen\...... .....\Favoriten\Block Popups.url
obj[23]=File : C:\Dokumente und Einstellungen\............\Favoriten\SPYWARE UNINSTALL.url
ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[2]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuText"
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[8]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[18]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[19]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[20]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
CLARIA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gain
obj[10]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gain
IEHIJACKER.RICHFIND
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[11]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids
obj[12]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "1"
obj[13]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "2"
obj[14]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "3"
obj[15]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "4"
obj[16]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "5"
obj[17]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "x"
obj[24]=Regkey : software\lawga
TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[21]=IECache Entry : Cookie:...... .....@as1.falkag.de/
The toolbar has gone, but these strip poker pages still pop up now and again........
Thanks for all your help !
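Added example, not part of any post in this thread: a Python check that compares a HijackThis fix list with the follow-up log, listing follow-up entries that still reference a file the fix list targeted and O4 autoruns registered without a directory path. The entries are copied (trimmed) from the first fix list and the 23.12.2004 log above; the function names and both heuristics are assumptions of this example and mark entries for review, not verdicts.

```python
import re

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s*-\s*(.+)$")
# Forum software wraps URLs in [url]...[/url]; strip that before comparing.
BBCODE_RE = re.compile(r"\[/?url\]", re.IGNORECASE)
# File names mentioned in an entry (basename only, path separators excluded).
FILE_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|ocx)\b", re.IGNORECASE)
# O4 registry autorun body: "<key>: [<value name>] <command>"
AUTORUN_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Entries copied (trimmed) from the first fix list in this thread.
FIX_LIST = r"""
R3 - URLSearchHook: Richfind - {67E78BA4-E0C5-40F7-9000-86089795F590} - C:\WINDOWS\System32\Q713315.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
"""

# Entries copied (trimmed) from the follow-up log dated 23.12.2004, 19:52.
FOLLOWUP = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
"""


def parse_entries(log_text):
    """Return [(section_code, body)] for every HijackThis entry line, in order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(BBCODE_RE.sub("", line))
        if match:
            # Collapse whitespace so pasted and re-wrapped lines compare equal.
            entries.append((match.group(1), " ".join(match.group(2).split())))
    return entries


def _files(body):
    """Lower-cased file names referenced by one entry body."""
    return {name.lower() for name in FILE_RE.findall(body)}


def residual_references(fix_text, followup_text):
    """Follow-up entries that still reference a file named in the fix list.

    Catches the case where one registration was fixed but the same file
    is still registered under another key or section.
    """
    targeted = set()
    for _, body in parse_entries(fix_text):
        targeted |= _files(body)
    return [(code, body) for code, body in parse_entries(followup_text)
            if _files(body) & targeted]


def bare_autoruns(entries):
    """O4 registry autoruns whose command has no directory component."""
    hits = []
    for code, body in entries:
        match = AUTORUN_RE.match(body) if code == "O4" else None
        if not match:
            continue
        cmd = match.group("cmd")
        # Quoted commands may contain spaces; unquoted ones end at the first space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe and "/" not in exe:
            hits.append((match.group("key"), match.group("name"), exe))
    return hits


if __name__ == "__main__":
    print("Still referencing a fixed file:")
    for code, body in residual_references(FIX_LIST, FOLLOWUP):
        print(f"  {code} - {body}")
    print("Autoruns without a path:")
    for key, name, exe in bare_autoruns(parse_entries(FOLLOWUP)):
        print(f"  {key} [{name}] {exe}")
```
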
Posted by: southernlady
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
These are part of your problem. Your home page has been hijacked.
Go here and download all of these: CoolWeb Shredder, CWS Domains, CWS SmartKiller, and Killbox.
Put those and your HiJack log in a folder on your c: drive, so the folder may look something like this: c:\Malware tools. Just name it something YOU will remember.
Next have your hidden files set so that you can see them: http://www.spyware911.net/forum/index.php?showtopic=27
Then reboot into safe mode: http://www.spyware911.net/safemode.htm and run the three CWS files. DO NOT TOUCH KILLBOX YET.
Then run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :
Reboot
Empty the Recycle Bin
Then post another log. Liz
Posted by: catweazle
liz,
I'll get back to you with my results after I did my x-mas preparations ;-))
thanks for all your help !
Posted by: catweazle
Here we go, Liz.
Unfortunately I could not download CWS Domains, and SmartKiller was downloaded but a message came up saying could not find smartkiller on your pc........
Logfile of HijackThis v1.99.0
Scan saved at 23:49:36, on 23.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\pingnet.exe
C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe
C:\WINDOWS\System32\clfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/static/download/iedropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
Posted by: intercodes
catweazle,
Turn off system restore, and fix the following
C:\WINDOWS\System32\pingnet.exe
C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
Next, boot into safe mode, delete all the temporary Windows files & internet files & cache.
Delete these files, if they are available [You have to enable hidden and Operating System files from folder options]
*pingnet.exe
*odcfg.exe
*getdns.exe
You have a worm that spawns on a Windows vulnerability.
Download and run this tool.
http://www.paretologic.com/xoftspy/lp/14/
To stay secure from future attacks, you have to install the service pack for your Internet Explorer [or install the Windows service pack files].
Good Luck
Posted by: catweazle
Here is my new log file!
Thanks for all your help, hopefully my computer problems are solved.
I have a feeling that the system is much quicker now.......
Any more tips, like running a new browser (but which one?)
Can't install SP2, probably my software is not genuine, as I bought this PC on the cheap at a 'flea market'!
Logfile of HijackThis v1.99.0
Scan saved at 11:56:49, on 25.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - [url]http://express.bilderservice.de/static/download/iedropupload.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103056697268[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - [url]http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab[/url]
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
Posted by: intercodes
catweazle,
Cool, I'd suggest you use Firefox. You won't have much trouble with adware and spyware with this browser. Also keep Spybot and Ad-Aware with an anti-virus scanner all updated.
And fix this
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
Also delete the file C:\WINDOWS\System32\netcgf.dll
That's it.
Posted by: catweazle
intercodes,
thanks for all ! You don't know how much I appreciate your knowledge.
Also many many thanks to Southernlady.
You both are stars !
Hopefully my last logfile !
Logfile of HijackThis v1.99.0
Scan saved at 17:42:06, on 25.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - [url]http://express.bilderservice.de/static/download/iedropupload.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103056697268[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - [url]http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab[/url]
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
Posted by: intercodes
catweazle,
Okie, your log is clean. Happy surfin' around :D
-Intercodes
Posted by: catweazle
intercodes,
thanks for all your help ! :D
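The comparison this thread does by eye, as an added example that is not part of the original posts: the Python code below parses the entry lines of two HijackThis logs, lists what a fix removed, and flags registry autoruns whose command has no directory path, since the log then does not show which file on disk is started. The log excerpts are trimmed from the two logs posted on 25.12.2004; the function names are this example's own.

```python
import re

# Trimmed excerpt of the log saved at 11:56:49 on 25.12.2004 (from this thread).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
"""
# Trimmed excerpt of the log saved at 17:42:06 on 25.12.2004 (same entries kept).
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")                  # e.g. "O4 - <detail>"
AUTORUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")  # key: [name] command

def parse_entries(log):
    """Return (section, detail) pairs for every entry line; other lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one."""
    later = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in later]

def pathless_autoruns(log):
    """O4 registry autoruns whose command contains no directory component."""
    hits = []
    for section, detail in parse_entries(log):
        m = AUTORUN.match(detail) if section == "O4" else None
        if m and "\\" not in m.group(3):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    print("removed by the fix:", removed_entries(LOG_BEFORE, LOG_AFTER))
    print("autoruns to review:", pathless_autoruns(LOG_AFTER))
```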