> [Resolved] Unable to get rid of various malware programs - TR/...
DesDope
post Oct 3 2008, 10:54 AM
Post #1
Authentic Member | Posts: 31 | Joined: 3-October 08 | Member No.: 81,789
Operating System: Windows XP

Hi everyone,

I have today been bothered with a whole lot of pop ups by my Avira Antivir Guard telling me about various malware infections - at some point I was being taken to some Vista Antivir 2008 website (I didn't click on any of the various "system" messages as they looked fishy to me as it were) and tried to fix the problem by downloading and installing Malwarebytes' Anti-Malware (strangely enough I have to cancel some scan for CDBurnerXP during the start-up of the program or it will tell me that it can't find some needed data) as well as running SDFix (version 1.230) in safe mode and then rebooting the machine. Both to no avail.

The endless list of malware programs that has been found so far:
TR/Trash.Gen
TR/Killav.28714
TR/Drop.Softomat.AN
TR/Agent.8704.76
TR/Crypt.XPACK.Gen

Since a flatmate has access to my PC I am not sure whether he surfed or downloaded something bad or whether I simply opened a bad file somewhere. (On a side note: if I open a user account without admin rights on my XP system, can my flatmates actions cause harm to my account and the data that I rely on for my work?)

I have just run a quick scan with Malwarebytes' software after another SDFix attempt and will post the result beneath.

First I will post the SDFix log, after that the Malwarebytes log and finally the HijackThis log file - the programs were executed in that order. I would be very much obliged if you could help me clean my system without me having to reinstall everything (which is especially painful with the RAID system that is not recognised by the WinXP system CD...).




SDFix log:


SDFix: Version 1.230
Run by kurtl on 03.10.2008 at 18:25

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\DOKUME~1\kurtl\LOKALE~1\Temp\desktop_background.zip - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 18:32:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:e7,05,01,3d,40,1e,f2,1a,84,51,55,54,62,04,5e,72,ad,d4,b8,86,63,..
"p0"="f:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:03,eb,89,96,15,ff,54,c1,00,46,dc,88,03,8a,37,75,60,88,4a,54,84,..
"a0"=hex:20,01,00,00,a5,9a,43,85,53,70,9a,20,a5,30,48,be,63,c6,84,cc,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ec,bd,f6,40,5e,a7,8d,b5,c4,48,b5,49,d1,4f,63,22,b6,95,55,ca,49,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:add90f25
"s2"=dword:6f38f080
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:e7,05,01,3d,40,1e,f2,1a,84,51,55,54,62,04,5e,72,ad,d4,b8,86,63,..
"p0"="f:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:03,eb,89,96,15,ff,54,c1,00,46,dc,88,03,8a,37,75,60,88,4a,54,84,..
"a0"=hex:20,01,00,00,a5,9a,43,85,53,70,9a,20,a5,30,48,be,63,c6,84,cc,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:40,e1,fd,8a,ff,61,bc,5c,96,90,71,27,3f,0a,b5,f1,b1,b4,29,5d,2d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:e7,05,01,3d,40,1e,f2,1a,84,51,55,54,62,04,5e,72,ad,d4,b8,86,63,..
"p0"="f:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:03,eb,89,96,15,ff,54,c1,00,46,dc,88,03,8a,37,75,60,88,4a,54,84,..
"a0"=hex:20,01,00,00,a5,9a,43,85,53,70,9a,20,a5,30,48,be,63,c6,84,cc,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:40,e1,fd,8a,ff,61,bc,5c,96,90,71,27,3f,0a,b5,f1,b1,b4,29,5d,2d,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Programme\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Eine DLL-Datei als Anwendung ausführen"
"F:\\Programme\\UltraVNC\\winvnc.exe"="F:\\Programme\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"E:\\Programme\\EA GAMES\\Battlefield 2\\BF2.exe"="E:\\Programme\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"E:\\Programme\\Activision\\Marvel - Ultimate Alliance\\game.exe"="E:\\Programme\\Activision\\Marvel - Ultimate Alliance\\game.exe:*:Enabled:game"
"E:\\Programme\\Monte Cristo\\Silverfall\\Silverfall.exe"="E:\\Programme\\Monte Cristo\\Silverfall\\Silverfall.exe:*:Enabled:Silverfall"
"E:\\Programme\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"="E:\\Programme\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe:*:Enabled:mvp2005"
"E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"E:\\Programme\\Cyanide\\GameCenter\\GameCenter.exe"="E:\\Programme\\Cyanide\\GameCenter\\GameCenter.exe:*:Enabled:GameCenter"
"E:\\Programme\\America's Army\\System\\ArmyOps.exe"="E:\\Programme\\America's Army\\System\\ArmyOps.exe:*:Enabled:America's Army"
"E:\\Programme\\America's Army\\System\\AAEditor.exe"="E:\\Programme\\America's Army\\System\\AAEditor.exe:*:Enabled:America's Army Mission Editor"
"C:\\Programme\\America's Army Server Manager\\AA Server Manager.exe"="C:\\Programme\\America's Army Server Manager\\AA Server Manager.exe:*:Enabled:America's Army Server Manager"
"C:\\Programme\\America's Army Server Manager\\AA Server Remote Control.exe"="C:\\Programme\\America's Army Server Manager\\AA Server Remote Control.exe:*:Enabled:America's Army Server Remote Control Utility"
"E:\\Programme\\Anno 1701\\Anno1701.exe"="E:\\Programme\\Anno 1701\\Anno1701.exe:*:Enabled:Anno 1701"
"E:\\Programme\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="E:\\Programme\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"F:\\Programme\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="F:\\Programme\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"E:\\Programme\\Sports Interactive\\Football Manager 2008\\fm.exe"="E:\\Programme\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"E:\\Programme\\MiniRacingOnline\\MiniRacingOnLine.exe"="E:\\Programme\\MiniRacingOnline\\MiniRacingOnLine.exe:*:Enabled:MiniRacingOnLine"
"E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="E:\\Programme\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"F:\\Programme\\uTorrent\\uTorrent.exe"="F:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\Programme\\Skype\\Phone\\Skype.exe"="F:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\Programme\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"="E:\\Programme\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe:*:Enabled:Sid Meier's Civilization IV Colonization"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Programme\Internet Explorer\IEXPLORE.EXE"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Programme\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Programme\Outlook Express\msimn.exe"
Fri 3 Oct 2008 1,393 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Mon 11 Aug 2008 4,348 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Wed 24 Sep 2008 2,633 ...HR --- "C:\Dokumente und Einstellungen\kurtl\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!





-----------------------------------------------------------------------------------


Malwarebytes' Anti-Malware:


Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1225
Windows 5.1.2600 Service Pack 2

03.10.2008 18:45:58
mbam-log-2008-10-03 (18-45-58).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 46776
Laufzeit: 5 minute(s), 19 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rwlfsdmk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)





-----------------------------------------------------------------------------------


HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:26, on 03.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
f:\Programme\FileZilla Server\FileZilla Server.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\runservice.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
F:\Programme\StorageIT 2007\StorageItService.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Venturi2\Client\ventc.exe
f:\Programme\UltraVNC\WinVNC.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
F:\Programme\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
F:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
F:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Darkfix.exe
F:\Programme\StorageIT 2007\StorageItAgent.exe
F:\Programme\Spybot - Search & Destroy\TeaTimer.exe
F:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\No-IP\DUC20.exe
F:\Programme\OpenOffice.org 2.1\program\soffice.exe
F:\Programme\OpenOffice.org 2.1\program\soffice.BIN
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinVNC] "f:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "F:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gamma] F:\Darkfix.exe -silent
O4 - HKLM\..\Run: [SitAgent] F:\Programme\StorageIT 2007\StorageItAgent.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup2] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP002.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup3] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP003.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup4] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP004.TMP\"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: No-IP DUC.lnk = C:\Programme\No-IP\DUC20.exe
O4 - Startup: OpenOffice.org 2.1.lnk = F:\Programme\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEF587A-542B-47FF-AC75-3D5745A29020}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C799A3B1-E9CE-4FB1-B181-2D3870F85A62}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: onfwbsak - {31597EA0-A0E3-4B8A-B80C-735CADB2776B} - (no file)
O21 - SSODL: rwlfsdmk - {29E4ACCE-2097-4DE7-A063-38AD23B30942} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - F:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - f:\Programme\FileZilla Server\FileZilla Server.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StorageItService - Storage IT Oy - F:\Programme\StorageIT 2007\StorageItService.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - f:\Programme\UltraVNC\WinVNC.exe

--
End of file - 9842 bytes



-----------------------------------------------------------------------------------

I am sorry to bother you with such a mess; usually I am able to find my way through the help forums on the internet to solve my issues, but this heavy malware infection left me clueless... I do hope one of you will be able to figure out what I can do to resolve this. In any case I am very grateful for the effort you took in coming this far ;)

Thank you in advance,
Des


-----------------------------------------------------------------------------------

Edit: I just realised that the Malwarebytes log is in German - if needed I will try and get an English version of it. I am not sure whether it is vital for solving the problem. Just let me know and I will reinstall the program in English (which I usually do anyway, not sure I had an option there...).

This post has been edited by DesDope: Oct 3 2008, 11:02 AM
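As an added illustration (not part of the original post, and not code from HijackThis or Malwarebytes), the script below parses the O21 SSODL lines of a HijackThis log like the one above and cross-checks them against the "Infizierte Registrierungswerte" entries of the Malwarebytes log, so that "(no file)" registrations whose names Malwarebytes already quarantined are recognised as dead leftovers rather than live Explorer loaders. The sample lines are constructed from the shapes in this thread; the "ExampleGood" entry, its CLSID and its DLL path are invented placeholders.

```python
"""Cross-check HijackThis O21 (SSODL) lines against Malwarebytes detections.

ShellServiceObjectDelayLoad (SSODL) entries are loaded by Explorer at logon,
which is why fake-alert trojans register there. After Malwarebytes quarantines
the registry values, HijackThis may still list the CLSID registrations as
"(no file)"; this script tells those leftovers apart from live loaders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input modelled on the logs in this thread. The
# "ExampleGood" entry, its CLSID and its DLL path are invented placeholders.
HJT_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O21 - SSODL: onfwbsak - {31597EA0-A0E3-4B8A-B80C-735CADB2776B} - (no file)
O21 - SSODL: rwlfsdmk - {29E4ACCE-2097-4DE7-A063-38AD23B30942} - (no file)
O21 - SSODL: ExampleGood - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example.dll
"""

MBAM_LOG = r"""
Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rwlfsdmk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# HijackThis O21 line: "O21 - SSODL: <name> - {<CLSID>} - <path or (no file)>"
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
# MBAM registry-value line: "...\ShellServiceObjectDelayLoad\<name> (<detection>) -> <action>."
MBAM_SSODL_RE = re.compile(
    r"ShellServiceObjectDelayLoad\\(?P<name>\S+) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$"
)


@dataclass(frozen=True)
class SsodlEntry:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        # HijackThis prints "(no file)" when the DLL behind the CLSID is missing.
        return self.path.strip().lower() == "(no file)"


def parse_hjt_o21(log: str) -> list[SsodlEntry]:
    """Return every O21 SSODL line of a HijackThis log as a structured entry."""
    entries = []
    for line in log.splitlines():
        m = O21_RE.match(line.strip())
        if m:
            entries.append(SsodlEntry(m["name"], m["clsid"].upper(), m["path"].strip()))
    return entries


def parse_mbam_ssodl(log: str) -> dict[str, tuple[str, str]]:
    """Map SSODL value names found in an MBAM log to (detection, action)."""
    hits = {}
    for line in log.splitlines():
        m = MBAM_SSODL_RE.search(line)
        if m:
            hits[m["name"].lower()] = (m["detection"], m["action"])
    return hits


def classify(entries: list[SsodlEntry], mbam_hits: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Label each HijackThis SSODL entry by combining both logs.

    orphaned-remnant : DLL gone and MBAM already quarantined the value;
                       only the dead registration is left to remove.
    orphaned-unknown : DLL gone but nothing explains it; investigate.
    present-detected : MBAM flagged the value yet the DLL still exists;
                       the cleanup did not finish.
    present          : nothing in either log against this entry.
    """
    verdicts = {}
    for e in entries:
        detected = e.name.lower() in mbam_hits
        if e.orphaned and detected:
            verdicts[e.name] = "orphaned-remnant"
        elif e.orphaned:
            verdicts[e.name] = "orphaned-unknown"
        elif detected:
            verdicts[e.name] = "present-detected"
        else:
            verdicts[e.name] = "present"
    return verdicts


def report(hjt_log: str = HJT_LOG, mbam_log: str = MBAM_LOG) -> dict[str, str]:
    """Convenience wrapper: parse both logs and classify the SSODL entries."""
    return classify(parse_hjt_o21(hjt_log), parse_mbam_ssodl(mbam_log))


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12s} {verdict}")
```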
jpshortstuff
post Oct 8 2008, 06:33 AM
Post #2
SuperMember, Malware Team | Posts: 1,893 | Joined: 28-April 07 | From: UK | Member No.: 69,799
Operating System: Windows XP Media Center/Ubuntu Linux

Hi, and welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Sorry about the delay in responding :(

If you still need help:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :)

I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Also please describe how your computer behaves at the moment.

Thanks.
DesDope
post Oct 8 2008, 07:05 AM
Post #3
Authentic Member | Posts: 31 | Joined: 3-October 08 | Member No.: 81,789
Operating System: Windows XP

First of all, thank you for your response, jpshortstuff, very much appreciated. I did as you requested and will post the uninstall_list content straight away:



Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AGEIA PhysX v6.12.02
AMD CPUInfo
AMD Power Monitor
AsusUpdate
Avira AntiVir Personal - Free Antivirus
BaboViolent 2.11
Battlefield 2™
Battlefield 2: Special Forces
Broken Crescent
CCleaner (remove only)
CDBurnerXP Pro 3
CDDRV_Installer
DAEMON Tools Toolbar
Discworld II
DivX Content Uploader
DivX Web Player
Drakensang
Dual-Core Optimizer
DVD Shrink 3.2
EA SPORTS™ NBA LIVE 08
Fenimore Fillmore's Revenge
FileZilla (remove only)
FileZilla Server (remove only)
Football Manager 2008
Fourelle Venturi Personal Client 2.1.1
Geheimakte 2 - Puritas Cordis
GetDataBack for NTFS
GPRO Organiser
Hard to be a God
HijackThis 2.0.2
Hotfix für Windows XP (KB952287)
Impulse
Impulse
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2
Java™ 6 Update 7
KhalSetup
King's Bounty. The Legend (Remove Only)
Logitech Gaming Software
Logitech SetPoint
Machine Check Analysis Tool
Magic Stones
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Marvell Miniport Driver
Medieval II Total War
Medieval II Total War : Kingdoms : Americas
Medieval II Total War : Kingdoms : Britannia
Medieval II Total War : Kingdoms : Crusades
Medieval II Total War : Kingdoms : Teutonic
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows Media Video 9 VCM
Mozilla Firefox (2.0.0.17)
Mozilla Thunderbird (2.0.0.17)
MSXML 4.0 SP2 (KB936181)
MySQL Connector/ODBC 3.51
Nero 6 Ultra Edition
NHL® 08
No-IP.com DUC (remove only)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NvMixer
OpenOffice.org 2.1
PC Inspector File Recovery
PKR
Pokerkings
Pool Sharks
Pro Evolution Soccer 2008
Project Reality 0.75 Core
ProtectDisc Driver, Version 11
Railroad Tycoon 3
Realtek AC'97 Audio
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950749)
Sicherheitsupdate für Windows XP (KB950759)
Sicherheitsupdate für Windows XP (KB950760)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB953838)
Sicherheitsupdate für Windows XP (KB953839)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Warlords
Sid Meier's Civilization IV Colonization
Silent Storm
Skype™ 3.5
SpeedFan (remove only)
SPMT
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
StorageIT 2007
StuffIt Expander
Suite Specific
System Requirements Lab
TmNationsForever
Trillian
Typograf4.8f
UltraVNC v1.0.2
Update für Windows XP (KB951072-v2)
VideoLAN VLC media player 0.8.6a
Warcraft III
WC3Banlist
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
WinPcap 3.1
WinRAR Archivierer
WinUHA 2.0 RC1 (2005.02.27)




As for the behaviour of my PC... I tried not to use it in the last days and stick with my notebook whenever possible. But the one thing I noticed while typing this post was that I had 3 freezes lasting for 10-20 seconds each (I could type in the background and the text would show up once the freeze was over). These freezes occurred in a time span of approx. 2 minutes and since then nothing. I also realised that yesterday when I had to finish a project - sometimes it simply freezes for quite a long time and then I can go on for an hour with no noticeable slow-down or freeze at all.

Thanks again for your efforts, I hope we will be able to get the PC fixed - otherwise I will have to format and reinstall... well, here is hope. :)
jpshortstuff
post Oct 8 2008, 07:16 AM
Post #4
SuperMember, Malware Team | Posts: 1,893 | Joined: 28-April 07 | From: UK | Member No.: 69,799
Operating System: Windows XP Media Center/Ubuntu Linux

Hi :)

You have the DAEMON Tools Toolbar installed on your computer. This is an Adware toolbar that is bundled with the DAEMON tools programs, and is often installed without the user's permission. For more information, see here:
http://www.bleepingcomputer.com/uninstall/...emon-Tools.html
http://www.systemlookup.com/lists.php?list...9A-4E364A424E17

You can uninstall this program by clicking Start >> Control Panel >> Add/Remove Programs.

Remove Poker programs
From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.
I would advise you to go to Add/Remove programs and uninstall your poker programs, namely these ones:
Pokerkings

Here are links to some poker sites regarded as safe for your reference.
1. http://www.pokerstars.net/ - This is a free to use/play site with play money.
2. http://www.pokerstars.com/ - This is a free to use/play site with play money and real money.

You can also uninstall these two Add/Remove entries:
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2

They are outdated and not required (you have the latest version installed already).


I need a fresh HijackThis log as a lot can change in 5 days. Please start HijackThis, and then click Do A System Scan and Save A Logfile, posting the log in your next reply. Then we can begin the cleaning process.

Thanks.
DesDope
post Oct 8 2008, 07:33 AM
Post #5
Authentic Member | Posts: 31 | Joined: 3-October 08 | Member No.: 81,789
Operating System: Windows XP

I uninstalled Daemon Tools Toolbar, PokerKings, J2SE Runtime Environment 5.0 Update 11 and Java™ 6 Update 2 (the reason for the Poker programs is my side job as an affiliate - but since we currently do not promote PokerKings I gladly uninstalled their client ;) ). Daemon Tools is still installed, but as I understood it, the Toolbar is the problem (and I definitely do not remember allowing a toolbar to be installed, as I generally decline such requests). I will copy & paste the new content of HJT's uninstall_list.txt file (just in case) and the HJT log of the system scan underneath.



Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AGEIA PhysX v6.12.02
AMD CPUInfo
AMD Power Monitor
AsusUpdate
Avira AntiVir Personal - Free Antivirus
BaboViolent 2.11
Battlefield 2™
Battlefield 2: Special Forces
Broken Crescent
CCleaner (remove only)
CDBurnerXP Pro 3
CDDRV_Installer
Discworld II
DivX Content Uploader
DivX Web Player
Drakensang
Dual-Core Optimizer
DVD Shrink 3.2
EA SPORTS™ NBA LIVE 08
Fenimore Fillmore's Revenge
FileZilla (remove only)
FileZilla Server (remove only)
Football Manager 2008
Fourelle Venturi Personal Client 2.1.1
Geheimakte 2 - Puritas Cordis
GetDataBack for NTFS
GPRO Organiser
Hard to be a God
HijackThis 2.0.2
Hotfix für Windows XP (KB952287)
Impulse
Impulse
Java™ 6 Update 7
KhalSetup
King's Bounty. The Legend (Remove Only)
Logitech Gaming Software
Logitech SetPoint
Machine Check Analysis Tool
Magic Stones
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Marvell Miniport Driver
Medieval II Total War
Medieval II Total War : Kingdoms : Americas
Medieval II Total War : Kingdoms : Britannia
Medieval II Total War : Kingdoms : Crusades
Medieval II Total War : Kingdoms : Teutonic
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows Media Video 9 VCM
Mozilla Firefox (2.0.0.17)
Mozilla Thunderbird (2.0.0.17)
MSXML 4.0 SP2 (KB936181)
MySQL Connector/ODBC 3.51
Nero 6 Ultra Edition
NHL® 08
No-IP.com DUC (remove only)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NvMixer
OpenOffice.org 2.1
PC Inspector File Recovery
PKR
Pool Sharks
Pro Evolution Soccer 2008
Project Reality 0.75 Core
ProtectDisc Driver, Version 11
Railroad Tycoon 3
Realtek AC'97 Audio
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950749)
Sicherheitsupdate für Windows XP (KB950759)
Sicherheitsupdate für Windows XP (KB950760)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB953838)
Sicherheitsupdate für Windows XP (KB953839)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Warlords
Sid Meier's Civilization IV Colonization
Silent Storm
Skype™ 3.5
SpeedFan (remove only)
SPMT
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
StorageIT 2007
StuffIt Expander
Suite Specific
System Requirements Lab
TmNationsForever
Trillian
Typograf4.8f
UltraVNC v1.0.2
Update für Windows XP (KB951072-v2)
VideoLAN VLC media player 0.8.6a
Warcraft III
WC3Banlist
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
WinPcap 3.1
WinRAR Archivierer
WinUHA 2.0 RC1 (2005.02.27)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32:14, on 08.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
f:\Programme\FileZilla Server\FileZilla Server.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\runservice.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
F:\Programme\StorageIT 2007\StorageItService.exe
C:\Program Files\Venturi2\Client\ventc.exe
f:\Programme\UltraVNC\WinVNC.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Programme\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
F:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
F:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Darkfix.exe
F:\Programme\StorageIT 2007\StorageItAgent.exe
F:\Programme\Spybot - Search & Destroy\TeaTimer.exe
F:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\No-IP\DUC20.exe
F:\Programme\OpenOffice.org 2.1\program\soffice.exe
F:\Programme\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinVNC] "f:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "F:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gamma] F:\Darkfix.exe -silent
O4 - HKLM\..\Run: [SitAgent] F:\Programme\StorageIT 2007\StorageItAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup2] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP002.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup3] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP003.TMP\"
O4 - HKLM\..\RunOnce: [wextract_cleanup4] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\kurtl\LOKALE~1\Temp\IXP004.TMP\"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: No-IP DUC.lnk = C:\Programme\No-IP\DUC20.exe
O4 - Startup: OpenOffice.org 2.1.lnk = F:\Programme\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://F:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEF587A-542B-47FF-AC75-3D5745A29020}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C799A3B1-E9CE-4FB1-B181-2D3870F85A62}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: onfwbsak - {31597EA0-A0E3-4B8A-B80C-735CADB2776B} - (no file)
O21 - SSODL: rwlfsdmk - {29E4ACCE-2097-4DE7-A063-38AD23B30942} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - F:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - f:\Programme\FileZilla Server\FileZilla Server.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StorageItService - Storage IT Oy - F:\Programme\StorageIT 2007\StorageItService.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - f:\Programme\UltraVNC\WinVNC.exe

--
End of file - 9772 bytes
Again, thanks for your effort!!
jpshortstuff
post Oct 8 2008, 07:44 AM
Post #6
SuperMember
Group: Malware Team
Posts: 1,893
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP Media Center/Ubuntu Linux

Hi :)

Apologies, I missed this in your uninstall list:
PKR
It appears to be another Poker program. Same recommendations as above. Is this the same as:
C:\Poker\Titan Poker\casino.exe << or is this another program altogether?


OK, let's get going.

Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O21 - SSODL: onfwbsak - {31597EA0-A0E3-4B8A-B80C-735CADB2776B} - (no file)
O21 - SSODL: rwlfsdmk - {29E4ACCE-2097-4DE7-A063-38AD23B30942} - (no file)


Close all browsers and windows except for HijackThis and click Fix Checked.

Please reboot your computer.


Now, please update Malwarebytes' Anti-Malware and run the program again. If it finds anything, please post the log here (after fixing what it finds). If not, please let me know (no need to post the log).

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply, along with a fresh HijackThis log.

Thanks.
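The two items jpshortstuff asks to have ticked above are both SSODL (ShellServiceObjectDelayLoad) registrations whose CLSID no longer resolves to any file, which HijackThis reports as "(no file)"; "Fix Checked" simply deletes the registry value, since there is nothing on disk left to remove. As an added example (not part of the original thread and not HijackThis code), the following Python script parses HJT v2 entry lines into their fields, picks out every registration whose target is such an orphan marker, and checks which of a helper's "if present" lines actually occur in a fresh log. It generalizes the rule from O21 to any CLSID-bearing section (O2, O3, O9, O18, O21). The sample log is constructed from lines of the log posted above; the "(file missing)" marker for service entries is an assumption about HJT's output, not something shown on this page.

```python
"""Triage of HijackThis (HJT) v2 log entries: find registry registrations that
point at a file which no longer exists. Added example for this thread; not part
of HijackThis or of the original posts."""
import re
from typing import List, NamedTuple, Optional

# An HJT entry line: section code, entry kind, then the entry body,
# e.g. "O21 - SSODL: onfwbsak - {31597EA0-...} - (no file)"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# A COM class id in braces, as HJT prints it for BHOs, toolbars, SSODL entries etc.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HJT uses when the registered target is not on disk. "(no file)" is
# taken from the posted log; "(file missing)" is assumed here for O23 services.
ORPHAN_MARKERS = {"(no file)", "(file missing)"}


class Entry(NamedTuple):
    section: str  # e.g. "O21"
    kind: str     # e.g. "SSODL", "BHO", "Service"
    name: str     # display name as HJT prints it (for O23 this includes the vendor)
    clsid: str    # "{...}" if the entry carries a CLSID, else ""
    target: str   # resolved file path / command line, or an orphan marker
    raw: str      # the original line, for comparison against a helper's fix list


def parse_hjt_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into its fields; returns None for non-entry lines
    (log header, running-process list, 'End of file', blanks, O6 policy lines)."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, kind, body = m.groups()
    if section == "O4":
        # Run-key entries: "[value name] command line" or "file.lnk = target".
        # No CLSID here, and the command line itself may contain ' - '.
        nm = re.match(r"^\[(.*?)\] (.*)$", body)
        if nm:
            return Entry(section, kind, nm.group(1), "", nm.group(2), line)
        return Entry(section, kind, "", "", body, line)
    c = CLSID_RE.search(body)
    if c:
        # "name - {CLSID} - target": split around the CLSID so that ' - ' inside
        # a path (e.g. 'Spybot - Search & Destroy') cannot confuse the split.
        name = body[:c.start()].rstrip(" -")
        target = body[c.end():].lstrip(" -")
        return Entry(section, kind, name, c.group(0), target, line)
    # No CLSID (O8, O17, O23, ...): the target is the last ' - ' separated field.
    name, _, target = body.rpartition(" - ")
    return Entry(section, kind, name, "", target, line)


def find_orphans(log_text: str) -> List[Entry]:
    """Entries whose registered target no longer exists on disk. These are the
    items a helper asks you to tick and 'Fix Checked': HJT deletes the registry
    value, since there is no file left to remove."""
    found = []
    for line in log_text.splitlines():
        e = parse_hjt_entry(line)
        if e is not None and e.target in ORPHAN_MARKERS:
            found.append(e)
    return found


def still_present(log_text: str, requested: List[str]) -> List[str]:
    """Of the lines a helper asked you to fix 'if present', return those that
    actually occur in this (fresh) log, ignoring whitespace differences."""
    have = {" ".join(l.split()) for l in log_text.splitlines()}
    return [r for r in requested if " ".join(r.split()) in have]


# Constructed sample: a few lines taken from the log posted above, plus the
# header and footer lines HJT writes, so the non-entry filtering is exercised.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] f:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O21 - SSODL: onfwbsak - {31597EA0-A0E3-4B8A-B80C-735CADB2776B} - (no file)
O21 - SSODL: rwlfsdmk - {29E4ACCE-2097-4DE7-A063-38AD23B30942} - (no file)
O23 - Service: VNC Server (winvnc) - UltraVNC - f:\Programme\UltraVNC\WinVNC.exe
--
End of file - 9772 bytes
"""

if __name__ == "__main__":
    for e in find_orphans(SAMPLE_LOG):
        print(f"{e.section} {e.kind}: {e.name} {e.clsid} -> {e.target}")
```

Run against the sample, `find_orphans` returns exactly the two O21 entries from the post; the BHO, Run-key and service lines are parsed but not flagged because their targets resolve to a path. Splitting around the CLSID rather than on " - " matters on this very log, where "Spybot - Search & Destroy" appears inside paths.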
DesDope
post Oct 8 2008, 08:32 AM
Post #7

Indeed, PKR is another poker program. As for the casino.exe by Titan Poker... I am actually dazzled at that being there. I will remove both of them. Unfortunately I have to leave for a meeting now, but I will continue according to your advice as soon as I return. Thank you very much for your efforts!!!
jpshortstuff
post Oct 8 2008, 08:36 AM
Post #8