Internet Explorer has been hijacked


This topic is locked
5 replies to this topic

#1 Scouts01

Scouts01

    Member

  • Full Member
  • 2 posts

Posted 12 June 2007 - 10:33 AM

Hello,

I have a big problem with Internet Explorer. If I use Google to search for things, the following happens. After the search completes I click on a link to go and have a look at the page. At the bottom, the browser shows the correct link. Then it says it is accessing the selected page; shortly afterwards it changes and I get rerouted to another page. I don't get rerouted to the same page, but to different ones. Sometimes a popup appears as well. I ran 5 different Anti-Spam programs, but none of them could fix the problem.

Please someone help
Thanks


Here is the HijackThis Logfile

Logfile of HijackThis v1.99.1
Scan saved at 16:33:13, on 12.06.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\Pcomnt\PCS_AGNT.EXE
C:\CMF\CMFTDF\CMFWPDF.EXE
C:\WINDOWS\System32\eelogsvc.exe
C:\WINDOWS\System32\eelssrv.exe
C:\EIA\SDA\QckAuditSvr.exe
C:\EIA\USAGE\UsageSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\wm.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Pcomnt\tpam.exe
C:\Program Files\Common Files\Entrust\ESP\eesystry.exe
C:\Program Files\Common Files\Entrust\ESP\eecwatch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\eelssrv.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Star Alliance Auto Update Conduit (English)\en\st_conduit_en.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebase.dlh.de/irj/public/de/lsg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ebase.dlh.de/...ion/cess/deutsc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebase.dlh.de/irj/public/de/lsg
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A543CD96-EFF3-C298-8F15-83897F0826C8} - C:\WINDOWS\cuuvd1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [CMF User Note] C:\CMF\CMF\CMFUNOTE.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\Pcomnt\tpam.exe"
O4 - HKLM\..\Run: [Mufix] C:\PROGRA~1\INFOCO~1\ACCMGR32\mufix.exe
O4 - HKLM\..\Run: [eelstray] "C:\Program Files\Common Files\Entrust\ESP\eesystry.exe"
O4 - HKLM\..\Run: [espwatchdog] "C:\Program Files\Common Files\Entrust\ESP\eecwatch.exe"
O4 - HKLM\..\Run: [bginfo] "C:\Windows\bginfo.exe" C:\Windows\bginfo.bgi /timer:0
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Hardcopy] "C:\Program Files\Hardcopy\hardcopy.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] "C:\Program Files\FreePDF_XP\fpassist.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\AccessXP\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Snapware.lnk = C:\Program Files\Snapware\Snapware.exe
O4 - Global Startup: Star Alliance Auto Update Conduit (English).lnk = C:\Program Files\Star Alliance Auto Update Conduit (English)\en\st_conduit_en.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ebase.dlh.de/irj/public/de/lsg/region/cess/deutsc
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.lsgsc.com
O17 - HKLM\Software\..\Telephony: DomainName = emea.lsgsc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{540F8CCD-3EB2-4F8D-89A4-96D2EA1A72A6}: NameServer = 10.102.16.20,10.103.103.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.lsgsc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nds.dlh.de,ads.dlh.de,sap.fra.dlh.de,dlh.de,emea.lsgsc.com,lsgsc.com,skychefs.com,zb.lsg.fra.dlh.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nds.dlh.de,ads.dlh.de,sap.fra.dlh.de,dlh.de,emea.lsgsc.com,lsgsc.com,skychefs.com,zb.lsg.fra.dlh.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - C:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: EESP - C:\WINDOWS\System32\eelsto.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\System32\Drivers\appnnode.exe
O23 - Service: CMF PDF - LAN SuperVision, Inc. - C:\CMF\CMFTDF\CMFWPDF.EXE
O23 - Service: CMF Windows Installer - LAN SuperVision Inc. - C:\CMF\CMFTDF\CMFWINST.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Entrust Entelligence Logging Service (eelogsvc) - Entrust® - C:\WINDOWS\System32\eelogsvc.exe
O23 - Service: Entrust Entelligence Login Service (EELSService) - Entrust® - C:\WINDOWS\System32\eelssrv.exe
O23 - Service: EIA Auditor - Unknown owner - C:\EIA\ETS\EIATSService.exe
O23 - Service: EIA PMP Server (EIAPMP) - Unknown owner - C:\EIA\SDA\QckAuditSvr.exe
O23 - Service: EIA Usage Tracker (EIAUsage) - Lan Supervision - C:\EIA\USAGE\UsageSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM Tracefunktion (TrcBoot) - IBM Corporation - C:\WINDOWS\System32\Drivers\trcboot.exe
O23 - Service: Webroot Spy Sweeper-Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 15 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 19 June 2007 - 10:23 AM

Hi,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch; if it does, close it.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click "Options" over to the left, then "Program Options", and uncheck "Load at Windows startup".
  • Over to the left click "Shields" and uncheck all there.
  • Uncheck "Home page shield".
  • Uncheck "Automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.


Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A543CD96-EFF3-C298-8F15-83897F0826C8} - C:\WINDOWS\cuuvd1.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67


Click on Fix Checked when finished and exit HijackThis.

Delete this file in bold if found.

C:\WINDOWS\cuuvd1.dll

You need to restart your computer again.

Enable SpySweeper.

Note:

If you have problems with your internet connection after this fix, try this.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.


Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
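
The entries nasdaq singles out above (the two O17 NameServer lines pointing at 85.255.x.x and the nameless O2 BHO in C:\WINDOWS) can be picked out mechanically from a HijackThis log. The script below is an added example, not part of this thread and not HijackThis code: it parses O17 and O2 lines (the sample lines are copied from the log posted above) and reports NameServer values that point at public addresses on a host that is domain-joined or whose per-adapter DNS is private, plus any BHO whose DLL sits directly in C:\WINDOWS under a generic display name. The function and regex names are my own choices.

```python
"""Triage helper for HijackThis O17 (DNS) and O2 (BHO) lines.

Added example; not part of the forum thread or of HijackThis itself.
Heuristics:
  * an O17 NameServer pointing at a public address is only reported
    when the same log shows the host is domain-joined or already has
    private (RFC 1918) resolvers on an adapter, which is the context
    in which a public global resolver is out of place;
  * an O2 BHO with a generic name whose DLL lives straight in C:\WINDOWS
    (not System32 or Program Files) is reported as out of place.
"""
import ipaddress
import re

# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A543CD96-EFF3-C298-8F15-83897F0826C8} - C:\WINDOWS\cuuvd1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{540F8CCD-3EB2-4F8D-89A4-96D2EA1A72A6}: NameServer = 10.102.16.20,10.103.103.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.154 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.lsgsc.com
"""

O17_NS_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O17_DOMAIN_RE = re.compile(r"^O17 - \S+: Domain = \S+$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_nameservers(value):
    """HijackThis prints resolvers separated by commas or spaces."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def is_public(ip_text):
    """True for a routable unicast address; False for private/loopback/garbage."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def bho_is_suspicious(name, path):
    """Generic display name plus a DLL dropped directly into %WINDIR%."""
    parent = path.rsplit("\\", 1)[0].lower()
    return name.strip().lower() in ("class", "(no name)", "") and parent == "c:\\windows"


def triage(log_text):
    """Return a list of (section, key_or_clsid, [values]) findings."""
    o17_entries, bho_findings = [], []
    domain_joined = private_seen = False
    for line in log_text.splitlines():
        m = O17_NS_RE.match(line)
        if m:
            servers = parse_nameservers(m["servers"])
            private_seen |= any(not is_public(s) for s in servers)
            o17_entries.append((m["key"], servers))
            continue
        if O17_DOMAIN_RE.match(line):
            domain_joined = True
            continue
        m = O2_RE.match(line)
        if m and bho_is_suspicious(m["name"], m["path"]):
            bho_findings.append(("O2", m["clsid"], [m["path"]]))

    findings = list(bho_findings)
    # Only judge public resolvers against evidence of an internal setup.
    if domain_joined or private_seen:
        for key, servers in o17_entries:
            public = [s for s in servers if is_public(s)]
            if public:
                findings.append(("O17", key, public))
    return findings


if __name__ == "__main__":
    for section, ident, values in triage(SAMPLE_LOG):
        print(f"{section}: {ident} -> {', '.join(values)}")
```

A public resolver is not malicious by itself, which is why the script uses the 10.x adapter entries and the Domain line as context rather than reporting them: the finding is the global Tcpip\Parameters NameServer that disagrees with the host's own internal configuration, exactly the pair of lines the fix above asks to remove.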

#4 Scouts01

Scouts01

    Member

  • Full Member
  • 2 posts

Posted 22 June 2007 - 10:40 AM

Hello,

Thanks a lot, it worked.

Still sending you the logs, in case you want to have a look at them.


HIJACK-LOG
Logfile of HijackThis v1.99.1
Scan saved at 15:11:42, on 21.06.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\Pcomnt\PCS_AGNT.EXE
C:\CMF\CMFTDF\CMFWPDF.EXE
C:\WINDOWS\System32\eelogsvc.exe
C:\WINDOWS\System32\eelssrv.exe
C:\EIA\ETS\EIATSService.exe
C:\EIA\SDA\QckAuditSvr.exe
C:\EIA\USAGE\UsageSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wm.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Pcomnt\tpam.exe
C:\Program Files\Common Files\Entrust\ESP\eesystry.exe
C:\Program Files\Common Files\Entrust\ESP\eecwatch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\eelssrv.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Star Alliance Auto Update Conduit (English)\en\st_conduit_en.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebase.dlh.de/irj/public/de/lsg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ebase.dlh.de/...ion/cess/deutsc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebase.dlh.de/irj/public/de/lsg
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [CMF User Note] C:\CMF\CMF\CMFUNOTE.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\Pcomnt\tpam.exe"
O4 - HKLM\..\Run: [Mufix] C:\PROGRA~1\INFOCO~1\ACCMGR32\mufix.exe
O4 - HKLM\..\Run: [eelstray] "C:\Program Files\Common Files\Entrust\ESP\eesystry.exe"
O4 - HKLM\..\Run: [espwatchdog] "C:\Program Files\Common Files\Entrust\ESP\eecwatch.exe"
O4 - HKLM\..\Run: [bginfo] "C:\Windows\bginfo.exe" C:\Windows\bginfo.bgi /timer:0
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Hardcopy] "C:\Program Files\Hardcopy\hardcopy.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] "C:\Program Files\FreePDF_XP\fpassist.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\AccessXP\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Snapware.lnk = C:\Program Files\Snapware\Snapware.exe
O4 - Global Startup: Star Alliance Auto Update Conduit (English).lnk = C:\Program Files\Star Alliance Auto Update Conduit (English)\en\st_conduit_en.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ebase.dlh.de/irj/public/de/lsg/region/cess/deutsc
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.lsgsc.com
O17 - HKLM\Software\..\Telephony: DomainName = emea.lsgsc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.lsgsc.com
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - C:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: EESP - C:\WINDOWS\System32\eelsto.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\System32\Drivers\appnnode.exe
O23 - Service: CMF PDF - LAN SuperVision, Inc. - C:\CMF\CMFTDF\CMFWPDF.EXE
O23 - Service: CMF Windows Installer - LAN SuperVision Inc. - C:\CMF\CMFTDF\CMFWINST.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Entrust Entelligence Logging Service (eelogsvc) - Entrust® - C:\WINDOWS\System32\eelogsvc.exe
O23 - Service: Entrust Entelligence Login Service (EELSService) - Entrust® - C:\WINDOWS\System32\eelssrv.exe
O23 - Service: EIA Auditor - Unknown owner - C:\EIA\ETS\EIATSService.exe
O23 - Service: EIA PMP Server (EIAPMP) - Unknown owner - C:\EIA\SDA\QckAuditSvr.exe
O23 - Service: EIA Usage Tracker (EIAUsage) - Lan Supervision - C:\EIA\USAGE\UsageSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM Tracefunktion (TrcBoot) - IBM Corporation - C:\WINDOWS\System32\Drivers\trcboot.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe


FIXWAREOUT-LOG
Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfvj.exe"

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\Temp\kdfvj.ren 66575 29.08.2002

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="\"C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE\" /SYNC"
"PHIME2002A"="\"C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE\" /IMEName"
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\System32\\igfxpers.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="\"C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe\" /SYNC"
"CMF User Note"="C:\\CMF\\CMF\\CMFUNOTE.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Tpam.exe"="\"C:\\Program Files\\Pcomnt\\tpam.exe\""
"Mufix"="C:\\PROGRA~1\\INFOCO~1\\ACCMGR32\\mufix.exe"
"eelstray"="\"C:\\Program Files\\Common Files\\Entrust\\ESP\\eesystry.exe\""
"espwatchdog"="\"C:\\Program Files\\Common Files\\Entrust\\ESP\\eecwatch.exe\""
"bginfo"="\"C:\\Windows\\bginfo.exe\" C:\\Windows\\bginfo.bgi /timer:0"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"Hardcopy"="\"C:\\Program Files\\Hardcopy\\hardcopy.exe\""
"FreePDF Assistant"="\"C:\\Program Files\\FreePDF_XP\\fpassist.exe\""
"Apoint"="\"C:\\Program Files\\Apoint\\Apoint.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"IndexSearch"="\"C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe\""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 22 June 2007 - 03:47 PM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 03 July 2007 - 06:59 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq



