#1
Junior Member
Join Date: Apr 2007
Posts: 8
Hello,
I apparently have exactly the same problem as the one discussed in this thread: http://forums.spybot.info/showthread...ferrerid=21334 Neither Spybot nor Symantec Antivirus 10 can be installed... the exe disappears immediately. I'll run HijackThis and F-Secure BlackLight and will post the results here. It would be great if someone could help me! Thanks. Luigi01

#2
Member of Team Spybot
Join Date: Oct 2005
Location: Nordhorn/Germany
Posts: 842
Go ahead and post all the info. It would be helpful if you could rename hijackthis.exe to test.com before starting it.
__________________
Best regards, Ralf

#3
Junior Member
Join Date: Apr 2007
Posts: 8
Hi, so step 1 from the thread mentioned above has already helped... BlackLight found 4 hidden processes, which I renamed with the tool: hldrrr.exe, wintems.exe, hidr.exe, m_hook.sys
After rebooting I was now able to install Spybot. The scan is still running.... I renamed hijackthis to test.com; here is the result:

#4
Junior Member
Join Date: Apr 2007
Posts: 8
...and here is the Spybot result. Should I now let it "fix the problems automatically"?
Win32.Bagle.E: Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_USERS\S-1-5-21-2836882446-377384034-3348228968-500\Software\DateTime4
CasaleMedia: Verfolgender Cookie (Internet Explorer: Administrator) (Cookie, nothing done)

#5
Member of Team Spybot
Join Date: Oct 2005
Location: Nordhorn/Germany
Posts: 842
Since I suspect that the machine is also used as a company computer, I don't know to what extent you are allowed to do anything on it. It would be good if you got permission for that, or had the person responsible for the machine do it.
Just this much for now. Check whether these files are still there:
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\System32\wins.exe (this one is there)
Please test both files here: http://www.virustotal.com/en/indexf.html and post the result. If the service is overloaded, send the files as a password-protected archive to
__________________
Best regards, Ralf

#6
Junior Member
Join Date: Apr 2007
Posts: 8
Hi Ralf,
I'm allowed to do whatever I want on the server. It is my private server that I run for myself at home.... yes, such things do exist! So I let Spybot fix the two registry entries. Regarding the files... there is the renamed wintems.exe.ren and wins.exe; I did not test wintems.exe.ren.

Complete scanning result of "wins.exe", received in VirusTotal at 04.18.2007, 19:30:32 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 no virus found
CAT-QuickHeal 9.00 04.18.2007 no virus found
ClamAV devel-20070416 04.18.2007 no virus found
DrWeb 4.33 04.18.2007 no virus found
eSafe 7.0.15.0 04.18.2007 no virus found
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 no virus found
FileAdvisor 1 04.18.2007 No threat detected
Fortinet 2.85.0.0 04.18.2007 no virus found
F-Prot 4.3.2.48 04.17.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 no virus found
Ikarus T3.1.1.5 04.18.2007 no virus found
Kaspersky 4.0.2.24 04.18.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.18.2007 no virus found
NOD32v2 2202 04.18.2007 no virus found
Norman 5.80.02 04.18.2007 no virus found
Panda 9.0.0.4 04.18.2007 no virus found
Prevx1 V2 04.18.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.18.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1

What's next?

#7
Member of Team Spybot
Join Date: Oct 2005
Location: Nordhorn/Germany
Posts: 842
Then please send both files to
Please also use ComboFix: http://virus-protect.org/artikel/tools/combofix.html and fix the following items in HijackThis (tick them and press "Fix checked"):
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [ISUSPM] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Administrator\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
For a server it is really important to be "clean". You should therefore also consider a reinstallation, or restoring a clean backup. I don't know how you use the server, but the fact that a Bagle or Warezov caught you there leads me to suspect that you use the machine for more than just server operation. Well, that is probably not unusual for a private machine.......
__________________
Best regards, Ralf
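
Added example, not part of the original thread and not code from Spybot or HijackThis: a Python sketch that parses the O4 autostart lines quoted in post #7 and matches them against the file names BlackLight reported as hidden in post #3, showing which Run entries load those files and which hidden file has no O4 entry at all. The function names and the list of executable extensions are assumptions of this example.

```python
import ntpath
import re

# File names F-Secure BlackLight reported as hidden (post #3).
HIDDEN_FILES = ["hldrrr.exe", "wintems.exe", "hidr.exe", "m_hook.sys"]

# O4 (autostart) lines as quoted in post #7.
SAMPLE_O4 = r'''
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [ISUSPM] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Administrator\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
'''

# Registry autostart:  O4 - HKLM\..\Run: [value name] command line
REG_RE = re.compile(
    r'^O4 - (?P<loc>HK\w+\\\.\.\\[^:]+): \[(?P<name>.*?)\] (?P<cmd>.+)$')
# Startup folder:      O4 - Global Startup: shortcut.lnk = target
STARTUP_RE = re.compile(
    r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# Unquoted paths may contain spaces, so cut at the first executable
# extension that is followed by whitespace or end of line (assumed list).
EXE_RE = re.compile(r'^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)',
                    re.IGNORECASE)


def target_path(cmd):
    """Return the program path from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    match = EXE_RE.match(cmd)
    # Fallback covers forms such as "RunDll32 some.cpl,Entry".
    return match.group(1) if match else cmd.split()[0]


def parse_o4(line):
    """Parse one HijackThis O4 line; return None for any other line."""
    line = line.strip()
    match = REG_RE.match(line) or STARTUP_RE.match(line)
    if not match:
        return None
    path = target_path(match.group('cmd'))
    return {
        'location': match.group('loc'),
        'name': match.group('name'),
        'path': path,
        # ntpath handles Windows paths on any OS; compare case-insensitively.
        'file': ntpath.basename(path).lower(),
    }


def correlate(log_text, hidden_files):
    """Match O4 entries against file names a rootkit scanner reported.

    Returns (hits, unreferenced): the O4 entries that start a hidden file,
    and the hidden file names that no O4 entry points to.
    """
    hidden = {name.lower() for name in hidden_files}
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and entry['file'] in hidden:
            hits.append(entry)
    unreferenced = sorted(hidden - {entry['file'] for entry in hits})
    return hits, unreferenced


if __name__ == "__main__":
    hits, unreferenced = correlate(SAMPLE_O4, HIDDEN_FILES)
    for entry in hits:
        print(f"{entry['location']} [{entry['name']}] -> {entry['path']}")
    print("hidden files without an O4 entry:", ", ".join(unreferenced))
```

The value name gives no hint of the target here ([german.exe] starts wintems.exe, [drvsyskit] starts hidr.exe), which is why the match is made on the file the entry launches. m_hook.sys comes back unreferenced, so removing the Run entries alone does not account for it.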

#8
Junior Member
Join Date: Apr 2007
Posts: 8
Hi Ralf,
thanks for the great help! Yes, the server is used for all sorts of things... mainly for video, internet, photos etc., and also for downloads/uploads... that must be where it happened. I have mailed the files. However, I get an error message back from the mail server: <virus@rokop-xecurity.de>: Sorry, I couldn't find any host named rokop-xecurity.de. Deleted the keys with HijackThis.... they were gone on a new scan. Here is the ComboFix log:
|
|
|
|
|
#9 |
|
Member of Team Spybot
Join Date: Oct 2005
Location: Nordhorn/Germany
Posts: 842
|
Sorry, I made a typo in the address. Must be
Please also run datfindbat (the last 30 days are enough): http://virus-protect.org/datfindbat.html
I just need to check to what extent Combofix is compatible with Win2003.
__________________
Kind regards, Ralf |
|
|
|
|
|
#10 |
|
Junior Member
Join Date: Apr 2007
Posts: 8
|
ok .... I've mailed it again.
Here are the datfindbat logs:

Volume in drive C is System
Volume Serial Number is 383B-1F03
Directory of C:\WINDOWS\system32
18.04.2007 17:47 13.646 wpa.dbl
18.04.2007 17:21 5.581 ban_list.txt
17.04.2007 22:08 472.620 perfh009.dat
17.04.2007 22:08 85.564 perfc009.dat
17.04.2007 22:08 568.094 PerfStringBackup.INI
16.04.2007 21:58 24.645 wintems.exe.ren
06.04.2007 02:20 110.192 FNTCACHE.DAT
03.04.2007 22:48 13.511.640 MRT.exe
21.03.2007 06:31 299.520 winsrv.dll
21.03.2007 00:36 14.640 spmsg.dll
19.03.2007 16:35 4.096 w03a2409.dll
06.03.2007 19:55 100 chk-driver.log
05.03.2007 11:40 2.452.480 ntoskrnl.exe
05.03.2007 11:12 2.306.560 ntkrnlpa.exe
02.03.2007 08:10 41.472 mf3216.dll
02.03.2007 08:10 588.800 user32.dll
02.03.2007 08:10 283.648 gdi32.dll
01.03.2007 14:44 1.851.904 win32k.sys
18.02.2007 04:03 122.198 TZLog.log
...

Volume in drive C is System
Volume Serial Number is 383B-1F03
Directory of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
18.04.2007 21:28 426 AcrA02B.tmp
18.04.2007 21:28 426 AcrA02A.tmp
18.04.2007 21:27 20 Serverluigi01.log
3 File(s) 872 bytes
0 Dir(s) 7.226.655.232 bytes free

Directory of C:\WINDOWS
18.04.2007 21:24 236.240 setupapi.log
18.04.2007 21:20 619 win.ini
18.04.2007 17:42 0 0.log
18.04.2007 17:42 2.048 bootstat.dat
18.04.2007 17:39 1.449.047 WindowsUpdate.log
18.04.2007 09:40 1.072.205.824 MEMORY.DMP
18.04.2007 09:24 24.674 PFRO.log
17.04.2007 01:33 116 NeroDigital.ini
16.04.2007 16:38 21.738 ODBC.INI
13.04.2007 03:00 186.370 comsetup.log
13.04.2007 03:00 125.347 ntdtcsetup.log
13.04.2007 03:00 9.758 KB901190.log
13.04.2007 03:00 115.530 certocm.log
13.04.2007 03:00 258.868 tsoc.log
13.04.2007 03:00 1.017.998 iis6.log
13.04.2007 03:00 3.423 imsins.log
13.04.2007 03:00 375.003 ocgen.log
13.04.2007 03:00 23.590 pop3oc.log
13.04.2007 03:00 49.496 LicenOc.log
13.04.2007 03:00 85.544 aspnetocm.log
13.04.2007 03:00 107.618 netfxocm.log
13.04.2007 03:00 231.792 msmqinst.log
13.04.2007 03:00 589.604 FaxSetup.log
13.04.2007 03:00 307.854 uddisetup.log
11.04.2007 12:25 15.395 KB930178.log
11.04.2007 12:25 3.423 imsins.BAK
11.04.2007 12:24 42.534 updspapi.log
11.04.2007 12:24 10.978 KB931784.log
11.04.2007 12:23 13.723 KB932168.log
11.04.2007 01:58 4.549 ODBCINST.INI
11.04.2007 00:57 27.056 Directx.log
05.04.2007 03:00 10.187 KB925902.log
06.03.2007 20:12 1.145.478 dirinst.log
06.03.2007 20:00 4.514 smbusdriver.log
18.02.2007 04:03 27.118 KB931836.log
18.02.2007 04:03 15.219 KB918118.log
18.02.2007 04:02 11.127 KB928090-IE7.log
18.02.2007 04:02 11.444 KB928843.log
18.02.2007 04:02 5.524 KB924667.log
18.02.2007 04:01 11.275 KB926436.log
18.02.2007 04:01 11.895 KB928255.log
11.01.2007 04:00 3.531 KB929969.log
...

Volume in drive C is System
Volume Serial Number is 383B-1F03
Directory of C:\WINDOWS\Temp
18.04.2007 21:25 2.132.386 vpremote.log
18.04.2007 21:24 8.382 SYMEVENT.LOG
18.04.2007 21:22 28.160 mso2D.tmp
27.09.2006 20:34 461.552 Transman.dll
4 File(s) 2.630.480 bytes
0 Dir(s) 7.226.637.824 bytes free

Volume in drive C is System
Volume Serial Number is 383B-1F03
Directory of C:\WINDOWS\Downloaded Program Files
16.04.2007 06:03 69.561 vet.da1
04.04.2007 02:08 7.723.784 vet.dat
03.04.2007 03:50 1.021.504 vete.dll
07.03.2007 05:56 300.680 arclib.dll
... |