PDA

View Full Version : Extremely slow computer, trojan warnings


Lupelu
2008-05-24, 12:16
Nice day to everybody!
Let me thank you once again for helping me out with my own computer!("case closed" yesterday) This time it is my friends computer and he seems to have strange problems.

First of all the windows firewall is suddenly off. Spybot found Bifrose.LA and Avira pops with various Trojan warnings. Adaware didn't find anything. Another interresting thing: from time to time an explorer window pops up, having the folder "system32" open.

He can not take care of this himself now, I am helping him out a bit, since I have an access to his computer. He is informed about "his own risk".
The HJT and Kaspersky Scan logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:31, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programme\Olympus\DeviceDetector\DM1Service.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\AsuraDirectMonitor.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\AEWC.EXE
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Programme\Google\Google Talk\googletalk.exe
C:\Programme\LClock\lclock.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\mozilla.org\SeaMonkey\seamonkey.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.direktzu.de/kanzlerin/messages/15283
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.intl.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AEWC Printing Device] C:\WINDOWS\system32\AsuraDirectMonitor.exe
O4 - HKLM\..\Run: [Atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Programme\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [LClock] C:\Programme\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Startup: Thoosje Sidebar.lnk = C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79BFDA57-A68D-4F1F-A6D6-5ADFAAE92BAB}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Programme\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sgSchedulerService - Unknown owner - C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 9195 bytes

==================================

-------------------------------------------------------------------------------
PROTOKOLL FÜR KASPERSKY ONLINE SCANNER
Samstag, 24. Mai 2008 09:56:50
Betriebssystem: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Version von Kaspersky Online Scanner: 5.0.98.1
Letztes Update der Antiviren-Datenbanken: 23/05/2008
Anzahl der Einträge in den Antiviren-Datenbanken: 799359
-------------------------------------------------------------------------------

Scan-Einstellungen:
Folgende Antiviren-Datenbanken zur Untersuchung verwenden: Erweiterte
Archive untersuchen: ja
Mail-Datenbanken untersuchen: ja

Untersuchungsobjekt - Arbeitsplatz:
C:\
D:\
E:\

Untersuchungsergebnisse:
Untersuchte Objekte insgesamt: 130773
Viren gefunden: 9
Infizierte Objekte gefunden: 67
Verdächtige Objekte gefunden: 0
Untersuchungszeit: 01:07:59

Name des infizierten Objekts / Virusname / Letzte Aktion
C:\WINDOWS\system32\config\system.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\software.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\default.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SECURITY Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SAM Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SAM.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SECURITY.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SYSTEM Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SOFTWARE Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\DEFAULT Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SecEvent.Evt Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\AppEvent.Evt Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\config\SysEvent.Evt Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\drivers\sptd.sys Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\CatRoot2\edb.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\CatRoot2\tmp.edb Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\AEWC.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\h323log.txt Das Objekt ist gesperrt übersprungen
C:\WINDOWS\system32\server.exe Infizierte Objekte: Backdoor.Win32.Bifrose.axj übersprungen
C:\WINDOWS\Debug\PASSWD.LOG Das Objekt ist gesperrt übersprungen
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\SchedLgU.Txt Das Objekt ist gesperrt übersprungen
C:\WINDOWS\Sti_Trace.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\wiaservc.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\wiadebug.log Das Objekt ist gesperrt übersprungen
C:\WINDOWS\WindowsUpdate.log Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\NTUSER.DAT Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\ntuser.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temp\NERO14766\Toolbar.exe Infizierte Objekte: not-a-virus:AdTool.Win32.MyWebSearch.bm übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temp\Perflib_Perfdata_e0.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Verlauf\History.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Media Player\CurrentDatabase_360.wmdb Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_MAP_ Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_001_ Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_002_ Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_003_ Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe/data0003/data0004/data0002 Infizierte Objekte: not-a-virus:AdWare.Win32.PurityScan.fk übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe/data0003/data0004 Infizierte Objekte: not-a-virus:AdWare.Win32.PurityScan.fk übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe/data0003/data0005 Infizierte Objekte: Trojan-Downloader.Win32.Agent.ket übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe/data0003/data0009 Infizierte Objekte: Trojan-Downloader.Win32.PurityScan.fy übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe/data0003 Infizierte Objekte: Trojan-Downloader.Win32.PurityScan.fy übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2\setup.exe Inno: infiziert - 5 übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Tune Up Utilities 2007\TU2007Setup.EXE/wr-1-904.exe Infizierte Objekte: Trojan-Downloader.Win32.Delf.cpy übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Tune Up Utilities 2007\TU2007Setup.EXE CAB: infiziert - 1 übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Nero 8 Ultra Edition 8.1.1.3\Nero-8.1.1.3.exe/Toolbar.exe Infizierte Objekte: not-a-virus:AdTool.Win32.MyWebSearch.bm übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Nero 8 Ultra Edition 8.1.1.3\Nero-8.1.1.3.exe 7-Zip: infiziert - 1 übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe/Toolbar.exe Infizierte Objekte: not-a-virus:AdTool.Win32.MyWebSearch.bm übersprungen
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe 7-Zip: infiziert - 1 übersprungen
C:\Dokumente und Einstellungen\nihil\Cookies\index.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\registry.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\parent.lock Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\history.dat Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\cert8.db Das Objekt ist gesperrt übersprungen
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\key3.db Das Objekt ist gesperrt übersprungen
C:\Programme\Sidebar 2.2\Thoosje Sidebar.log Das Objekt ist gesperrt übersprungen
C:\Programme\Nero\Nero8\Nero BackItUp\BIU1.txt Das Objekt ist gesperrt übersprungen
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP351\A0062579.exe Infizierte Objekte: not-a-virus:PSWTool.Win32.Messen.106 übersprungen
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP352\A0062700.exe Infizierte Objekte: Backdoor.Win32.Bifrose.axj übersprungen
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP353\A0062916.exe Infizierte Objekte: not-a-virus:NetTool.Win32.Calc-DNet.t übersprungen
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP354\change.log Das Objekt ist gesperrt übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkin ... /[From "Gregg Perry" <ttxxuvtuasj@born2program.com>][Date Fri, 26 Oct 2007 18:16:25 +0300]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "Veronique Long" <fayanpivig@t-com.ne.jp>][Date Mon, 22 Oct 2007 10:14:28 -050 ... /text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "Veronique Long" <fayanpivig@t-com.ne.jp>][Date Mon, 22 Oct 2007 10:14:28 -0500]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:49 +020 ... /html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:49 +0200]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:44 +020 ... /html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:44 +0200]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxxfme@mail.cookvascular.com.cust.securehostedemail.com>][Date Sat, 29 Sep 2007 22:42:24 +020 ... /text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxxfme@mail.cookvascular.com.cust.securehostedemail.com>][Date Sat, 29 Sep 2007 22:42:24 +0200]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:04:36 +080 ... /html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:04:36 +0800]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:01:01 +080 ... /html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:01:01 +0800]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" < ... /[From 6forum@gmx.net][Date Tue, 21 Aug 2007 12:18:05 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" < ... /[From 6forum@gmx.net][Date Sat, 11 Aug 2007 09:03:19 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" <drpeppewko@versanet.de>][Date Wed, 04 Apr 2007 08:57:50 +060 ... /text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" <drpeppewko@versanet.de>][Date Wed, 04 Apr 2007 08:57:50 +0600]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Mon, 02 Apr 2007 17:23:56 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Wed, 28 Mar 2007 01:58:08 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Sat, 24 Mar 2007 09:47:28 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 16 Mar 2007 18:06:07 GMT]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Subsystem <MAILER-DAEMON ... /[From 6forum@gmx.net][Date Thu, 22 Mar 2007 07:55:30 -0700]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date Tue, 20 Mar 2007 20:49:18 -0700]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date Tue, 20 Mar 2007 15:31:00 -0700]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\6forum\Inbox MailBerkeleymboxx: infiziert - 28 übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 06 Jul 2007 16:26:34 GMT]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GMT]/UNNAMED/text/[From "Gregg Perry" <ttxxuvtuasj@born2program.com>][Date Fri, 26 Oct 2007 18:16:25 +0300]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 06 Jul 2007 16:26:34 GMT]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GMT]/UNNAMED/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 06 Jul 2007 16:26:34 GMT]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GMT]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 06 Jul 2007 16:26:34 GMT]/UNNAMED/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 06 Jul 2007 16:26:34 GMT]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Trash MailBerkeleymboxx: infiziert - 7 übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Best Price <mailings@gmx.net>][Date Thu, 08 Nov 2007 12:53:48 GMT]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GM ... /text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GMT]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNAMED/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED Infizierte Objekte: Exploit.Win32.PDF-URI.k übersprungen
D:\emails\local\Junk MailBerkeleymboxx: infiziert - 12 übersprungen

Die Untersuchung wurde abgeschlossen.
Shaba
2008-05-24, 15:38
Hi Lupelu

Unfortunately I have some very bad news for you.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Lupelu
2008-05-24, 15:59
Dear Shaba, thats something I would call Friday the 13th .... OK, I have at least disconnected the computer from the internet. Am going to let my friend know about his options, will get back to you as soon as possible!
Shaba
2008-05-24, 16:01
Hi

That's OK, I'll be waiting :)
Lupelu
2008-05-24, 16:33
So, back again. When I have told him he might want to consider formating and re-installing windows, he just cried out... Shaba, is it possible to try to fix the computer? It's his personal machine, so no confidential data. I will then go on and change some passwords with him using my computer.
Shaba
2008-05-24, 17:19
Hi

Yes we can but I wouldn't personally trust that computer without formatting.

Here (http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.Bifrose.aat&threatid=70540) is eg. what sunbelt says about one bifrose variant.

But if your friend really wants to clean, we can do it :)
Lupelu
2008-05-24, 17:45
Hi Shaba and greetings from rainy Spain. Thank you for the link about Bifrose (I already was running out of arguments), even so it didn't help. If you can, please go on and lets try.
Shaba
2008-05-24, 17:57
Hi

OK, then we'll start with this:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Lupelu
2008-05-24, 18:19
Thank you for the post :-)
Just a question: do I then (after SDFix prompts me to reboot) also restart into a safe mode?
Lupelu
2008-05-24, 18:31
SDFix: Version 1.185
Run by nihil on 24/05/2008 at 17:16

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\klog.dat - Deleted
C:\WINDOWS\system32\server.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 17:25:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 24 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Thu 24 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Thu 24 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Thu 24 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Thu 24 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Fri 28 Mar 2008 0 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\Cache\Indiv01.tmp"
Mon 19 May 2008 77,312 A.SH. --- "C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\KeyGen.exe"
Thu 15 Nov 2007 329,216 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL3962.tmp"
Tue 6 Nov 2007 288,256 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL0367.tmp"
Thu 15 Nov 2007 304,640 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL1445.tmp"
Thu 15 Nov 2007 307,200 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL3699.tmp"
Thu 15 Nov 2007 317,952 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL1822.tmp"
Thu 15 Nov 2007 317,952 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL2104.tmp"
Thu 15 Nov 2007 320,512 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL2771.tmp"
Sat 17 Nov 2007 343,552 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\~WRL1443.tmp"
Tue 15 May 2007 46,080 ...H. --- "C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Microsoft\Word\~WRL2859.tmp"
Thu 9 Aug 2007 72,192 ...H. --- "C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Microsoft\Word\~WRL1764.tmp"
Sat 10 Nov 2007 81,408 ...H. --- "C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Microsoft\Word\~WRL1766.tmp"
Sat 12 May 2007 19,968 ...H. --- "C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Microsoft\Word\~WRL3823.tmp"
Mon 24 Sep 2007 19,968 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\projects-ideas\lawcity\~WRL2502.tmp"
Mon 24 Sep 2007 31,232 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\projects-ideas\lawcity\~WRL3252.tmp"
Sat 28 Jul 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL3416.tmp"
Fri 27 Jul 2007 119,296 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL3315.tmp"
Sat 28 Jul 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL2695.tmp"
Sat 28 Jul 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL1868.tmp"
Sat 28 Jul 2007 141,824 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0553.tmp"
Sat 28 Jul 2007 161,280 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0690.tmp"
Sat 28 Jul 2007 175,616 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL3293.tmp"
Sat 28 Jul 2007 182,784 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0750.tmp"
Sun 29 Jul 2007 190,976 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL1197.tmp"
Mon 30 Jul 2007 203,264 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0140.tmp"
Fri 3 Aug 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0232.tmp"
Thu 2 Aug 2007 227,328 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL3532.tmp"
Fri 3 Aug 2007 234,496 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL1323.tmp"
Fri 3 Aug 2007 242,176 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0090.tmp"
Fri 3 Aug 2007 248,320 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL2103.tmp"
Fri 3 Aug 2007 249,344 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL2935.tmp"
Fri 3 Aug 2007 249,344 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL1690.tmp"
Fri 3 Aug 2007 250,880 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0196.tmp"
Sat 4 Aug 2007 258,048 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL3035.tmp"
Sat 4 Aug 2007 278,016 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0327.tmp"
Fri 31 Aug 2007 369,664 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL1761.tmp"
Sat 22 Sep 2007 370,176 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL0782.tmp"
Sun 23 Sep 2007 370,176 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\schwanzlutscher\~WRL2230.tmp"
Wed 7 Nov 2007 44,032 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL2600.tmp"
Thu 8 Nov 2007 69,120 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0397.tmp"
Sat 10 Nov 2007 74,240 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL3393.tmp"
Sat 10 Nov 2007 73,728 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL4022.tmp"
Sat 10 Nov 2007 75,776 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL4026.tmp"
Sat 10 Nov 2007 77,312 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL3829.tmp"
Thu 8 Nov 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL1255.tmp"
Sun 11 Nov 2007 84,480 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL1290.tmp"
Sun 11 Nov 2007 94,720 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL3614.tmp"
Sun 11 Nov 2007 95,232 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL3196.tmp"
Sun 11 Nov 2007 20,992 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0566.tmp"
Mon 12 Nov 2007 21,504 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL1862.tmp"
Sun 11 Nov 2007 95,744 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0488.tmp"
Mon 12 Nov 2007 108,032 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL1036.tmp"
Mon 12 Nov 2007 119,808 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL4052.tmp"
Mon 12 Nov 2007 123,392 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0762.tmp"
Mon 12 Nov 2007 124,928 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL2086.tmp"
Mon 12 Nov 2007 127,488 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL2662.tmp"
Mon 12 Nov 2007 130,048 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL2098.tmp"
Mon 12 Nov 2007 130,560 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0516.tmp"
Mon 12 Nov 2007 21,504 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL3599.tmp"
Tue 13 Nov 2007 143,360 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0373.tmp"
Tue 13 Nov 2007 151,552 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0663.tmp"
Wed 14 Nov 2007 162,816 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\VierMinuten\~WRL0695.tmp"
Sun 13 Jan 2008 214,016 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\Politisches\~WRL2494.tmp"
Mon 14 Jan 2008 53,760 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\Politisches\~WRL1810.tmp"
Sun 12 Aug 2007 27,136 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\nanona.net\~WRL3177.tmp"
Sun 12 Aug 2007 19,968 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\nanona.net\~WRL0078.tmp"
Mon 6 Aug 2007 20,480 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL1318.tmp"
Thu 9 Aug 2007 31,744 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL2182.tmp"
Thu 9 Aug 2007 20,480 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL4088.tmp"
Thu 9 Aug 2007 30,208 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL1115.tmp"
Thu 9 Aug 2007 75,264 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL3105.tmp"
Thu 9 Aug 2007 75,264 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\ourdomains\zerozeromax\~WRL3368.tmp"
Wed 6 Jun 2007 40,448 A..H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\streidarein-schas\EVA-Phone\~WRL1373.tmp"
Thu 3 Nov 2005 24,064 A..H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\streidarein-schas\Radunski\~WRL1978.tmp"
Sat 10 Nov 2007 752,128 ...H. --- "C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\meine-Texte\!Finished1s\Ultimo-ESCAT\~WRL2213.tmp"

Finished!

=======================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:27:06, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Olympus\DeviceDetector\DM1Service.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\AsuraDirectMonitor.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\AEWC.EXE
C:\Programme\LClock\lclock.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.direktzu.de/kanzlerin/messages/15283
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.intl.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AEWC Printing Device] C:\WINDOWS\system32\AsuraDirectMonitor.exe
O4 - HKLM\..\Run: [Atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Programme\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [LClock] C:\Programme\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Startup: Thoosje Sidebar.lnk = C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79BFDA57-A68D-4F1F-A6D6-5ADFAAE92BAB}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Programme\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sgSchedulerService - Unknown owner - C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 9053 bytes
Shaba
2008-05-24, 18:36
Hi

Booting to normal mode was correct :)

Delete these:

C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\iconmaker2
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Tune Up Utilities 2007Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\Nero 8 Ultra Edition 8.1.1.3

Empty Recycle Bin.

Delete all those bad mails in kaspersky report.

Re-scan with kaspersky.


Post:

- a fresh HijackThis log
- kaspersky report
Lupelu
2008-05-24, 19:47
I figured if you would want me to reboot into the safe one, you would tell me so :)

Anyway, I have done the deleting, just with the mails I had a bit problems. I didn't find the exact path of the mails on D:, nor the actual mails in Thunderbird. So I have deleted everything from the Inbox, Junk etc. folders (according to Kaspersky) in Thunderbird itself, emptied the Trash folders afterwards... was that enough?
Well, I guess I will see in about an hour -> am having Kaspersky doing the online scan.
Shaba
2008-05-24, 19:48
Hi

Yes that should be enough.

Let's see later what are kaspersky results :)
Lupelu
2008-05-24, 21:19
Hi again. The logs are ready...am a bit confused since it doesn't look like the bad mails would be gone.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 24, 2008 8:10:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.1
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799624
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 130188
Number of viruses found: 9
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 01:22:53

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\AEWC.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\nihil\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temp\Perflib_Perfdata_228.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008052420080525\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe 7-Zip: infected - 1 skipped
C:\Dokumente und Einstellungen\nihil\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\UserData\index.dat Object is locked skipped
C:\Programme\Sidebar 2.2\Thoosje Sidebar.log Object is locked skipped
C:\Programme\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP351\A0062579.exe Infected: not-a-virus:PSWTool.Win32.Messen.106 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP352\A0062700.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP353\A0062916.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.t skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0063982.EXE Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\change.log Object is locked skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0063994.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064037.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064037.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064038.EXE/wr-1-904.exe Infected: Trojan-Downloader.Win32.Delf.cpy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064038.EXE CAB: infected - 1 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0005 Infected: Trojan-Downloader.Win32.Agent.ket skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0009 Infected: Trojan-Downloader.Win32.PurityScan.fy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003 Infected: Trojan-Downloader.Win32.PurityScan.fy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe Inno: infected - 5 skipped
C:\SDFix\backups\backups.zip/backups/server.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
D:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\change.log Object is locked skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkin ... /[From "Gregg Perry" <ttxxuvtuasj@born2program.com>][Date Fri, 26 Oct 2007 18:16:25 +0300]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "Veronique Long" <fayanpivig@t-com.ne.jp>][Date Mon, 22 Oct 2007 10:14:28 -050 ... /text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "Veronique Long" <fayanpivig@t-com.ne.jp>][Date Mon, 22 Oct 2007 10:14:28 -0500]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:49 +020 ... /html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:49 +0200]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:44 +020 ... /html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxx ... /[From "George Duncan" <laufeyomqp@bluecube.com>][Date Sun, 14 Oct 2007 18:04:44 +0200]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxxfme@mail.cookvascular.com.cust.securehostedemail.com>][Date Sat, 29 Sep 2007 22:42:24 +020 ... /text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.sec ... /[From "Janson perkins" <perkinsxxfme@mail.cookvascular.com.cust.securehostedemail.com>][Date Sat, 29 Sep 2007 22:42:24 +0200]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:04:36 +080 ... /html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:04:36 +0800]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:01:01 +080 ... /html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... ... /[From "Lawhon Danny" <liblitwqj@el-ipsen.dk>][Date Wed, 12 Sep 2007 16:01:01 +0800]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" < ... /[From 6forum@gmx.net][Date Tue, 21 Aug 2007 12:18:05 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" < ... /[From 6forum@gmx.net][Date Sat, 11 Aug 2007 09:03:19 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" <drpeppewko@versanet.de>][Date Wed, 04 Apr 2007 08:57:50 +060 ... /text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail D ... /[From "Margarite Arnold" <drpeppewko@versanet.de>][Date Wed, 04 Apr 2007 08:57:50 +0600]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Mon, 02 Apr 2007 17:23:56 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Wed, 28 Mar 2007 01:58:08 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magaz ... /[From 6forum@gmx.net][Date Sat, 24 Mar 2007 09:47:28 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Sub ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 16 Mar 2007 18:06:07 GMT]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Subsystem <MAILER-DAEMON ... /[From 6forum@gmx.net][Date Thu, 22 Mar 2007 07:55:30 -0700]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date T ... /[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date Tue, 20 Mar 2007 20:49:18 -0700]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@virt22v.secure-wi.com>][Date Tue, 20 Mar 2007 15:31:00 -0700]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED/[From 6forum@gmx.net][Date Fri, 16 Mar 2007 01:59:33 -0800]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text/[From Mail Delivery Subsystem <MAILER-DAEMON@6forum.at>][Date Thu, 15 Mar 2007 01:12:15 -0700]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text/[From 6forum@gmx.net][Date Wed, 14 Mar 2007 07:45:37 -0800]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox/[From 6forum@gmx.net][Date Sun, 11 Mar 2007 11:19:52 -0800]/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\6forum\Inbox MailBerkeleymboxx: infected - 28 skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Best Price <mailings@gmx.net>][Date Thu, 08 Nov 2007 12:53:48 GMT]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GM ... /text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNA ... /[From GMX Magazin <mailings@gmx-gmbh.de>][Date Fri, 26 Oct 2007 17:23:49 GMT]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNAMED/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html/[From "Allen" <jguerrauo@mailman.sil.at>][Date Tue, 22 May 2007 23:13:00 -0600]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED/html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html/[From "huseyin hopps" <hoppstzqz@wahwahwillie.com>][Date Sun, 22 Jul 2007 02:04:13 +0100]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED/html Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text/[From "Karst nobile" <nobileoxsj@informatoreonline.it>][Date Sat, 21 Jul 2007 18:04:22 +0400]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED/text Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk/[From Vinit Schiffler <Schifflerbuba@3story.org>][Date Sun, 1 Apr 2007 19:40:16 +0200]/UNNAMED Infected: Exploit.Win32.PDF-URI.k skipped
D:\emails\local\Junk MailBerkeleymboxx: infected - 12 skipped

Scan process completed.

====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:36, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Olympus\DeviceDetector\DM1Service.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\AsuraDirectMonitor.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\AEWC.EXE
C:\Programme\LClock\lclock.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.direktzu.de/kanzlerin/messages/15283
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.intl.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AEWC Printing Device] C:\WINDOWS\system32\AsuraDirectMonitor.exe
O4 - HKLM\..\Run: [Atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Programme\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [LClock] C:\Programme\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Startup: Thoosje Sidebar.lnk = C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79BFDA57-A68D-4F1F-A6D6-5ADFAAE92BAB}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Programme\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sgSchedulerService - Unknown owner - C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 8987 bytes
Shaba
2008-05-24, 21:46
Hi

No, they are not gone but they are not the most important things here.

You can ask next your friend if you can delete this entire folder:

D:\emails\
Lupelu
2008-05-25, 00:36
Dear Shaba, I was not able to get in touch with my friend to ask about deleting the whole d:/email folder but I did now at least delete all contents from the d:/email/6forum/ and d:/email/local/ ...those folders I was able to locate and theoretically, if I got it right, those are also the folders(according to Kaspersky) the infected mails are in. Now I am running the Kaspersky Scan again and will post it then with a new HJT log.
Lupelu
2008-05-25, 01:42
Alright, so here I am again... I seem to have been able to get rid of the mails. So here are the logs and I will wait for further instruction from the "trained Finnish eye" :)


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 25, 2008 12:36:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.1
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799624
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 130255
Number of viruses found: 8
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 00:57:40

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\AEWC.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\nihil\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temp\Perflib_Perfdata_228.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008052420080525\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_001_ Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_002_ Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Lokale Einstellungen\Anwendungsdaten\Mozilla\Profiles\default\Cache\_CACHE_003_ Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Dokumente und Einstellungen\nihil\Desktop\Desktop-Stuff\Progs-Dwnloads\nero-upgrade\Nero-8.3.2.1_deu_update.exe 7-Zip: infected - 1 skipped
C:\Dokumente und Einstellungen\nihil\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\registry.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\parent.lock Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\history.dat Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\cert8.db Object is locked skipped
C:\Dokumente und Einstellungen\nihil\Anwendungsdaten\Mozilla\Profiles\default\a2gv0005.slt\key3.db Object is locked skipped
C:\Dokumente und Einstellungen\nihil\UserData\index.dat Object is locked skipped
C:\Programme\Sidebar 2.2\Thoosje Sidebar.log Object is locked skipped
C:\Programme\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP351\A0062579.exe Infected: not-a-virus:PSWTool.Win32.Messen.106 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP352\A0062700.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP353\A0062916.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.t skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0063982.EXE Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\change.log Object is locked skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0063994.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064037.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064037.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064038.EXE/wr-1-904.exe Infected: Trojan-Downloader.Win32.Delf.cpy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064038.EXE CAB: infected - 1 skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0005 Infected: Trojan-Downloader.Win32.Agent.ket skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003/data0009 Infected: Trojan-Downloader.Win32.PurityScan.fy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe/data0003 Infected: Trojan-Downloader.Win32.PurityScan.fy skipped
C:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\A0064039.exe Inno: infected - 5 skipped
C:\SDFix\backups\backups.zip/backups/server.exe Infected: Backdoor.Win32.Bifrose.axj skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
D:\System Volume Information\_restore{70B02F18-A07E-4F3B-90CC-03A0F9E256B8}\RP355\change.log Object is locked skipped

Scan process completed.

==============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:36:41, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Olympus\DeviceDetector\DM1Service.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\AsuraDirectMonitor.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\AEWC.EXE
C:\Programme\LClock\lclock.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\mozilla.org\SeaMonkey\seamonkey.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.direktzu.de/kanzlerin/messages/15283
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.intl.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AEWC Printing Device] C:\WINDOWS\system32\AsuraDirectMonitor.exe
O4 - HKLM\..\Run: [Atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Programme\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [LClock] C:\Programme\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Startup: Thoosje Sidebar.lnk = C:\Programme\Sidebar 2.2\Thoosje Sidebar.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79BFDA57-A68D-4F1F-A6D6-5ADFAAE92BAB}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Programme\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sgSchedulerService - Unknown owner - C:\Programme\SystemGuards.com\SystemGuards\sgScheduleService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 9116 bytes
Shaba
2008-05-25, 12:21
Hi

Delete this folder:

C:\SDFix

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
Lupelu
2008-05-25, 12:44
Hi Shaba,

hm, no obvious problems, also the windows firewall is on again. Just the sudden pop-up of the explorer window with the system32 folder open. It happened to me yesterday again, when I have been doing the Kaspersky scan. But since then nothing I would notice ...

Am going to delete that SDFix folder now.
Shaba
2008-05-25, 12:45
Hi

"Just the sudden pop-up of the explorer window with the system32 folder open."

Has this re-occured?
Lupelu
2008-05-25, 12:59
It's been one of the strange things I have been told about (hopefully also mentioned so) before I have posted here. When asked, my friend told me it would happen every now and then. There was no pattern thou. I am having an access to this computer just about 2-3 days now and yesterday it's been the first time. And since yesterday evening it didn't pop again.
Shaba
2008-05-25, 13:01
Hi

OK. Any other issues left?
Lupelu
2008-05-25, 13:02
Nope sir :)
Shaba
2008-05-25, 13:04
Hi

Then I think that your friend is clean :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can fix this, it's a leftover:

R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it saysThe Java SE Runtime Environment (JRE) allows end-users to run Java applications..
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
Lupelu
2008-05-25, 13:14
Shaba, in case there is any, I hope you guys will all end up in heaven... thank you very much for your help.

Will follow up on the rest.
Aaah, one question thou. What exactly do I do with the:
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) ?

:)
Shaba
2008-05-25, 13:32
Hi

Open HijackThis, click do a system scan only and checkmark this:

R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all windows including browser and press fix checked.
Lupelu
2008-05-25, 13:59
Thank you Shaba :) Am wishing you great end of the week!
Shaba
2008-05-28, 17:19
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.