
got a problem with, at least, Smitfraud-C



multicanarias
2008-06-01, 04:43
Hi, hello... I've got a problem with, at least, Smitfraud-C that I can not resolve...
Please help me with that...

...also when I send an e-mail with an attachment, the receiver and I get a problem. (When I double-click the file to be attached, it leads me directly to another website, opening a new tab.)
(When the receiver tries to open it, the same happens, plus he can not log in again to his e-mail provider's site.)

I can not open my admin user account on Windows XP...
I tried SmitfraudFix in safe mode as well as Spybot....
AVG Free finds some viruses, but....

a) HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:23:52, on 01.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows NT\Zubehör\wordpad.exe
C:\Programme\Orbitdownloader\orbitdm.exe
C:\Programme\Orbitdownloader\orbitnet.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {1C218BC1-B339-40DF-8346-792D2DBAFFB5} - C:\WINDOWS\system32\byXNeDWN.dll (file missing)
O2 - BHO: (no name) - {1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE} - C:\WINDOWS\system32\jkkKcDWq.dll (file missing)
O2 - BHO: (no name) - {281D456D-8F03-4602-81A0-995A6CDAE209} - C:\WINDOWS\System32\xxyxWPhG.dll (file missing)
O2 - BHO: (no name) - {422C522E-FFF1-4614-8F99-A97C6CF39567} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A06BB9E-1F80-44C7-ABC9-46CDD051915C} - C:\WINDOWS\system32\xxyyaXpP.dll (file missing)
O2 - BHO: {ffece1cb-7e1e-299a-91f4-73cd952221c5} - {5c122259-dc37-4f19-a992-e1e7bc1eceff} - C:\WINDOWS\system32\laqeracl.dll (file missing)
O2 - BHO: (no name) - {642B7F53-35C0-4541-BD14-120566C31275} - C:\WINDOWS\System32\awttsSJD.dll (file missing)
O2 - BHO: (no name) - {CB968FCD-C8FB-480B-9DD0-17249FA2597D} - C:\WINDOWS\system32\mlJDwXqQ.dll (file missing)
O2 - BHO: (no name) - {D1F603AC-BF0D-44D2-A41C-2F43ACE4B924} - (no file)
O2 - BHO: (no name) - {E80F4529-6AB7-469E-BB27-4335F045A53F} - C:\WINDOWS\System32\fccccYss.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [5033a726] rundll32.exe "C:\WINDOWS\system32\imwkneld.dll",b
O4 - HKLM\..\Run: [BM530094ba] Rundll32.exe "C:\WINDOWS\system32\antueatc.dll",s
O4 - HKLM\..\Run: [autoload] C:\Dokumente und Einstellungen\Internet\cftmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\Dokumente und Einstellungen\Internet\cftmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62DB494-23E4-414A-AF27-DBDCF4D4697D}: NameServer = 212.73.32.3 212.73.32.67
O20 - Winlogon Notify: byXNeDWN - byXNeDWN.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Taskplaner (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 6402 bytes


b) Kaspersky log report


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 1:51:47 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 819344
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 87887
Number of viruses found: 13
Number of infected objects: 87
Number of suspicious objects: 54
Duration of the scan process: 01:24:19

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp12.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp12.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp15.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp15.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp18.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp18.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp20.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp20.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp23.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp23.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp25.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp25.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp27.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp27.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp29.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp29.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp34.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp34.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp37.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp37.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp39.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp39.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp43.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp43.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp48.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp48.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp5.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp5.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp50.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp50.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp53.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp53.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp55.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp55.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp58.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp58.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp60.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp60.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp66.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp66.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp69.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp69.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp72.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp72.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp74.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp74.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp79.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp79.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp81.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp81.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp9.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp9.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\henning\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\file.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\Dokumente und Einstellungen\Internet\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\merzqo9f.default\Cache\63329BDCd01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\merzqo9f.default\Cache\63329BDCd01 RAR: infected - 1 skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\3CEB.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\4B43.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\5B9E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\JETBF0A.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\cssupdate[2].exe Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\manda[4].htm Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\manda[5].htm Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\terrazag11[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Internet\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab CAB: infected - 3 skipped
C:\setup.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\setup.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\setup.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\setup.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\setup.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\setup.exe Inno: infected - 12 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0104428.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0105358.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ag.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\al.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ay.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bo.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\cc.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\ed.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ee.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\em.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\en.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ev.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ew.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ex.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ftp34.dll Object is locked skipped
C:\WINDOWS\system32\ga.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\gestlyvo.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\gq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hd.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hn.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ii.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\kv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ld.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\lg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\lh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mdlaiuwg.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\mu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ni.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nk.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\pp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\py.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\qf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rr.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tm.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ua.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\va.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\vv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ya.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\yw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Blade81
2008-06-01, 15:08
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

multicanarias
2008-06-01, 18:52
Hi, hello.... Blade81

Thank you very much for your prompt answer. I really appreciate your effort.

You noticed "I don't help with logs thru PM. If you have problems create a thread in the forum, please."
Sorry I am new here and not so deep into... ok.. just a stupid User me ;-)
I don't understand "thru PM".

Please be patient with me...



Also, when opening my Windows account I get 2 screens with RUNDLL ERROR.
C:\WINDOWS\system32\imwkneld.dll
and
C:\WINDOWS\system32\antueatc.dll


Here are both logs you required:


a)

ComboFix 08-05-29.1 - Internet 2008-06-01 16:58:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.252 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Datenschutzrichtlinien.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Deinstallieren.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Geschäftsbedingungen.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\WebMediaPlayer.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Website.url
C:\Programme\webmediaplayer
C:\Programme\webmediaplayer\resources\languages_v2.xml
C:\Programme\webmediaplayer\resources\webmedias
C:\Programme\webmediaplayer\skins\classic.skn
C:\Programme\webmediaplayer\sqlite3.dll
C:\Programme\webmediaplayer\uninst.exe
C:\Programme\webmediaplayer\WebMediaPlayer.exe
C:\setup.exe
C:\WINDOWS\BM530094ba.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\shwol.dll
C:\WINDOWS\system32\bdfyvwmc.ini
C:\WINDOWS\system32\bvaudwym.ini
C:\WINDOWS\system32\DJSsttwa.ini
C:\WINDOWS\system32\DJSsttwa.ini2
C:\WINDOWS\system32\dlenkwmi.ini
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\fgogshfw.ini
C:\WINDOWS\system32\gestlyvo.dll
C:\WINDOWS\system32\GhPWxyxx.ini
C:\WINDOWS\system32\GhPWxyxx.ini2
C:\WINDOWS\system32\gwuialdm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdlaiuwg.dll
C:\WINDOWS\system32\MoppsBeg.ini
C:\WINDOWS\system32\MoppsBeg.ini2
C:\WINDOWS\system32\ovyltseg.ini
C:\WINDOWS\system32\PpXayyxx.ini
C:\WINDOWS\system32\PpXayyxx.ini2
C:\WINDOWS\system32\QqXwDJlm.ini
C:\WINDOWS\system32\QqXwDJlm.ini2
C:\WINDOWS\system32\qvwliegx.ini
C:\WINDOWS\system32\qWDcKkkj.ini
C:\WINDOWS\system32\qWDcKkkj.ini2
C:\WINDOWS\system32\rfqdfbkk.ini
C:\WINDOWS\system32\ssYccccf.ini
C:\WINDOWS\system32\ssYccccf.ini2
C:\WINDOWS\system32\wschsncm.ini
C:\WINDOWS\system32\ybKUBJlm.ini
C:\WINDOWS\system32\ybKUBJlm.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Service_Schedule


((((((((((((((((((((((( Dateien erstellt von 2008-05-01 bis 2008-06-01 ))))))))))))))))))))))))))))))
.

2008-06-01 03:01 . 2008-05-08 02:06 25,088 --a------ C:\Dokumente und Einstellungen\Internet\cftmon.exe
2008-06-01 03:01 . 2008-05-08 02:06 25,088 --a------ C:\Dokumente und Einstellungen\henning\cftmon.exe
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:15 . 2008-06-01 03:13 5,120 --a------ C:\Dokumente und Einstellungen\henning\ftp34.dll
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:49 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:49 5,120 --a------ C:\Dokumente und Einstellungen\Internet\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\MessengerPlus! 3
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\Adverts
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 17:07 . 2008-05-08 17:07 0 --a------ C:\WINDOWS\system32\gu.exe
2008-05-08 16:40 . 2008-05-08 16:40 55,296 --a------ C:\WINDOWS\system32\va.exe
2008-05-08 16:35 . 2008-05-08 16:35 55,296 --a------ C:\WINDOWS\system32\sf.exe
2008-05-08 16:01 . 2008-05-08 16:01 55,296 --a------ C:\WINDOWS\system32\uu.exe
2008-05-08 15:50 . 2008-05-08 15:50 55,296 --a------ C:\WINDOWS\system32\ii.exe
2008-05-08 15:30 . 2008-05-08 15:31 55,296 --a------ C:\WINDOWS\system32\ew.exe
2008-05-08 15:18 . 2008-05-08 15:18 55,296 --a------ C:\WINDOWS\system32\zv.exe
2008-05-08 05:00 . 2008-05-08 05:00 55,296 --a------ C:\WINDOWS\system32\vv.exe
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-06 21:25 . 2008-05-06 21:25 55,296 --a------ C:\WINDOWS\system32\al.exe
2008-05-06 21:17 . 2008-05-10 01:08 25,088 --a------ C:\Dokumente und Einstellungen\Internet\file.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-05 02:11 . 2008-05-05 02:11 0 --a------ C:\WINDOWS\system32\pg.exe
2008-05-05 01:32 . 2008-05-05 01:32 55,296 --a------ C:\WINDOWS\system32\hn.exe
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02
2008-05-04 14:49 . 2008-05-04 14:50 55,296 --a------ C:\WINDOWS\system32\ed.exe
2008-05-04 14:16 . 2008-05-04 14:16 55,296 --a------ C:\WINDOWS\system32\cc.exe
2008-05-04 14:10 . 2008-05-04 14:10 55,296 --a------ C:\WINDOWS\system32\ee.exe
2008-05-03 17:30 . 2008-05-03 17:30 55,296 --a------ C:\WINDOWS\system32\gq.exe
2008-05-03 15:49 . 2008-05-03 15:49 55,296 --a------ C:\WINDOWS\system32\nb.exe
2008-05-03 13:17 . 2008-05-03 14:56 0 --a------ C:\WINDOWS\system32\li.exe
2008-05-03 00:53 . 2008-05-08 17:00 55,296 --a------ C:\WINDOWS\system32\rq.exe
2008-05-01 23:27 . 2008-05-01 23:27 55,296 --a------ C:\WINDOWS\system32\lh.exe
2008-05-01 22:55 . 2008-05-01 22:55 55,296 --a------ C:\WINDOWS\system32\jf.exe
2008-05-01 22:34 . 2008-05-01 22:34 55,296 --a------ C:\WINDOWS\system32\sl.exe
2008-05-01 21:37 . 2008-05-01 21:37 55,296 --a------ C:\WINDOWS\system32\lg.exe
2008-05-01 21:06 . 2008-05-01 21:06 55,296 --a------ C:\WINDOWS\system32\bo.exe
2008-05-01 17:28 . 2008-05-01 17:28 0 --a------ C:\WINDOWS\system32\rg.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE}]
C:\WINDOWS\system32\jkkKcDWq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{281D456D-8F03-4602-81A0-995A6CDAE209}]
C:\WINDOWS\System32\xxyxWPhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A06BB9E-1F80-44C7-ABC9-46CDD051915C}]
C:\WINDOWS\system32\xxyyaXpP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c122259-dc37-4f19-a992-e1e7bc1eceff}]
C:\WINDOWS\system32\laqeracl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{642B7F53-35C0-4541-BD14-120566C31275}]
C:\WINDOWS\System32\awttsSJD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB968FCD-C8FB-480B-9DD0-17249FA2597D}]
C:\WINDOWS\system32\mlJDwXqQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E80F4529-6AB7-469E-BB27-4335F045A53F}]
C:\WINDOWS\System32\fccccYss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-03-01 07:01 180736]
"VodafoneUSBPP.exe"="C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe" [2007-08-08 21:29 974848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5033a726"="C:\WINDOWS\system32\imwkneld.dll" [ ]
"BM530094ba"="C:\WINDOWS\system32\antueatc.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" [ ]
"Microsoft Windows Driver"="C:\WINDOWS\rundll32.exe" [ ]
"Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeDWN]
byXNeDWN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18433e52-f6b4-11dc-a7fe-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 17:04:12
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-01 17:08:00 - machine was rebooted [henning]
ComboFix-quarantined-files.txt 2008-06-01 16:07:55

14 Verzeichnis(se), 1,672,294,400 Bytes frei
18 Verzeichnis(se), 1,782,493,184 Bytes frei

228 --- E O F --- 2008-05-28 19:22:30




b)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21, on 2008-06-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE} - C:\WINDOWS\system32\jkkKcDWq.dll (file missing)
O2 - BHO: (no name) - {281D456D-8F03-4602-81A0-995A6CDAE209} - C:\WINDOWS\System32\xxyxWPhG.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A06BB9E-1F80-44C7-ABC9-46CDD051915C} - C:\WINDOWS\system32\xxyyaXpP.dll (file missing)
O2 - BHO: {ffece1cb-7e1e-299a-91f4-73cd952221c5} - {5c122259-dc37-4f19-a992-e1e7bc1eceff} - C:\WINDOWS\system32\laqeracl.dll (file missing)
O2 - BHO: (no name) - {642B7F53-35C0-4541-BD14-120566C31275} - C:\WINDOWS\System32\awttsSJD.dll (file missing)
O2 - BHO: (no name) - {CB968FCD-C8FB-480B-9DD0-17249FA2597D} - C:\WINDOWS\system32\mlJDwXqQ.dll (file missing)
O2 - BHO: (no name) - {E80F4529-6AB7-469E-BB27-4335F045A53F} - C:\WINDOWS\System32\fccccYss.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKLM\..\Run: [5033a726] rundll32.exe "C:\WINDOWS\system32\imwkneld.dll",b
O4 - HKLM\..\Run: [BM530094ba] Rundll32.exe "C:\WINDOWS\system32\antueatc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: byXNeDWN - byXNeDWN.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5326 bytes

Blade81
2008-06-01, 19:31
You noticed "I don't help with logs thru PM. If you have problems create a thread in the forum, please."
Sorry I am new here and not so deep into... ok.. just a stupid User me ;-)
I dont understand thru PM.
Hi

PM means private messages :) That is just meant to tell users not to post their logs to my private message account. You've done just right :bigthumb:



2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\MessengerPlus! 3
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\Adverts
Looks like MessengerPlus! 3 might be installed with sponsors. Please uninstall MessengerPlus! 3 for now. You may reinstall it without sponsors when system is clean in case you need it :)



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\zv.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\al.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\rg.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{281D456D-8F03-4602-81A0-995A6CDAE209}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A06BB9E-1F80-44C7-ABC9-46CDD051915C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c122259-dc37-4f19-a992-e1e7bc1eceff}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{642B7F53-35C0-4541-BD14-120566C31275}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB968FCD-C8FB-480B-9DD0-17249FA2597D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E80F4529-6AB7-469E-BB27-4335F045A53F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5033a726"=-
"BM530094ba"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Oftice"=-
"Microsoft Windows Driver"=-
"Windows Networking Monitoring"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeDWN]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting the above mentioned ComboFix resultant log).
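The three logs in this thread share one pattern a helper reads by eye: dozens of two-letter `.exe` files in `system32` with identical byte sizes, two `rundll32.exe` autoruns loading randomly named DLLs with a single-letter entry point, and Kaspersky verdicts on the same files. The script below is an added example, not part of this post and not code from ComboFix, HijackThis or Kaspersky; it parses lines in the three formats shown above and pulls out exactly those indicators so the correlation can be done on a whole log instead of line by line. The allowlist of legitimate two-letter binaries (`at.exe`) and the sample `at.exe` listing line are assumptions for illustration; the other sample lines are taken from the logs posted in this thread.

```python
"""Triage of ComboFix / HijackThis / Kaspersky log lines for the pattern seen in
this thread: many two-letter .exe files of identical size in system32, plus
rundll32 autoruns that load randomly named DLLs.  Added example, not code from
any of the tools named in the thread; thresholds and allowlist are assumptions."""
import re
from collections import Counter

# ComboFix "Dateien erstellt" line: created . modified [<DIR>] [size] attrs path
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:<DIR> )?(?:(?P<size>[\d,]+) )?(?P<attrs>[-A-Za-z]{9}) (?P<path>[A-Za-z]:\\.*)$"
)
# HijackThis O4 autorun line, and a rundll32 command inside its command field
HJT_O4 = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.IGNORECASE)
# Kaspersky online scanner verdict line
KAV_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<verdict>\S+) skipped$")

SYSTEM32 = "c:\\windows\\system32\\"
# Legitimate two-letter binaries in system32 (assumed starting point, extend it
# from a clean baseline).  at.exe is the XP scheduler client.
KNOWN_SHORT_NAMES = {"at.exe"}

# Sample input: lines excerpted from the logs above, plus one constructed
# benign at.exe line to exercise the allowlist.
SAMPLE_LOG = r"""
2008-05-08 16:40 . 2008-05-08 16:40 55,296 --a------ C:\WINDOWS\system32\va.exe
2008-05-08 16:35 . 2008-05-08 16:35 55,296 --a------ C:\WINDOWS\system32\sf.exe
2008-05-08 17:07 . 2008-05-08 17:07 0 --a------ C:\WINDOWS\system32\gu.exe
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2004-08-04 13:00 . 2004-08-04 13:00 27,136 --a------ C:\WINDOWS\system32\at.exe
O4 - HKLM\..\Run: [5033a726] rundll32.exe "C:\WINDOWS\system32\imwkneld.dll",b
O4 - HKLM\..\Run: [BM530094ba] Rundll32.exe "C:\WINDOWS\system32\antueatc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ld.exe Infected: Backdoor.Win32.Small.pk skipped
""".strip().splitlines()


def parse_cf_files(lines):
    """Return (size_or_None, path) for every ComboFix file line; directories skipped."""
    out = []
    for line in lines:
        m = CF_LINE.match(line.strip())
        if m and m.group("attrs")[0] != "d":
            size = int(m.group("size").replace(",", "")) if m.group("size") else None
            out.append((size, m.group("path")))
    return out


def short_name_droppers(files):
    """system32\\??.exe files not on the allowlist, plus a count per byte size.
    One hit alone is weak evidence; many random names sharing one size is the
    dropper tell seen in this thread."""
    hits = []
    for size, path in files:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if low.startswith(SYSTEM32) and re.fullmatch(r"[a-z]{2}\.exe", base) \
                and base not in KNOWN_SHORT_NAMES:
            hits.append((size, path))
    return hits, Counter(size for size, _ in hits)


def rundll32_autoruns(lines):
    """HijackThis O4 entries whose command starts rundll32 on a DLL in system32."""
    found = []
    for line in lines:
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        r = RUNDLL.match(m.group("cmd"))
        if r and r.group("dll").lower().startswith(SYSTEM32):
            found.append((m.group("hive"), m.group("name"), r.group("dll"), r.group("entry")))
    return found


def av_verdicts(lines):
    """(path, verdict) pairs from Kaspersky 'Infected: ... skipped' lines."""
    return [(m.group("path"), m.group("verdict"))
            for m in (KAV_LINE.match(ln.strip()) for ln in lines) if m]


def triage(lines):
    hits, clusters = short_name_droppers(parse_cf_files(lines))
    return {
        "droppers": sorted(path for _, path in hits),
        "size_clusters": dict(clusters),
        "rundll32_autoruns": rundll32_autoruns(lines),
        "av_detections": av_verdicts(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feeding the full ComboFix and HijackThis logs from this thread through `triage` gives the same list Blade81 typed into the `File::` section by hand, together with the two `HKLM\..\Run` rundll32 entries; the size clusters make it obvious that the 0-byte and 55,296-byte files belong to one family rather than being unrelated stragglers.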

multicanarias
2008-06-01, 23:37
Hi Blade81....

I followed your step-by-step instructions.

Here are the 3 reports.
Thank you very much indeed.

a) Combofix

ComboFix 08-05-29.1 - Internet 2008-06-01 18:49:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.269 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.rtf
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\WINDOWS\system32\al.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\rg.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\zv.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Desktop\webmediaplayer.lnk
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro.dat
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro_nav.dat
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro_navps.dat
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\cftmon.exe
C:\WINDOWS\system32\al.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\da.exe
C:\WINDOWS\system32\ec.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\qd.exe
C:\WINDOWS\system32\rg.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\rz.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\ue.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\vb.exe
C:\WINDOWS\system32\vj.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\xn.exe
C:\WINDOWS\system32\xu.exe
C:\WINDOWS\system32\zv.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-01 bis 2008-06-01 ))))))))))))))))))))))))))))))
.

2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-27 01:49 55,296 ----a-w C:\WINDOWS\system32\yw.exe
2008-04-26 22:55 55,296 ----a-w C:\WINDOWS\system32\ga.exe
2008-04-26 21:49 62,168 ----a-w C:\WINDOWS\system32\tw.exe
2008-04-26 21:27 62,168 ----a-w C:\WINDOWS\system32\ag.exe
2008-04-26 21:18 62,168 ----a-w C:\WINDOWS\system32\jh.exe
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-22 20:51 62,168 ----a-w C:\WINDOWS\system32\zj.exe
2008-04-18 22:58 55,296 ----a-w C:\WINDOWS\system32\rr.exe
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-10 13:27 55,296 ----a-w C:\WINDOWS\system32\kv.exe
2008-04-08 13:35 55,296 ----a-w C:\WINDOWS\system32\tm.exe
2008-04-07 21:48 55,296 ----a-w C:\WINDOWS\system32\ya.exe
2008-04-07 21:20 55,296 ----a-w C:\WINDOWS\system32\ua.exe
2008-04-07 00:04 55,296 ----a-w C:\WINDOWS\system32\mz.exe
2008-04-06 22:52 55,296 ----a-w C:\WINDOWS\system32\hw.exe
2008-04-06 00:32 55,296 ----a-w C:\WINDOWS\system32\bz.exe
2008-04-04 20:59 40,960 ----a-w C:\WINDOWS\system32\em.exe
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-04-04 09:27 43,444 ----a-w C:\WINDOWS\system32\hj.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 18:16 55,296 ----a-w C:\WINDOWS\system32\ay.exe
2008-03-30 17:27 55,296 ----a-w C:\WINDOWS\system32\py.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-25 20:47 55,296 ----a-w C:\WINDOWS\system32\jb.exe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-22 09:51 55,296 ----a-w C:\WINDOWS\system32\en.exe
2008-03-22 09:46 55,296 ----a-w C:\WINDOWS\system32\ld.exe
2008-03-22 09:16 55,296 ----a-w C:\WINDOWS\system32\hd.exe
2008-03-21 11:14 55,296 ----a-w C:\WINDOWS\system32\sg.exe
2008-03-21 10:51 55,296 ----a-w C:\WINDOWS\system32\cb.exe
2008-03-21 10:05 55,296 ----a-w C:\WINDOWS\system32\ni.exe
2008-03-21 10:01 55,296 ----a-w C:\WINDOWS\system32\mu.exe
2008-03-20 20:04 55,296 ----a-w C:\WINDOWS\system32\ex.exe
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 21:25 55,296 ----a-w C:\WINDOWS\system32\pp.exe
2008-03-19 21:06 55,296 ----a-w C:\WINDOWS\system32\uq.exe
2008-03-19 20:55 55,296 ----a-w C:\WINDOWS\system32\zp.exe
2008-03-17 20:20 55,296 ----a-w C:\WINDOWS\system32\tl.exe
2008-03-16 11:19 55,296 ----a-w C:\WINDOWS\system32\ev.exe
2008-03-16 02:37 55,296 ----a-w C:\WINDOWS\system32\zf.exe
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2008-03-15 16:36 55,296 ----a-w C:\WINDOWS\system32\nk.exe
2008-03-11 20:32 55,296 ----a-w C:\WINDOWS\system32\qf.exe
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 16:41:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 18:50:59
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-06-01 18:52:53
ComboFix-quarantined-files.txt 2008-06-01 17:52:48
ComboFix2.txt 2008-06-01 16:08:01

14 Verzeichnis(se), 1,779,216,384 Bytes frei
18 Verzeichnis(se), 1,767,165,952 Bytes frei

242 --- E O F --- 2008-05-28 19:22:30



b) Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 10:20:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 820756
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 74938
Number of viruses found: 12
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 01:30:47

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\temp\JET9A3E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab CAB: infected - 3 skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\henning\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\file.exe.vir Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\QooBox\Quarantine\C\setup.exe.vir Inno: infected - 12 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\al.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bo.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cc.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ed.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ee.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ew.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gestlyvo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hn.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ii.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mdlaiuwg.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sl.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\va.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0104428.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0105358.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122948.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122949.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122951.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122956.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122967.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122968.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122970.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122981.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122982.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122984.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe Inno: infected - 12 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122997.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122998.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123167.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123169.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123170.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123171.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123172.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123173.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123174.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123175.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123176.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123177.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123178.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123180.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123181.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123182.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123183.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123184.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123186.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123189.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123190.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123191.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123192.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123193.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123194.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123195.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ag.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ay.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\em.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\en.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ev.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ex.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ga.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hd.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\kv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ld.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ni.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nk.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\pp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\py.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\qf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rr.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tm.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ua.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ya.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\yw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


c) HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23, on 2008-06-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4151 bytes

Blade81
2008-06-02, 06:57
Hi


Start hjt, do a system scan, check:
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)

Close browsers and other windows. Click fix checked.



Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop. (If you can't download with this computer, try to get it downloaded on some other one.)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

In Safe Mode, double click the SDFix.exe file. Click Install in the window that appears.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.





Then we continue. Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\zp.exe
C:\WINDOWS\system32\tl.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\qf.exe

Folder::
C:\Programme\NavExcel



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting the above-mentioned ComboFix resultant log & SDFix report).

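An added example, not code from this thread or from ComboFix, HijackThis or Kaspersky: a small Python script that does what the helper did by hand above. It pulls the "Infected: ... skipped" paths out of a Kaspersky report, flags HijackThis entries whose target file is gone (the "(no file)" / "(file missing)" lines that are safe to "Fix checked"), and renders the result in the File::/Folder:: layout of the CFScript. The report and log lines are constructed samples; the example.dll entry and its all-zero CLSID are placeholders.

```python
"""Added example (not from the thread or from ComboFix/HijackThis/Kaspersky):
turn a Kaspersky scan report into a ComboFix-style CFScript and list
HijackThis entries that point at files which no longer exist."""
import re
from typing import Dict, Iterable, List

# Constructed sample in the layout of the Kaspersky report posted above.
KAV_REPORT = r"""
C:\WINDOWS\system32\nk.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\pp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\ya.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
"""

# Constructed sample HijackThis lines; the example.dll entry and its all-zero
# CLSID are placeholders, not real identifiers.
HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# "<path> Infected: <detection> skipped": the online scanner only reports,
# it does not clean, so every such line is a file that is still on disk.
KAV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Entries whose target no longer exists; nothing is loaded from them any
# more, which is why the helper has them removed with "Fix checked".
HJT_ORPHAN = re.compile(r"^O\d+ - .*\((?:no file|file missing)\)$")


def infected_paths(report: str) -> Dict[str, str]:
    """Map each infected-but-skipped path to its detection name.
    'Object is locked skipped' lines are files in use, not detections."""
    found: Dict[str, str] = {}
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            found[m.group("path")] = m.group("name")
    return found


def orphaned_hjt_entries(log: str) -> List[str]:
    """Return HijackThis lines that reference a missing file."""
    return [ln.strip() for ln in log.splitlines() if HJT_ORPHAN.match(ln.strip())]


def build_cfscript(files: Iterable[str], folders: Iterable[str] = ()) -> str:
    """Render File:: and Folder:: sections in the layout used in the post."""
    lines = ["File::"] + sorted(files)
    folder_list = sorted(folders)
    if folder_list:
        lines += ["", "Folder::"] + folder_list
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    infected = infected_paths(KAV_REPORT)
    for path, name in infected.items():
        print(f"{name}: {path}")
    print("HijackThis entries to fix:")
    for entry in orphaned_hjt_entries(HJT_LOG):
        print("  " + entry)
    print(build_cfscript(infected, folders=[r"C:\Programme\NavExcel"]))
```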
multicanarias
2008-06-03, 12:40
Hi Blade81....

thank you very much...

Many thanks indeed (kiitoksia oikein paljon).....

I got a lot of important work to do on my computer now...

I am worried now... :-/

following your instructions.. would it be better to do the work that cannot wait first?

Blade81
2008-06-03, 17:08
I got a lot of important work to do on my computer now...
Hi

Infected and important don't fit too well into the same sentence. If possible, try to do your work on a clean system until this case is cleared up.

multicanarias
2008-06-03, 22:03
Hi Blade81...

thanks for your answer towards my worries.....


here the logs and reports:
a) SDFix report
b) ComboFix resultant log
c) Kaspersky report




a) SDFix report

SDFix: Version 1.187
Run by henning on 2008-06-03 at 18:40

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\tl.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 18:48:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"="C:\\Programme\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"="C:\\Programme\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:AVG Control Center"
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"="C:\\Programme\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet"
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"="C:\\Programme\\Orbitdownloader\\orbitnet.exe:*:Disabled:Orbit"
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"="C:\\Programme\\Orbitdownloader\\orbitdm.exe:*:Disabled:Orbit"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 10 Feb 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Tue 3 May 2005 65,024 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\~WRL0001.tmp"
Tue 3 May 2005 22,016 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\~WRL0759.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL0005.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL0157.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL2243.tmp"
Sun 27 Apr 2008 31,232 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL3479.tmp"
Sun 27 Apr 2008 24,576 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL3999.tmp"
Mon 21 Jun 2004 135,168 A..HR --- "C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll"
Mon 21 Jun 2004 143,360 A..HR --- "C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe"
Sat 10 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7db416e8f76cad78f81bba90a96d7bb0\download\BITAA.tmp"
Wed 14 Aug 2002 65,088 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002 12,732 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002 26,424 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002 28,062 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002 10,710 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002 10,083 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002 10,257 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002 29,499 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002 12,660 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002 11,031 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002 17,952 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002 9,424 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002 13,673 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002 7,243 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002 24,767 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002 7,463 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002 10,286 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002 25,460 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002 28,866 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002 8,544 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002 33,149 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 14 Aug 2002 47,826 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002 35,340 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002 14,378 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002 37,984 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002 44,828 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002 29,628 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 14 Aug 2002 49,750 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 14 Aug 2002 49,242 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002 50,606 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002 161,792 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002 174,080 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002 21,971 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002 30,955 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002 202,517 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002 374,038 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002 22,158 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002 1,608 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002 15,345 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002 7,840 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002 56,821 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002 64,425 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002 32,396 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002 14,160 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002 10,898 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002 53,556 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002 15,777 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002 37,681 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002 354,304 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 14 Aug 2002 21,180 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002 354,263 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002 8,513 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002 41,302 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002 129,240 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002 28,439 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002 13,770 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002 130,980 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002 11,854 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002 52,715 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002 62,391 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002 11,491 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002 17,791 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002 17,043 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002 11,786 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002 18,300 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002 48,224 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002 13,360 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002 9,190 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002 12,567 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002 56,896 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002 9,692 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002 9,537 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002 32,484 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002 52,225 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002 48,491 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002 50,405 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002 33,860 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002 50,175 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002 50,795 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002 48,223 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002 48,641 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002 49,015 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002 53,786 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 14 Aug 2002 44,240 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 14 Aug 2002 42,550 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

Finished!



b) ComboFix resultant log

ComboFix 08-05-29.1 - Internet 2008-06-03 18:57:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.302 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.rtf
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\qf.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\tl.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\zp.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programme\NavExcel
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.htm
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\qf.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\zp.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-03 bis 2008-06-03 ))))))))))))))))))))))))))))))
.

2008-06-03 18:52 . 2008-06-03 18:53 19,855 --a------ C:\spybot-out-03.rtf
2008-06-03 18:37 . 2008-06-03 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 18:32 . 2008-06-03 18:50 <DIR> d-------- C:\SDFix
2008-06-03 18:07 . 2008-06-03 18:07 360 --a------ C:\notiy spybot.rtf
2008-06-02 17:46 . 2008-06-03 10:25 <DIR> d-------- C:\GRIT-PDF
2008-06-02 15:35 . 2008-06-02 15:35 2,315,008 --a------ C:\GRIT-ANG-BAU-01.pdf
2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 17:46:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-03 17:37:30 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:30 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-03 17:37:22 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:22 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 17:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-10-08 13:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 13:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 18:59:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 19:01:21
ComboFix-quarantined-files.txt 2008-06-03 18:01:15
ComboFix2.txt 2008-06-01 17:52:54
ComboFix3.txt 2008-06-01 16:08:01

16 directory(ies), 1,764,728,832 bytes free
20 directory(ies), 1,760,526,336 bytes free

223 --- E O F --- 2008-05-28 19:22:30



c) Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 8:51:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 825918
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 75260
Number of viruses found: 12
Number of infected objects: 159
Number of suspicious objects: 0
Duration of the scan process: 01:31:57

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\temp\JETC455.tmp Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060320080604\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\henning\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\file.exe.vir Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll.vir Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe.vir Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir CAB: infected - 3 skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\QooBox\Quarantine\C\setup.exe.vir Inno: infected - 12 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ag.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\al.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ay.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bo.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bz.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cc.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ed.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ee.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\em.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\en.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ev.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ew.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ex.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ga.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gestlyvo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hd.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hj.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hn.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ii.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ld.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mdlaiuwg.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mz.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ni.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nk.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pp.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\py.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rr.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sl.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tm.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ua.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\va.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ya.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zj.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zp.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\SDFix\backups\backups.zip/backups/tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122948.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122949.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122951.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122956.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122967.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122968.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122970.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122981.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122982.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122984.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe Inno: infected - 12 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122997.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122998.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123167.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123169.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123170.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123171.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123172.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123173.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123174.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123175.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123176.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123177.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123178.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123180.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123181.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123182.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123183.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123184.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123186.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123189.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123190.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123191.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123192.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123193.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123194.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123195.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP410\A0123510.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP410\A0123514.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123598.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123599.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123600.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123601.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123602.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123603.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123604.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123605.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123606.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123607.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123608.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123609.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123610.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123611.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123612.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123613.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123614.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123615.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123616.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123617.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123618.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123619.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123620.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123621.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123622.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123623.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123624.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123625.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123626.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123627.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123628.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123629.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123630.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123631.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123632.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123633.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123634.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

multicanarias
2008-06-03, 22:04
d) new hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54, on 2008-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62DB494-23E4-414A-AF27-DBDCF4D4697D}: NameServer = 212.73.32.3 212.73.32.67
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4237 bytes

Blade81
2008-06-03, 23:09
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll

Folder::
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) in your next reply.

multicanarias
2008-06-04, 01:23
Hi Blade81....

thanks for the quick answer......

this is getting almost addictive here.... :-) (big smile)...

as soon as done I will go to send the logs etc...

Could you please describe what I actually got...

... are these trojans and / or more...?


Thank you very much indeed...

Blade81
2008-06-04, 07:07
Hi

Ok. I'll be waiting :)


Could you please describe what I actually got...

... are these trojans and / or more...?
Found infections are mainly trojans.

multicanarias
2008-06-05, 09:11
Hi Blade81...

excuse please the delay of the log files etc.....

Doing my work on other equipment. As soon as possible I will follow your instructions and send the files.

Thanks....

Blade81
2008-06-05, 09:47
No problem. Take your time :)

multicanarias
2008-06-05, 23:25
Hi Blade81....

finally I had some time to run your last step by step advice.
Thanks a lot.....

a) Combo Fix log
b) Malwarebytes log
c) hjt log

I also got some questions:
What do you think about installing SP3 now... or shall I wait until it improves?

A program like Poker TH that connects itself to the browser... can I find out if this program is safe?

When I am downloading free or shareware I use www.icrfast.com, paying each time with 3 SMS, 4,50€, to get a 100% guarantee of no viruses and spyware. Is this safe?

Is there anywhere something like a trustworthy "black list" of websites?

Once having a clean system (...I hope ;-).. how do I keep it clean?

Finally I heard about these free online schools for anti-virus and malware.. what is your opinion?

..I hope I haven't been asking too much in one go :-)



a) Combo Fix log

ComboFix 08-05-29.1 - Internet 2008-06-05 20:29:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.256 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\desktop.ini

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-05 bis 2008-06-05 ))))))))))))))))))))))))))))))
.

2008-06-05 09:06 . 2008-06-05 11:10 1,726 --a------ C:\mitsu-01.rtf
2008-06-05 07:31 . 2008-06-05 07:31 1,150,677 --a------ C:\tuer-adeje.pdf
2008-06-05 07:28 . 2008-06-05 07:28 430,079 --a------ C:\tuer-adeje001.jpg
2008-06-03 20:57 . 2008-06-03 20:57 <DIR> d-------- C:\Dokumente und Einstellungen\henning\Anwendungsdaten\Talkback
2008-06-03 18:52 . 2008-06-03 20:56 75,877 --a------ C:\spybot-out-03.rtf
2008-06-03 18:37 . 2008-06-03 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 18:32 . 2008-06-03 18:50 <DIR> d-------- C:\SDFix
2008-06-03 18:07 . 2008-06-03 18:07 360 --a------ C:\notiy spybot.rtf
2008-06-02 17:46 . 2008-06-03 10:25 <DIR> d-------- C:\GRIT-PDF
2008-06-02 15:35 . 2008-06-02 15:35 2,315,008 --a------ C:\GRIT-ANG-BAU-01.pdf
2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . 2008-06-01 17:08 <DIR> d-------- C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . 2008-06-01 17:08 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 12:30 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 19:32:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-03 17:37:30 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:30 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-03 17:37:22 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:22 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 17:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-10-08 13:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 13:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18433e52-f6b4-11dc-a7fe-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962ecf60-f3ac-11dc-a7dd-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 20:34:05
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-05 20:38:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 19:38:16
ComboFix2.txt 2008-06-03 18:01:22
ComboFix3.txt 2008-06-01 17:52:54
ComboFix4.txt 2008-06-01 16:08:01

16 Verzeichnis(se), 1,690,222,592 Bytes frei
20 Verzeichnis(se), 1,702,227,968 Bytes frei

163 --- E O F --- 2008-05-28 19:22:30



b) Malwarebytes log

Malwarebytes' Anti-Malware 1.14
Database version: 829

22:09:30 2008-06-05
mbam-log-6-5-2008 (22-09-30).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 110762
Time elapsed: 35 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP399\A0110239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP400\A0111287.exe (Trojan.Agent) -> Quarantined and deleted successfully.



c) hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13, on 2008-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4073 bytes

multicanarias
2008-06-05, 23:32
Hi Blade81...

me again...

every time (since the last session) I place a note here, I immediately receive in my e-mail strange mail from unknown senders with a photo attachment of 430 KB.

Example:

from "Tia ISRAEL" no subject

from "Tristin MURLEY"

..sounds dodgy no...?

Blade81
2008-06-06, 07:43
What do you think about installing SP3 now... or shall I wait until it improves?
Some people have had problems with it. I might suggest to wait for a bit.


A program like Poker TH that connects itself to the browser... can I find out if this program is safe?
Haven't used those poker programs myself so can't unfortunately say for sure.


When I am downloading free or shareware I use www.icrfast.com, paying each time with 3 SMS, 4,50€, to get a 100% guarantee of no viruses and spyware. Is this safe?
Haven't heard about this site before and can't say anything about it.


Is there anywhere something like a trustworthy "black list" of websites?

Once having a clean system (...I hope ;-).. how do I keep it clean?
You can install MVPS Hosts file that's a kind of black list. I'll give instructions when we'll get this clean. :)



Finally I heard about these free online schools for anti-virus and malware.. what is your opinion?
If you have a passion to learn new things, then why not.


About those emails you got.. Are you still getting them? Let's see if GMER can find something.

Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

multicanarias
2008-06-06, 09:26
Hi Blade81..

thanks for your time and all the replies...

Here the gmer log file...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-06 08:22:22
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys Das System kann die angegebene Datei nicht finden. !
? C:\ComboFix\catchme.sys Das System kann den angegebenen Pfad nicht finden. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.14 ----

.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 10021170 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetSysColorBrush 7E368EAB 5 Bytes JMP 100211E0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollInfo 7E369056 7 Bytes JMP 10021060 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollInfo 7E370DA2 7 Bytes JMP 10020FB0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!ShowScrollBar 7E37F2B3 5 Bytes JMP 10021130 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollPos 7E37F6C4 5 Bytes JMP 10020FF0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollPos 7E37F710 5 Bytes JMP 100210A0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollRange 7E37F747 5 Bytes JMP 10021020 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollRange 7E37F95B 5 Bytes JMP 100210E0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!EnableScrollBar 7E3B7DDD 7 Bytes JMP 10020F70 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\prodrv06 \Device\ProDrv06 E174E008
Device \Driver\prohlp02 \Device\ProHlp02 E1018088
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.14 ----

Blade81
2008-06-06, 09:29
Looks just ok :)

Could it have been pure coincidence that you got those spam messages to your email address after posting here? Have you got those now?

multicanarias
2008-06-06, 10:53
Hi.....

don't have any now...

but I'll do an HJT log later; I think it happened after this procedure...


And you think my system is clean now? :-)

Blade81
2008-06-06, 11:24
Hi

The latest logs are good at least :) You could run the Kaspersky scanner once more (include it as an attachment if it doesn't fit into your post) so I can see if it finds anything else than already quarantined or bad system restore items. We'll deal with those in the final phase.

multicanarias
2008-06-06, 14:10
Hi hello...

got the Kaspersky report but I cannot attach it... my text smilies are on and don't work either, and I cannot use the text options in the header... ???

Thanks...

Blade81
2008-06-06, 17:32
Hi

Could you archive it into zip file and then attach it to your reply? :)

multicanarias
2008-06-07, 07:58
Hi Blade81....

The problem is actually that I cannot use any option anymore (here while I am writing) in the grey Message Box!!! No text option, no smilies, nothing..

I can not attach anything....

Do you have any idea or a suggestion please?

Blade81
2008-06-07, 23:27
Hi

Did you change your profile settings? Upload the file here (http://www.sendspace.com/) and post back download link.

multicanarias
2008-06-08, 01:44
Hi Blade81....

thanks for the upload link... here you can find the last kaspersky report:

http://www.sendspace.com/file/rexeo4

Sorry, silly USER me... ;-) what did you mean here by "profile settings"?

Blade81
2008-06-08, 11:49
With profile settings I mean the user CP (http://forums.spybot.info/usercp.php).


Time to get those Kaspersky findings by resetting system restore and by uninstalling ComboFix. Instructions below.

Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stops identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repacked malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your Restricted Zone list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen). Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.

Use a Firewall - I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run Spybot and Adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
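The "Make your Internet Explorer more secure" steps above change six Internet-zone "URL actions" that IE stores as DWORD values under the current user's registry hive. The script below is an added example, not part of Blade81's post or of any tool mentioned in the thread: it applies the same six settings by writing those values directly, prints the old and new value of each, and reads everything back to verify. Assumptions: it is run as the user whose IE profile should change (the values live under HKCU), the numeric IDs are the documented IE zone action values (zone 3 is the Internet zone), and Enable/Prompt/Disable are stored as 0/1/3. If a machine-wide policy (Security_HKLM_only) is in force, the HKLM copy of the key wins and the verification step will report a mismatch.

```powershell
# Added example (not from the original thread): apply Blade81's Internet-zone
# hardening by writing the equivalent registry values instead of clicking through
# Tools > Internet Options > Security > Custom Level.
# Assumptions: run as the affected user (HKCU); IDs are IE's documented URL-action
# values for security zones; zone 3 = Internet zone; Enable=0, Prompt=1, Disable=3.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Enable  = 0
$Prompt  = 1
$Disable = 3

# Setting ID -> description -> value recommended above
$Hardening = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = $Prompt  },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = $Disable },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = $Disable },
    @{ Id = '1800'; Name = 'Installation of desktop items';                            Want = $Prompt  },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                Want = $Prompt  },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';             Want = $Prompt  }
)

function Get-ValueLabel([int]$v) {
    switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown($v)" } }
}

# Returns the current DWORD for a zone action, or $null if IE has never written it
# (IE then uses its built-in default for the zone's security level).
function Get-ZoneSetting([string]$Id) {
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Set-ZoneSetting([string]$Id, [int]$Value) {
    Set-ItemProperty -Path $ZonePath -Name $Id -Value $Value -Type DWord
}

if (-not (Test-Path $ZonePath)) { throw "Internet zone key not found: $ZonePath" }

# Report current vs. wanted, and change only what differs.
foreach ($s in $Hardening) {
    $cur = Get-ZoneSetting $s.Id
    $curLabel = if ($null -eq $cur) { 'not set (IE default)' } else { Get-ValueLabel $cur }
    if ($cur -ne $s.Want) {
        Set-ZoneSetting $s.Id $s.Want
        Write-Host ("{0,-62} {1,-22} -> {2}" -f $s.Name, $curLabel, (Get-ValueLabel $s.Want))
    } else {
        Write-Host ("{0,-62} {1,-22} (already set)" -f $s.Name, $curLabel)
    }
}

# Verify by reading everything back. A mismatch after writing usually means
# HKLM\...\Internet Settings\Security_HKLM_only = 1 is making the machine-wide
# key override the per-user one.
$bad = @($Hardening | Where-Object { (Get-ZoneSetting $_.Id) -ne $_.Want })
if ($bad.Count -gt 0) {
    Write-Warning ('Not applied: ' + (($bad | ForEach-Object { $_.Name }) -join '; '))
} else {
    Write-Host 'All Internet-zone settings verified.'
}
```

Close all Internet Explorer windows before running it; IE reads the zone values when it starts and can write its own cached copy back on exit, undoing the change. The same IDs and values apply to the other zones (0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 4 = Restricted sites) if you change the trailing number in $ZonePath.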

multicanarias
2008-06-08, 12:53
Hi, hello Blade81..

thanks for your reply...

Now the smilies and text options here at the forum work again...
(I never changed anything in the User CP)



Done the first bit of your step by step instructions, but I cannot type anything in the run box of ComboFix because it starts scanning before I can do something.
So I am unable to uninstall it.:red:
I stopped here.. Please tell me what I shall do....

Blade81
2008-06-08, 13:00
Hi

Let's try removing with a batch file.

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
rem Change to the drive and folder where ComboFix.exe was saved (this user's desktop)
c:
cd\Dokumente und Einstellungen\Internet\Desktop\
rem Run ComboFix with its own uninstall switch
ComboFix /u

Double-click on fixes.bat file to execute it.

multicanarias
2008-06-08, 20:56
Hi Blade81....

1000s of questions by now... :angel: please


a)
I still have now...

"adblock_0.7.5.4.-fx+tb+sm.xpi"
"Malwarebytes' Anti-Malware"
"mbam-setup.exe"
"gmer" Folder
"gmer.zip"
"AFT-Clener.exe"
"HJTInstall.exe"
"HijackThis"

..on my Desktop, what shall I do with them?


b)
The only update available on the Windows Update site for now was SP3, I left this for later...

Trying to update Office I got the note "Cookies are blocked". I changed this three times.
First time to "High", then to "Medium", then I activated "Popups".
Still it shows "Cookies are blocked" and I cannot download.

What shall I do here?


c)
After installing Comodo BOCLEAN and rebooting and opening my admin account I was directly prompted to install a new version of Flash Player.
It mentioned "Security Bulletin APSB08-11"
Is this ok, safe?
Does this program have to be run by myself and does it interfere with such as AVG + Spybot or others?
I guess I have this question towards all the other new installations... :bow:



d)
SpywareBlaster installed... it tried to upload the new updates but only got as far as trying to connect to the server...
it got stuck on the blank page of Internet Explorer...



c)
I downloaded and unzipped iespyad...
That's it? ..or do I have to run it or install it?
In the ie folder I didn't find any further exe file..


e)
..for being a "chicken" :scratch: I didn't install the hosts file yet...


f) finally I am with the firewalls...
I have the Windows XP Professional firewall but I heard it's not the best at all....
Is there a free one, better?
I am asking for "free" not because I don't want to spend, but this time in life I am broke and don't have any penny. :red:


g)
how do I set up my remote control in windows XP?



h)
I downloaded and installed AVG and Spybot on a friend's computer; he got a brand new version of each that I don't receive by a simple update.
Should or can I download it just "on top"?


i)
In one of the threads here I read that an update of Java is essential in security matters? What's your opinion here?


j)
Last but not least...
Normally I surf with Mozilla... any suggestions here?




Thank you very much indeed for all your help... and sorry for so many questions.

Blade81
2008-06-09, 06:53
a) These can be deleted:
"adblock_0.7.5.4.-fx+tb+sm.xpi"
"mbam-setup.exe"
"gmer" Folder
"gmer.zip"
"AFT-Clener.exe"
"HJTInstall.exe"
"HijackThis" <--uninstall through Add/Remove Programs

I suggest to keep Malwarebytes' Anti-Malware and run it maybe once or twice a month.


b) Try to use the Low setting temporarily.

c) That Flash Player update is very critical and it's more than recommended to install it. Running it won't interfere with any program.

d) You might want to try again a bit later. Personally I prefer the MVPS hosts file. Basically both do the same job.

c) There should be an install.bat file to do the installation.

e) What was the question here? ;)

f) I gave you a list of free alternatives in previous post. Comodo Firewall Pro for example would be a good choice.

g) Remote control? I'm sorry but don't quite understand. Could you give more details, please?

h) Personally I recommend uninstalling the old version first and then installing the later one.

i) If you have Java installed then it's highly recommended to keep it up-to-date.

j) Adblock Plus (http://adblockplus.org/en/installation) and NoScript (https://addons.mozilla.org/firefox/addon/722) are good add-ons for Firefox.

Blade81
2008-06-15, 13:02
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.