Can't remove Virtumonde



Huygens
2008-06-15, 19:03
Hello,
I scanned my PC in Safe Mode with SpyBot several times. Every time Spybot finds a virtumond.dll. I can't connect to the Internet with that computer.
Here is the Hijack.log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:11, on 15.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Programme\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ICQ6\ICQ.exe
C:\Programme\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\DNA\btdna.exe
C:\Programme\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73355502-FFF6-4662-9812-1C74154B83E7} - C:\WINDOWS\system32\pmnlmjjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {7f600d0f-6eb5-172a-bf84-dc49a8f59788} - {88795f8a-94cd-48fb-a271-5be6f0d006f7} - C:\WINDOWS\system32\tanmjmqy.dll
O2 - BHO: (no name) - {E0580FD9-2BA1-4679-A259-8154202C3038} - C:\WINDOWS\system32\qoMFVnkK.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Programme\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [PMCRemote] C:\Programme\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [80057410] rundll32.exe "C:\WINDOWS\system32\mdgadlpi.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BM8336478c] Rundll32.exe "C:\WINDOWS\system32\sohrjmoq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8215] command /c del "C:\WINDOWS\system32\pmnlmjjh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC75] cmd /c del "C:\WINDOWS\system32\pmnlmjjh.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [PMCS] "C:\Programme\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programme\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Verknüpfung mit einwahl.lnk = C:\einwahl.bat
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208638006468
O20 - Winlogon Notify: qoMFVnkK - C:\WINDOWS\SYSTEM32\qoMFVnkK.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6879 bytes

pskelley
2008-06-16, 04:41
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Huygens
2008-06-16, 11:03
ComboFix 08-06-15.4 - Mr. Pink 2008-06-16 9:37:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.632 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Mr. Pink\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((( Dateien erstellt von 2008-05-16 bis 2008-06-16 ))))))))))))))))))))))))))))))
.

2008-06-15 18:57 . 2008-06-15 18:57 <DIR> d-------- C:\Programme\Microsoft.NET
2008-06-15 18:57 . 2008-06-15 19:10 <DIR> d-------- C:\Programme\HTML Help Workshop
2008-06-15 18:57 . 2008-06-15 19:45 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Merge Modules
2008-06-15 18:57 . 2008-06-15 19:08 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Crystal Decisions
2008-06-15 18:57 . 2008-06-15 19:48 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-06-15 18:55 . 2008-06-15 19:29 <DIR> d-------- C:\Programme\Microsoft Visual Studio .NET 2003
2008-06-15 17:27 . 2008-06-15 17:27 <DIR> d-------- C:\Programme\Trend Micro
2008-06-15 16:15 . 2008-04-19 21:10 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-15 16:15 . 2008-04-19 22:00 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmenü
2008-06-15 16:15 . 2008-04-19 22:00 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-15 16:15 . 2008-06-16 09:40 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-15 16:15 . 2008-04-19 22:00 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-15 16:15 . 2008-04-19 22:00 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-15 16:15 . 2008-04-19 22:00 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-15 15:16 . 2008-06-15 17:12 442 --a------ C:\WINDOWS\wininit.ini
2008-06-15 14:52 . 2008-06-15 14:52 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-15 14:52 . 2008-06-15 23:38 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-06-15 11:54 . 2008-06-15 11:54 <DIR> d-------- C:\Programme\Avira
2008-06-15 11:54 . 2008-06-15 11:54 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-06-15 11:43 . 2008-06-15 11:57 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\.housecall6.6
2008-06-15 11:40 . 2008-06-15 11:40 <DIR> d-------- C:\WINDOWS\Sun
2008-06-14 13:44 . 2008-06-14 13:44 298 --a------ C:\WINDOWS\w32dasm8.ini
2008-06-11 23:09 . 2008-04-14 17:51 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:09 . 2008-04-14 17:51 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-29 11:01 . 2008-05-29 11:02 <DIR> d-------- C:\Programme\GeoGebra
2008-05-29 10:59 . 2008-05-29 10:59 <DIR> d-------- C:\Programme\Java
2008-05-29 10:59 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-29 10:58 . 2008-05-29 10:58 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2008-05-29 10:42 . 2008-05-29 10:42 27,120 --a------ C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-05-29 00:17 . 2008-05-29 00:17 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\vlc
2008-05-28 23:12 . 2008-05-28 23:12 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\dvdcss
2008-05-28 23:11 . 2008-05-28 23:11 <DIR> d-------- C:\Programme\VideoLAN
2008-05-28 23:07 . 2008-05-28 23:07 25 --a------ C:\WINDOWS\cdplayer.ini
2008-05-25 15:56 . 2008-05-25 15:56 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\MathWorks
2008-05-21 23:45 . 2008-05-21 23:45 <DIR> d-------- C:\Programme\Gemeinsame Dateien\xing shared
2008-05-21 23:44 . 2008-05-21 23:44 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Real
2008-05-21 23:44 . 2008-05-21 23:44 <DIR> d-------- C:\Program Files
2008-05-19 18:49 . 2008-05-19 18:49 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FLEXnet
2008-05-19 18:49 . 2008-05-19 18:49 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-19 18:42 . 2008-05-19 18:42 <DIR> d-------- C:\Programme\Bonjour
2008-05-19 18:32 . 2008-05-19 18:32 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Macrovision Shared
2008-05-18 17:50 . 2008-05-18 17:50 <DIR> d-------- C:\Programme\DNA
2008-05-18 17:50 . 2008-05-18 17:50 <DIR> d-------- C:\Programme\BitTorrent
2008-05-18 17:50 . 2008-06-16 09:37 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\DNA
2008-05-18 17:50 . 2008-05-18 19:04 <DIR> d-------- C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\BitTorrent

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 07:10 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-05-19 16:42 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:56 --------- d-----w C:\Programme\LEd
2008-04-29 18:43 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MiKTeX
2008-04-29 18:22 --------- d-----w C:\Programme\texmf
2008-04-23 13:50 --------- d-----w C:\Programme\FreePDF_XP
2008-04-22 18:26 --------- d-----w C:\Programme\Guitar Pro 5
2008-04-22 07:11 --------- d-----w C:\Programme\Canon
2008-04-22 07:03 --------- d-----w C:\Programme\Gemeinsame Dateien\CANON
2008-04-22 07:01 --------- d--h--w C:\Programme\CanonBJ
2008-04-21 07:01 665,088 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-20 21:37 --------- d-----w C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\Canon
2008-04-20 21:32 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2008-04-20 20:17 --------- d-----w C:\Programme\Ghostscript
2008-04-20 10:27 --------- d-----w C:\Programme\DivX
2008-04-20 10:23 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-04-20 10:23 --------- d-----w C:\Programme\Pinnacle
2008-04-20 10:20 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Pinnacle
2008-04-20 10:19 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2008-04-20 10:11 36,864 ----a-w C:\WINDOWS\system32\maplec.dll
2008-04-20 10:11 147,456 ----a-w C:\WINDOWS\system32\WMIMPLEX.dll
2008-04-20 10:11 --------- d-----w C:\Programme\Maple 11
2008-04-20 10:10 --------- d--h--w C:\Programme\Zero G Registry
2008-04-20 09:41 --------- d-----w C:\Programme\MATLAB
2008-04-20 08:14 --------- d-----w C:\Programme\MSXML 4.0
2008-04-19 22:27 --------- d--h--w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonBJ
2008-04-19 22:22 --------- d-----w C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\Ahead
2008-04-19 22:21 --------- d-----w C:\Programme\Nero
2008-04-19 22:21 --------- d-----w C:\Programme\Gemeinsame Dateien\Ahead
2008-04-19 22:21 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2008-04-19 22:21 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ahead
2008-04-19 21:56 --------- d-----w C:\Programme\Foxit Software
2008-04-19 21:46 40 ----a-w C:\einwahl.bat
2008-04-19 20:21 --------- d-----w C:\Programme\ICQ6
2008-04-19 20:21 --------- d-----w C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\ICQ
2008-04-19 20:18 --------- d-----w C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\InstallShield
2008-04-19 20:00 --------- d-----w C:\Dokumente und Einstellungen\Mr. Pink\Anwendungsdaten\Talkback
2008-04-19 19:49 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-19 19:15 --------- d-----w C:\Programme\microsoft frontpage
2008-04-19 19:13 --------- d-----w C:\Programme\Online-Dienste
2008-04-19 19:12 --------- d-----w C:\Programme\Gemeinsame Dateien\Dienste
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_18.14.06.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-15 17:27:28 110,592 ----a-w C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2008-06-15 17:43:23 24,576 ----a-w C:\WINDOWS\assembly\GAC\ConMan\7.0.5000.0__b03f5f7f11d50a3a\ConMan.dll
+ 2008-06-15 17:43:23 86,016 ----a-w C:\WINDOWS\assembly\GAC\ConManDataStore\7.0.5000.0__b03f5f7f11d50a3a\ConManDataStore.dll
+ 2008-06-15 17:43:23 53,248 ----a-w C:\WINDOWS\assembly\GAC\ConManServer\7.0.5000.0__b03f5f7f11d50a3a\ConManServer.dll
+ 2008-06-15 16:58:38 5,120 ----a-w C:\WINDOWS\assembly\GAC\CRVsPackageLib\9.1.5000.0__692fbea5521e1304\CRVsPackageLib.dll
+ 2008-06-15 17:23:57 8,192 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.CrystalReports.Engine.resources\9.1.5000.0_de_692fbea5521e1304\CrystalDecisions.CrystalReports.Engine.resources.DLL
+ 2008-06-15 17:23:53 471,040 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.CrystalReports.Engine\9.1.5000.0__692fbea5521e1304\CrystalDecisions.CrystalReports.Engine.dll
+ 2008-06-15 17:23:57 4,608 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.ReportSource.resources\9.1.5000.0_de_692fbea5521e1304\CrystalDecisions.ReportSource.resources.dll
+ 2008-06-15 17:23:52 36,864 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.ReportSource\9.1.5000.0__692fbea5521e1304\CrystalDecisions.ReportSource.dll
+ 2008-06-15 17:23:57 7,168 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Shared.resources\9.1.5000.0_de_692fbea5521e1304\CrystalDecisions.Shared.resources.dll
+ 2008-06-15 17:23:52 319,488 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Shared\9.1.5000.0__692fbea5521e1304\CrystalDecisions.Shared.dll
+ 2008-06-15 17:23:57 9,216 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Web.resources\9.1.5000.0_de_692fbea5521e1304\CrystalDecisions.Web.resources.dll
+ 2008-06-15 17:23:53 147,456 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Web\9.1.5000.0__692fbea5521e1304\CrystalDecisions.Web.dll
+ 2008-06-15 17:23:57 36,864 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Windows.Forms.resources\9.1.5000.0_de_692fbea5521e1304\CrystalDecisions.Windows.Forms.resources.dll
+ 2008-06-15 17:23:54 237,568 ----a-w C:\WINDOWS\assembly\GAC\CrystalDecisions.Windows.Forms\9.1.5000.0__692fbea5521e1304\CrystalDecisions.Windows.Forms.dll
+ 2008-06-15 17:23:54 45,056 ----a-w C:\WINDOWS\assembly\GAC\CrystalEnterpriseLib\9.1.5000.0__692fbea5521e1304\CrystalEnterpriseLib.dll
+ 2008-06-15 17:23:54 57,344 ----a-w C:\WINDOWS\assembly\GAC\CrystalInfoStoreLib\9.1.5000.0__692fbea5521e1304\CrystalInfoStoreLib.dll
+ 2008-06-15 17:23:54 19,968 ----a-w C:\WINDOWS\assembly\GAC\CrystalKeyCodeLib\9.1.5000.0__692fbea5521e1304\CrystalKeyCodeLib.dll
+ 2008-06-15 17:23:54 9,216 ----a-w C:\WINDOWS\assembly\GAC\CrystalPluginMgrLib\9.1.5000.0__692fbea5521e1304\CrystalPluginMgrLib.dll
+ 2008-06-15 17:23:54 57,344 ----a-w C:\WINDOWS\assembly\GAC\CrystalReportPluginLib\9.1.5000.0__692fbea5521e1304\CrystalReportPluginLib.dll
+ 2008-06-15 17:43:23 8,704 ----a-w C:\WINDOWS\assembly\GAC\emucm\1.0.0.0__b03f5f7f11d50a3a\EmuCM.dll
+ 2008-06-15 17:25:38 245,760 ----a-w C:\WINDOWS\assembly\GAC\EnvDTE\7.0.3300.0__b03f5f7f11d50a3a\envdte.dll
+ 2008-06-15 17:25:15 4,608 ----a-w C:\WINDOWS\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll
+ 2008-06-15 17:43:24 14,848 ----a-w C:\WINDOWS\assembly\GAC\extractsdk\7.0.5000.0__b03f5f7f11d50a3a\extractsdk.dll
+ 2008-06-15 17:29:28 90,112 ----a-w C:\WINDOWS\assembly\GAC\MCppCodeDomProvider\7.0.5000.0__b03f5f7f11d50a3a\MCppCodeDomProvider.dll
+ 2008-06-15 17:43:52 28,672 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.CF.WindowsCE.Forms\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.CF.WindowsCE.Forms.DLL
+ 2008-06-15 16:51:36 45,056 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript.resources\7.0.5000.0_de_b03f5f7f11d50a3a\Microsoft.Jscript.Resources.dll
+ 2008-06-15 17:27:33 8,007,680 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
+ 2008-06-15 17:27:33 13,312 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll
+ 2008-06-15 17:18:37 9,728 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Compatibility.Data.resources\7.0.5000.0_de_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.resources.dll
+ 2008-06-15 17:27:34 110,592 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Compatibility.Data\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-06-15 17:18:37 10,240 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Compatibility.resources\7.0.5000.0_de_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.resources.dll
+ 2008-06-15 17:27:34 237,568 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Compatibility\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-06-15 16:51:37 36,864 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.resources\7.0.5000.0_de_b03f5f7f11d50a3a\Microsoft.VisualBasic.Resources.dll
+ 2008-06-15 17:11:30 106,496 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualStudio.VCCodeModel\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.VCCodeModel.dll
+ 2008-06-15 17:25:15 8,704 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualStudio.VCProject\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.VCProject.dll
+ 2008-06-15 17:25:15 110,592 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualStudio.VCProjectEngine\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.VCProjectEngine.dll
+ 2008-06-15 17:25:01 11,264 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualStudio.VSHelp\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.VSHelp.dll
+ 2008-06-15 16:51:40 745,472 ----a-w C:\WINDOWS\assembly\GAC\mscorcfg.resources\1.0.5000.0_de_b03f5f7f11d50a3a\mscorcfg.Resources.dll
+ 2008-06-15 16:51:40 233,472 ----a-w C:\WINDOWS\assembly\GAC\mscorlib.resources\1.0.5000.0_de_b77a5c561934e089\Mscorlib.Resources.dll
+ 2008-06-15 17:27:28 4,096 ----a-w C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2008-06-15 17:27:37 40,960 ----a-w C:\WINDOWS\assembly\GAC\msddslmp\7.0.3300.0__b03f5f7f11d50a3a\msddslmp.dll
+ 2008-06-15 17:27:37 143,360 ----a-w C:\WINDOWS\assembly\GAC\msddsp\7.0.3300.0__b03f5f7f11d50a3a\msddsp.dll
+ 2008-06-15 17:25:38 196,608 ----a-w C:\WINDOWS\assembly\GAC\Office\7.0.3300.0__b03f5f7f11d50a3a\Office.dll
+ 2008-06-15 16:51:40 10,240 ----a-w C:\WINDOWS\assembly\GAC\RegCode.resources\1.0.5000.0_de_b03f5f7f11d50a3a\RegCode.Resources.dll
+ 2008-06-15 17:22:28 8,704 ----a-w C:\WINDOWS\assembly\GAC\SoapSuds.resources\1.0.5000.0_de_b03f5f7f11d50a3a\SoapSuds.Resources.dll
+ 2008-06-15 17:22:28 6,656 ----a-w C:\WINDOWS\assembly\GAC\SoapSudsCode.resources\1.0.5000.0_de_b03f5f7f11d50a3a\SoapSudsCode.Resources.dll
+ 2008-06-15 17:13:17 12,288 ----a-w C:\WINDOWS\assembly\GAC\SoapSudsCode\1.0.5000.0__b03f5f7f11d50a3a\SoapSudsCode.dll
+ 2008-06-15 17:12:50 16,384 ----a-w C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
+ 2008-06-15 17:44:59 57,344 ----a-w C:\WINDOWS\assembly\GAC\system.cf.design.resources\7.0.5000.0_de_b03f5f7f11d50a3a\System.CF.Design.resources.DLL
+ 2008-06-15 17:44:57 1,200,128 ----a-w C:\WINDOWS\assembly\GAC\System.CF.Design\7.0.5000.0__b03f5f7f11d50a3a\System.CF.Design.DLL
+ 2008-06-15 17:43:29 13,312 ----a-w C:\WINDOWS\assembly\GAC\system.cf.drawing.resources\7.0.5000.0_de_b03f5f7f11d50a3a\system.cf.drawing.resources.dll
+ 2008-06-15 17:43:27 454,656 ----a-w C:\WINDOWS\assembly\GAC\System.CF.Drawing\7.0.5000.0__b03f5f7f11d50a3a\System.CF.Drawing.DLL
+ 2008-06-15 17:45:12 6,656 ----a-w C:\WINDOWS\assembly\GAC\system.cf.package.resources\7.0.5000.0_de_b03f5f7f11d50a3a\System.CF.Package.resources.DLL
+ 2008-06-15 17:43:22 106,496 ----a-w C:\WINDOWS\assembly\GAC\System.CF.Package\7.0.5000.0__b03f5f7f11d50a3a\System.CF.Package.DLL
+ 2008-06-15 17:45:27 19,968 ----a-w C:\WINDOWS\assembly\GAC\system.cf.windows.forms.datagrid.resources\7.0.5000.0_de_b03f5f7f11d50a3a\System.CF.Windows.Forms.DataGrid.resources.DLL
+ 2008-06-15 17:45:26 90,112 ----a-w C:\WINDOWS\assembly\GAC\System.CF.Windows.Forms.DataGrid\7.0.5000.0__b03f5f7f11d50a3a\System.CF.Windows.Forms.DataGrid.DLL
+ 2008-06-15 17:43:30 180,224 ----a-w C:\WINDOWS\assembly\GAC\system.cf.windows.forms.resources\7.0.5000.0_de_b03f5f7f11d50a3a\System.CF.Windows.Forms.resources.DLL
+ 2008-06-15 17:43:29 1,667,072 ----a-w C:\WINDOWS\assembly\GAC\System.CF.Windows.Forms\7.0.5000.0__b03f5f7f11d50a3a\System.CF.Windows.Forms.DLL
+ 2008-06-15 16:51:39 16,384 ----a-w C:\WINDOWS\assembly\GAC\System.Configuration.Install.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Configuration.Install.Resources.dll
+ 2008-06-15 16:51:38 122,880 ----a-w C:\WINDOWS\assembly\GAC\System.Data.resources\1.0.5000.0_de_b77a5c561934e089\System.Data.Resources.dll
+ 2008-06-15 16:51:38 135,168 ----a-w C:\WINDOWS\assembly\GAC\System.Design.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Design.Resources.dll
+ 2008-06-15 16:51:38 11,264 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.DirectoryServices.Resources.dll
+ 2008-06-15 16:51:39 6,144 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing.Design.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Drawing.design.Resources.dll
+ 2008-06-15 16:51:39 13,824 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Drawing.Resources.dll
+ 2008-06-15 16:51:38 32,768 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.EnterpriseServices.Resources.dll
+ 2008-06-15 16:51:39 24,576 ----a-w C:\WINDOWS\assembly\GAC\system.management.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Management.Resources.dll
+ 2008-06-15 16:51:39 61,440 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Messaging.Resources.dll
+ 2008-06-15 16:51:39 81,920 ----a-w C:\WINDOWS\assembly\GAC\System.resources\1.0.5000.0_de_b77a5c561934e089\System.Resources.dll
+ 2008-06-15 16:51:39 28,672 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting.resources\1.0.5000.0_de_b77a5c561934e089\System.runtime.remoting.Resources.dll
+ 2008-06-15 16:51:39 12,288 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.Resources.dll
+ 2008-06-15 16:51:38 7,680 ----a-w C:\WINDOWS\assembly\GAC\System.Security.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Security.Resources.dll
+ 2008-06-15 16:51:38 40,960 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.ServiceProcess.Resources.dll
+ 2008-06-15 16:51:40 81,920 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll
+ 2008-06-15 16:51:38 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.Web.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Web.Resources.dll
+ 2008-06-15 16:51:38 61,440 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services.resources\1.0.5000.0_de_b03f5f7f11d50a3a\System.Web.Services.Resources.dll
+ 2008-06-15 16:51:38 180,224 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms.resources\1.0.5000.0_de_b77a5c561934e089\System.Windows.Forms.Resources.dll
+ 2008-06-15 16:51:38 114,688 ----a-w C:\WINDOWS\assembly\GAC\System.XML.resources\1.0.5000.0_de_b77a5c561934e089\System.xml.Resources.dll
+ 2008-06-15 17:12:44 12,288 ----a-w C:\WINDOWS\assembly\GAC\TlbExpCode\1.0.5000.0__b03f5f7f11d50a3a\TlbExpCode.dll
+ 2008-06-15 17:12:44 28,672 ----a-w C:\WINDOWS\assembly\GAC\TlbImpCode\1.0.5000.0__b03f5f7f11d50a3a\TlbImpCode.dll
+ 2008-06-15 16:51:51 8,704 ----a-w C:\WINDOWS\assembly\GAC\vjscor\1.0.5000.0__b03f5f7f11d50a3a\vjscor.dll
+ 2008-06-15 16:51:51 57,344 ----a-w C:\WINDOWS\assembly\GAC\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a\VJSharpCodeProvider.dll
+ 2008-06-15 16:51:52 3,739,648 ----a-w C:\WINDOWS\assembly\GAC\vjslib\1.0.5000.0__b03f5f7f11d50a3a\vjslib.dll
+ 2008-06-15 16:51:53 32,768 ----a-w C:\WINDOWS\assembly\GAC\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a\vjslibcw.dll
+ 2008-06-15 16:51:53 3,399,680 ----a-w C:\WINDOWS\assembly\GAC\vjswfc\1.0.5000.0__b03f5f7f11d50a3a\vjswfc.dll
+ 2008-06-15 16:51:54 8,704 ----a-w C:\WINDOWS\assembly\GAC\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a\VJSWfcBrowserStubLib.dll
+ 2008-06-15 16:51:54 189,952 ----a-w C:\WINDOWS\assembly\GAC\vjswfccw\1.0.5000.0__b03f5f7f11d50a3a\vjswfccw.dll
+ 2008-06-15 16:51:54 1,105,920 ----a-w C:\WINDOWS\assembly\GAC\vjswfchtml\1.0.5000.0__b03f5f7f11d50a3a\vjswfchtml.dll
+ 2008-06-15 17:12:25 53,248 ----a-w C:\WINDOWS\assembly\GAC\VSLangProj\7.0.3300.0__b03f5f7f11d50a3a\VSLangProj.dll
+ 2008-06-15 17:47:37 118,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_73fdbdac\CustomMarshalers.dll
+ 2008-06-15 17:47:59 1,245,184 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\1.0.5000.0__b03f5f7f11d50a3a_0ce1c4f8\Microsoft.VisualStudio.dll
+ 2008-06-15 17:47:24 53,248 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner.Mobile\7.0.5000.0__b03f5f7f11d50a3a_f65aed85\Microsoft.VSDesigner.Mobile.dll
+ 2008-06-15 17:47:32 2,994,176 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner\7.0.5000.0__b03f5f7f11d50a3a_d682759f\Microsoft.VSDesigner.dll
+ 2008-06-15 17:47:40 8,908,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c78492af\mscorlib.dll
+ 2008-06-15 17:47:45 3,395,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_89f4ea23\System.Design.dll
+ 2008-06-15 17:47:47 192,512 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_d06ef577\System.Drawing.Design.dll
+ 2008-06-15 17:47:47 2,244,608 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_5625161a\System.Drawing.dll
+ 2008-06-15 17:47:52 7,884,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_c8be9879\System.Windows.Forms.dll
+ 2008-06-15 17:47:55 5,513,216 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_2018e8a4\System.Xml.dll
+ 2008-06-15 17:47:43 4,788,224 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_2e9b2e7a\System.dll
+ 2008-06-15 16:52:19 20,480 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_603e4814\vjscor.dll
+ 2008-06-15 16:52:19 69,632 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_27117193\VJSharpCodeProvider.dll
+ 2008-06-15 16:52:18 4,464,640 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_b77b8d3e\vjslib.dll
+ 2008-06-15 16:52:08 32,768 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a_037577a8\vjslibcw.dll
+ 2008-06-15 16:52:07 10,240 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_e8270f65\VJSWfcBrowserStubLib.dll
- 2008-06-15 16:01:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 06:55:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 17:48:01 6,144 ----a-r C:\WINDOWS\Installer\{71600407-4990-4027-AC61-2A1511879A76}\IconTmpl.BC3EE373_B952_4841_B3FD_E4AD14F4D3A8.exe
+ 2008-06-15 17:48:01 34,304 ----a-r C:\WINDOWS\Installer\{71600407-4990-4027-AC61-2A1511879A76}\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2008-06-15 17:48:01 34,304 ----a-r C:\WINDOWS\Installer\{71600407-4990-4027-AC61-2A1511879A76}\misc.exe_1031.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
+ 2003-02-24 18:56:08 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\alinkui.dll
+ 2003-02-24 18:55:56 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\cscompui.dll
+ 2003-04-02 16:24:18 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\dwintl.dll
+ 2003-02-24 18:55:52 155,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\vbc7ui.dll
+ 2003-04-02 16:24:22 135,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\vjscui.dll
+ 2003-04-02 16:24:24 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\vjslibui.dll
+ 2003-02-24 18:54:30 180,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1031\Vsavb7rtUI.dll
+ 2002-02-12 09:55:52 54,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\dwintl.dll
+ 2003-03-18 21:38:52 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\vjscui.dll
+ 2003-03-18 21:36:12 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\vjslibui.dll
+ 2003-03-19 06:52:20 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\al.exe
+ 2003-02-24 18:54:36 45,056 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\aspnet_rc.dll
+ 2003-02-24 19:11:16 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\caspol.resources.dll
+ 2003-02-24 19:11:18 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\ConfigWizards.Resources.dll
+ 2003-02-24 19:11:20 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\InstallUtil.resources.dll
+ 2003-02-24 19:11:22 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\JSC.Resources.dll
+ 2003-02-24 19:11:22 45,056 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\Microsoft.JScript.Resources.dll
+ 2003-02-24 19:11:46 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\Microsoft.VisualBasic.resources.dll
+ 2003-02-24 19:11:50 745,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\mscorcfg.Resources.dll
+ 2003-02-24 19:06:34 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\mscorlib.resources.dll
+ 2003-02-24 18:54:38 172,032 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\mscorrc.dll
+ 2003-02-24 19:08:50 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\Regasm.resources.dll
+ 2003-02-24 19:07:06 10,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\RegCode.Resources.dll
+ 2003-02-24 18:54:58 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\ShFusRes.dll
+ 2003-02-24 19:11:54 16,384 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Configuration.Install.Resources.dll
+ 2003-02-24 19:07:10 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Data.Resources.dll
+ 2003-02-24 19:07:12 135,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Design.Resources.dll
+ 2003-02-24 19:07:14 11,264 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.DirectoryServices.Resources.dll
+ 2003-02-24 19:12:02 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Drawing.Design.Resources.dll
+ 2003-02-24 19:07:20 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Drawing.Resources.dll
+ 2003-02-24 19:07:20 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.EnterpriseServices.Resources.dll
+ 2003-02-24 19:09:14 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Management.Resources.dll
+ 2003-02-24 19:07:38 61,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Messaging.Resources.dll
+ 2003-02-24 19:07:40 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\system.resources.dll
+ 2003-02-24 19:07:40 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Runtime.Remoting.Resources.dll
+ 2003-02-24 19:07:42 12,288 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Runtime.Serialization.Formatters.Soap.Resources.dll
+ 2003-02-24 19:07:44 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Security.Resources.dll
+ 2003-02-24 19:07:46 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.ServiceProcess.Resources.dll
+ 2003-02-24 19:15:24 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Web.Mobile.resources.dll
+ 2003-02-24 19:07:48 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Web.Resources.dll
+ 2003-02-24 19:07:50 61,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Web.Services.Resources.dll
+ 2003-02-24 19:07:48 180,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.Windows.Forms.Resources.dll
+ 2003-02-24 19:07:50 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\DE\System.xml.Resources.dll
+ 2002-05-31 00:15:48 186,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\dw15.exe
+ 2003-03-19 09:52:50 245,760 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\envdte.dll
+ 2003-03-19 09:53:21 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2003-03-19 09:53:24 237,568 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Compatibility.dll
+ 2003-03-19 03:03:51 544,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\msvcr71d.dll
+ 2003-02-24 18:55:14 24,064 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MUI\0407\mscorsecr.dll
+ 2003-03-19 09:50:24 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\office.dll
+ 2003-03-18 21:43:50 19,968 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjc.exe
+ 2003-03-18 21:43:46 1,613,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjsc.dll
+ 2003-03-18 23:52:02 8,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjscor.dll
+ 2003-03-18 23:50:02 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VJSharpCodeProvider.DLL
+ 2003-03-18 23:52:06 3,739,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjslib.dll
+ 2003-03-18 23:52:08 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjslibcw.dll
+ 2003-03-18 21:30:08 266,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjsnativ.dll
+ 2003-03-18 23:52:10 3,399,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjswfc.dll
+ 2003-03-18 23:52:12 8,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VJSWfcBrowserStubLib.dll
+ 2003-03-18 23:52:14 189,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjswfccw.dll
+ 2003-03-18 23:50:14 1,105,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vjswfchtml.dll
+ 2003-03-18 21:43:52 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\VJSharp\VJSharpSxS10.dll
+ 2003-03-18 21:38:44 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\VJSharp\VJSWfcHost.dll
+ 2002-05-21 01:31:36 10,374 ----a-w C:\WINDOWS\system32\drivers\VPCAppSv.sys
+ 2002-05-16 17:30:01 28,812 ----a-w C:\WINDOWS\system32\drivers\VPCPower.sys
+ 2000-11-21 03:35:43 837,904 ----a-w C:\WINDOWS\system32\hha.dll
+ 2003-03-19 04:44:35 40,960 ----a-w C:\WINDOWS\system32\MFC71CHS.DLL
+ 2003-03-19 04:44:35 45,056 ----a-w C:\WINDOWS\system32\MFC71CHT.DLL
+ 2003-03-19 04:44:33 65,536 ----a-w C:\WINDOWS\system32\MFC71DEU.DLL
+ 2003-03-19 04:44:36 57,344 ----a-w C:\WINDOWS\system32\MFC71ENU.DLL
+ 2003-03-19 04:44:34 61,440 ----a-w C:\WINDOWS\system32\MFC71ESP.DLL
+ 2003-03-19 04:44:32 61,440 ----a-w C:\WINDOWS\system32\MFC71FRA.DLL
+ 2003-03-19 04:44:34 61,440 ----a-w C:\WINDOWS\system32\MFC71ITA.DLL
+ 2003-03-19 04:44:33 49,152 ----a-w C:\WINDOWS\system32\MFC71JPN.DLL
+ 2003-03-19 04:44:36 49,152 ----a-w C:\WINDOWS\system32\MFC71KOR.DLL
+ 2003-03-19 04:31:57 2,174,464 ----a-w C:\WINDOWS\system32\mfc71ud.dll
+ 2000-11-21 03:43:37 111,104 ----a-w C:\WINDOWS\system32\msch2DE.dll
+ 2000-11-21 03:43:37 22,016 ----a-w C:\WINDOWS\system32\msmskDE.dll
- 2000-05-23 19:45:58 118,784 ----a-w C:\WINDOWS\system32\MSSTDFMT.DLL
+ 2001-04-05 17:43:19 118,784 ----a-w C:\WINDOWS\system32\msstdfmt.dll
- 1998-08-09 08:07:34 94,208 ----a-w C:\WINDOWS\system32\MSSTKPRP.DLL
+ 2001-04-05 17:43:19 94,208 --s-a-r C:\WINDOWS\system32\msstkprp.dll
+ 2003-02-24 18:55:10 4,608 ----a-w C:\WINDOWS\system32\mui\0407\mscoreer.dll
+ 2000-11-21 03:43:37 6,656 --s-a-w C:\WINDOWS\system32\stdftde.dll
+ 2002-06-13 21:15:10 163,980 ----a-w C:\WINDOWS\system32\VPCNetS2.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73355502-FFF6-4662-9812-1C74154B83E7}]
C:\WINDOWS\system32\pmnlmjjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"PMCS"="C:\Programme\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" [2006-06-08 09:42 65536]
"BitTorrent DNA"="C:\Programme\DNA\btdna.exe" [2008-05-18 17:50 289088]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="C:\Programme\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-05-24 17:38 1226288]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06 406016]
"Pinnacle WebUpdater"="C:\Programme\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [2006-06-08 09:40 385024]
"PMCRemote"="C:\Programme\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2006-06-08 09:40 90112]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-05-21 23:44 185896]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Dokumente und Einstellungen\Mr. Pink\Startmenü\Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Verknüpfung mit einwahl.lnk - C:\einwahl.bat [2008-04-19 23:44:55 40]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Maple 11\\jre\\bin\\java.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\DNA\\btdna.exe"=
"C:\\Programme\\BitTorrent\\bittorrent.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=

R3 3xHybrid;Pinnacle PCTV 310i Stereo DVB-T;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-09-02 15:43]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 09:40:48
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-16 9:51:07
ComboFix-quarantined-files.txt 2008-06-16 07:50:43
ComboFix2.txt 2008-06-15 16:14:44

7 directory(ies), 34,158,194,688 bytes free
9 directory(ies), 34,154,336,256 bytes free

361 --- E O F --- 2008-06-11 22:20:55

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:14, on 16.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Programme\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\Programme\DNA\btdna.exe
C:\Programme\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {73355502-FFF6-4662-9812-1C74154B83E7} - C:\WINDOWS\system32\pmnlmjjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Programme\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [PMCRemote] C:\Programme\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [PMCS] "C:\Programme\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programme\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Verknüpfung mit einwahl.lnk = C:\einwahl.bat
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208638006468
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CCC340E-D7E2-40C4-BCF2-5B3A96A77505}: NameServer = 62.109.123.196 213.191.74.18
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6507 bytes

pskelley
2008-06-16, 15:42
Thanks for returning your information; it is strange that combofix located no malware to remove?

Is any program besides Spybot S&D finding Virtumonde? Please make sure Spybot S&D is totally up to date and fully immunized then run it again.
Click "Help" then About. Version should be 1.5.2.20 and latest detection updates: 2008-06-11
You should be immunized against 72019 items.

C:\einwahl.bat <<< what is this? If you don't know, delete it.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(missing file...you may need to download Spybot again?)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: (no name) - {73355502-FFF6-4662-9812-1C74154B83E7} - C:\WINDOWS\system32\pmnlmjjh.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and provide me with some feedback.

I also suggest you update to Internet Explorer 7, if only for the additional security it provides. It may clear up other issues also?
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Thanks
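
As an added example (not code from this thread, from HijackThis or from Spybot), here is the triage a helper does by eye on the O2, O4 and O17 lines of a HijackThis log, written as a small Python parser. The sample lines are constructed from entries posted in this thread; the trusted install roots, the eight-lowercase-letter system32 DLL heuristic (the shape of pmnlmjjh.dll above) and the optional expected_dns list are assumptions of the example, not HijackThis features.

```python
"""Triage a HijackThis v2 log: pick out the O2/O4/O17 lines a malware-removal
helper reads first. Added example; not part of the original thread or of HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis format. The line types and entries mirror
# the log posted in this thread (one benign BHO, one orphaned BHO, one trusted
# autostart, one user batch file at the drive root, one O17 NameServer line).
SAMPLE_LOG_LINES = [
    r"O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll",
    r"O2 - BHO: (no name) - {73355502-FFF6-4662-9812-1C74154B83E7} - C:\WINDOWS\system32\pmnlmjjh.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - Startup: Verknüpfung mit einwahl.lnk = C:\einwahl.bat",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4CCC340E-D7E2-40C4-BCF2-5B3A96A77505}: NameServer = 62.109.123.196 213.191.74.18",
    r"O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe",
]


@dataclass
class Finding:
    severity: str  # "suspicious" (fix it) or "review" (ask the user what it is)
    line: str
    reason: str


O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+) = )(?P<cmd>.*)$"
)
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>.*)$")

# Assumption: install roots an autostart entry is expected to live under
# (English and German XP names).
TRUSTED_ROOTS = (r"c:\program files", r"c:\programme", r"c:\windows")
# Assumption: eight lowercase letters in system32, the shape of pmnlmjjh.dll above.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Strip quoting and arguments from an O4 command to get the executable path.
    Unquoted paths with spaces are cut at the first space; good enough for a
    root check, since the drive and top-level folder survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(lines, expected_dns=None):
    """Return a Finding for each O2, O4 or O17 line worth a second look.
    expected_dns: optional list of DNS servers the ISP/LAN is known to set."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                # The CLSID is still registered although the DLL is gone; IE
                # keeps trying to load it until the registration is removed.
                findings.append(Finding("suspicious", line,
                                        "BHO registered but its DLL is missing (orphaned CLSID)"))
            elif RANDOM_SYS32_DLL.search(m.group("path")):
                findings.append(Finding("suspicious", line,
                                        "BHO DLL with a random-looking name in system32"))
            elif m.group("name") == "(no name)":
                findings.append(Finding("review", line, "BHO with no name"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_path(m.group("cmd"))
            low = exe.lower()
            if not low.startswith(TRUSTED_ROOTS):
                findings.append(Finding("review", line,
                                        f"autostart runs {exe}, outside the usual install roots"))
            elif low.endswith((".bat", ".cmd", ".vbs", ".js")):
                findings.append(Finding("review", line, "autostart runs a script"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split()
            if expected_dns is not None and not set(servers) <= set(expected_dns):
                findings.append(Finding("suspicious", line,
                                        "DNS servers differ from the ones the ISP/LAN should set"))
            else:
                findings.append(Finding("review", line,
                                        "confirm these DNS servers belong to the ISP or LAN"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it over a saved log with `triage(open(path, encoding="cp1252").read().splitlines())`. The orphaned {73355502-...} entry comes back as suspicious because the CLSID stays registered after the DLL is gone, which is why HijackThis still lists it and why the fix removes the registration rather than a file; the O17 line is only flagged for review unless you pass the DNS servers you know the connection should be using.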

Huygens
2008-06-16, 20:49
Sorry, I tried out combofix before consulting this forum. Maybe that's the reason why it is not possible to find virtumonde anymore. I hope it's removed from the system and not hidden inside. einwahl.bat is a batch file written by myself.
I have used ATF cleaner. Spybot can't find virtumonde anymore. I hope it's removed. I don't have the logfile of my first attempt with combofix anymore :-(
Thank you very much!

pskelley
2008-06-16, 21:35
Thanks for the feedback, this is the next bridge we have to cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

Huygens
2008-06-17, 02:06
Thank you for your reply.
I installed RC from the Win XP CD and don't have such a log file.
Where did you learn so much about these tools, malware, etc? Tutorials, books? From my studies I know a lot about processors and programming, but this malware knowledge is quite special.

pskelley
2008-06-17, 02:34
I started with an infected computer about ten years ago when I went looking for help at Dell Forum. I ran into a guy who became my mentor. There are many good online opportunities to learn malware removal, but it is not easy; in fact it is hard and getting harder as the hackers get better at what they do. If you have an interest, let me know and I will provide links.

Since combofix does not update and we are finished with it:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

I would like to run one more good scan, if you don't believe it is necessary, just let me know and I will close your topic.

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks...Phil

Huygens
2008-06-17, 13:05
Thank you! This scan found two infections. I would like to know some good links!
Here is the logfile, in German :/

Malwarebytes' Anti-Malware 1.17
Database version: 863

12:03:36 2008-06-17
mbam-log-6-17-2008 (12-03-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 268749
Scan duration: 47 minute(s), 13 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 1
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 1

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

pskelley
2008-06-17, 14:18
Thanks for returning your information, if all is running as it should be, you are good to go:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Huygens
2008-06-17, 19:02
Thank you very very much!