View Full Version : Google Search Redirect
The_Sandyman
2009-12-26, 12:58
2nd try w/o attachments
Hi,
since a few days I have the same Google redirect issue as many other users. By Clicking on the Google search results, I got redirected to different sites but not the one I want to go to. After a few clicks a virus alert page starts in the browser. Additionally I experianced a pishing attack, after logging into my online banking account (the login page was bookmarked). After logging in, I was redirected to a site, asking me for 10 unused iTANs. I run an AVIRA and Spybot check without findings.
Fortunately I got a separate laptop for posting my problem and so on. I disconnected the PC from the internet. I run HJT and GMER as explained in the thread before. It seams to be hard to get rid of this malware, therefor I decided to ask a specialist here. Thanks in advance to the volunteers!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:45:12, on 25.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] C:\Programme\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] C:\Programme\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 8092 bytes
Hi The_Sandyman
Please post next gmer log :)
The_Sandyman
2009-12-30, 10:52
Here is the Log.:) I used GMER 1.0.12 from the alternate download site as recommanded in other (recent!) blogs. the direct link to GMER is to download version 1.0.15 which did not run on my infected computer.
As the file is too big for one post, I will split it into two.
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-12-30 09:50:41
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.12 ----
SSDT a347bus.sys ZwClose
SSDT F7D95AAE ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT F7D95AA4 ZwCreateThread
SSDT F7D95AB3 ZwDeleteKey
SSDT F7D95ABD ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT F7D95AC2 ZwLoadKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT F7D95A90 ZwOpenProcess
SSDT F7D95A95 ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT F7D95ACC ZwReplaceKey
SSDT F7D95AC7 ZwRestoreKey
SSDT a347bus.sys ZwSetSystemPowerState
SSDT F7D95AB8 ZwSetValueKey
SSDT F7D95A9F ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text USBPORT.SYS!DllUnload F6A9E8AC 5 Bytes JMP 8620A1C8
---- User code sections - GMER 1.0.12 ----
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 0178299A
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 0178294A
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 0178290E
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 017828F2
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] WS2_32.dll!send 71A14C27 5 Bytes JMP 0178277E
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 01782870
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] WS2_32.dll!recv 71A1676F 5 Bytes JMP 017827B6
.text C:\Programme\Avira\AntiVir Desktop\avguard.exe[480] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 017827EE
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 023928F2
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] WS2_32.dll!send 71A14C27 5 Bytes JMP 0239277E
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 02392870
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] WS2_32.dll!recv 71A1676F 5 Bytes JMP 023927B6
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 023927EE
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 0239299A
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 0239294A
.text C:\Programme\FRITZ!DSL\IGDCTRL.EXE[496] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 0239290E
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 00EC299A
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 00EC294A
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 00EC290E
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 00EC28F2
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] WS2_32.dll!send 71A14C27 5 Bytes JMP 00EC277E
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 00EC2870
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] WS2_32.dll!recv 71A1676F 5 Bytes JMP 00EC27B6
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1240] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 00EC27EE
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 0188299A
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 0188294A
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 0188290E
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 018828F2
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] WS2_32.dll!send 71A14C27 5 Bytes JMP 0188277E
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 01882870
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] WS2_32.dll!recv 71A1676F 5 Bytes JMP 018827B6
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1864] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 018827EE
.text C:\WINDOWS\explorer.exe[2416] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 0163299A
.text C:\WINDOWS\explorer.exe[2416] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 0163294A
.text C:\WINDOWS\explorer.exe[2416] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 0163290E
.text C:\WINDOWS\explorer.exe[2416] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 016328F2
.text C:\WINDOWS\explorer.exe[2416] WS2_32.dll!send 71A14C27 5 Bytes JMP 0163277E
.text C:\WINDOWS\explorer.exe[2416] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 01632870
.text C:\WINDOWS\explorer.exe[2416] WS2_32.dll!recv 71A1676F 5 Bytes JMP 016327B6
.text C:\WINDOWS\explorer.exe[2416] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 016327EE
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 00B4299A
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 00B4294A
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 00B4290E
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 00B428F2
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] WS2_32.dll!send 71A14C27 5 Bytes JMP 00B4277E
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 00B42870
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] WS2_32.dll!recv 71A1676F 5 Bytes JMP 00B427B6
.text C:\WINDOWS\SYSTEM32\alg.exe[2816] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 00B427EE
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] ADVAPI32.dll!CryptDestroyKey 77DB9EBC 7 Bytes JMP 00EB299A
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 00EB294A
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] ADVAPI32.dll!CryptEncrypt 77DBE360 7 Bytes JMP 00EB290E
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 00EB28F2
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] WS2_32.dll!send 71A14C27 5 Bytes JMP 00EB277E
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 00EB2870
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] WS2_32.dll!recv 71A1676F 5 Bytes JMP 00EB27B6
.text C:\WINDOWS\SYSTEM32\rundll32.exe[3376] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 00EB27EE
.text C:\Programme\WinRAR\WinRAR.exe[3548] ADVAPI32.DLL!CryptDestroyKey 77DB9EBC 7 Bytes JMP 020B299A
.text C:\Programme\WinRAR\WinRAR.exe[3548] ADVAPI32.DLL!CryptDecrypt 77DBA129 7 Bytes JMP 020B294A
.text C:\Programme\WinRAR\WinRAR.exe[3548] ADVAPI32.DLL!CryptEncrypt 77DBE360 7 Bytes JMP 020B290E
.text C:\Programme\WinRAR\WinRAR.exe[3548] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 020B28F2
.text C:\Programme\WinRAR\WinRAR.exe[3548] WS2_32.dll!send 71A14C27 5 Bytes JMP 020B277E
.text C:\Programme\WinRAR\WinRAR.exe[3548] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 020B2870
.text C:\Programme\WinRAR\WinRAR.exe[3548] WS2_32.dll!recv 71A1676F 5 Bytes JMP 020B27B6
.text C:\Programme\WinRAR\WinRAR.exe[3548] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 020B27EE
The_Sandyman
2009-12-30, 10:53
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8733F1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8733F1E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 856CCAF8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 861D11E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 861D11E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 861F1790
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CREATE 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CLOSE 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_POWER 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 862091E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_PNP 862091E8
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1AC3008
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CLOSE E1AC3008
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_DEVICE_CONTROL E1AC3008
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 873CB1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 86204538
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86204538
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_CREATE 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_CLOSE 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_READ 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_WRITE 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_DEVICE_CONTROL 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77908B4] sfsync02.sys
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_POWER 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_SYSTEM_CONTROL 85716790
Device \Driver\USBSTOR \Device\000000b0 IRP_MJ_PNP 85716790
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8608B630
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 86204538
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86204538
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE_NAMED_PIPE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CLOSE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_READ 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_WRITE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_FLUSH_BUFFERS 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DIRECTORY_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_FILE_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DEVICE_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856E4110
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SHUTDOWN 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_LOCK_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CLEANUP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE_MAILSLOT 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_POWER 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DEVICE_CHANGE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_PNP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE_NAMED_PIPE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CLOSE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_READ 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_WRITE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_FLUSH_BUFFERS 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DIRECTORY_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_FILE_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DEVICE_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856E4110
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SHUTDOWN 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_LOCK_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CLEANUP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE_MAILSLOT 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_POWER 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DEVICE_CHANGE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_PNP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE_NAMED_PIPE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CLOSE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_READ 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_WRITE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_FLUSH_BUFFERS 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DIRECTORY_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_FILE_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DEVICE_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856E4110
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SHUTDOWN 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_LOCK_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CLEANUP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE_MAILSLOT 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_POWER 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DEVICE_CHANGE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_PNP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE_NAMED_PIPE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CLOSE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_READ 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_WRITE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_FLUSH_BUFFERS 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DIRECTORY_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_FILE_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DEVICE_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_INTERNAL_DEVICE_CONTROL 856E4110
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SHUTDOWN 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_LOCK_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CLEANUP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE_MAILSLOT 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_POWER 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DEVICE_CHANGE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_PNP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE_NAMED_PIPE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CLOSE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_READ 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_WRITE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_EA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_FLUSH_BUFFERS 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_VOLUME_INFORMATION 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DIRECTORY_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_FILE_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DEVICE_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_INTERNAL_DEVICE_CONTROL 856E4110
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SHUTDOWN 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_LOCK_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CLEANUP 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE_MAILSLOT 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_SECURITY 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_POWER 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SYSTEM_CONTROL 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DEVICE_CHANGE 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_QUOTA 861F9A98
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_PNP 861F9A98
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_CREATE 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_CLOSE 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_READ 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_WRITE 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_DEVICE_CONTROL 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77908B4] sfsync02.sys
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_POWER 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_SYSTEM_CONTROL 85716790
Device \Driver\USBSTOR \Device\000000b1 IRP_MJ_PNP 85716790
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E199BF10
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CLOSE E199BF10
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_DEVICE_CONTROL E199BF10
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 85CEC1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 85CEC1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 85CEC1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 85CEC1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 85CEC1E8
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 854EE560
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 861F1790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8608D7F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 85876790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 85876790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CREATE 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CLOSE 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_POWER 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 861F1790
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_PNP 861F1790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8608D7F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 85876790
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 85876790
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CREATE 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CLOSE 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_DEVICE_CONTROL 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_POWER 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_SYSTEM_CONTROL 862091E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_PNP 862091E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_CREATE 85CEC1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_CLOSE 85CEC1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_INTERNAL_DEVICE_CONTROL 85CEC1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_CLEANUP 85CEC1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB6A99A2-6C1E-42F7-9D52-B176171688B3} IRP_MJ_PNP 85CEC1E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86091108
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 873CB1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 873CB1E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 85DC80C8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 873411E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 873411E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 856CCAF8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 861D11E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 861D11E8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 86080FB0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 86080FB0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 86080FB0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 86080FB0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 86080FB0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 85718C10
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 857181E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 857181E8
---- Modules - GMER 1.0.12 ----
Module ____________ F7550000
---- Files - GMER 1.0.12 ----
ADS C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:C946DB94
ADS C:\Dokumente und Einstellungen\Axel\Favoriten\Geld\Postbank direkt.url:favicon
ADS C:\Dokumente und Einstellungen\HelpAssistant.DH3WXK0J\Favoriten\Geld\Postbank direkt.url:favicon
ADS C:\Dokumente und Einstellungen\Peter.DH3WXK0J:zylomtest
ADS C:\Dokumente und Einstellungen\Peter.DH3WXK0J:zylomtr{000HQ7FF-AD7A-3FG4-MO09-24UF17SCEVT1}
ADS C:\RECYCLER\S-1-5-21-3753018816-3508293876-2501954535-500\Dc98.INF:SummaryInformation
ADS C:\RECYCLER\S-1-5-21-3753018816-3508293876-2501954535-500\Dc98.INF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
---- EOF - GMER 1.0.12 ----
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.
The_Sandyman
2009-12-30, 17:39
Hi Shaba, thanks for quick reply. Here the log
ComboFix 09-12-29.05 - Axel 30.12.2009 15:56:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1023.691 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Axel\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\dokumente und einstellungen\Axel\Anwendungsdaten\.#
C:\LOG.TXT
c:\programme\\setup.exe
c:\recycler\S-1-5-21-3753018816-3508293876-2501954535-1009
c:\windows\pi.exe
c:\windows\system32\Data
c:\windows\system32\Thumbs.db
c:\windows\unins000.dat
c:\windows\unins000.exe
.
((((((((((((((((((((((( Dateien erstellt von 2009-11-28 bis 2009-12-30 ))))))))))))))))))))))))))))))
.
2009-12-25 16:43 . 2009-12-25 16:43 -------- d-----w- c:\programme\Trend Micro
2009-12-24 13:46 . 2009-12-24 13:47 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\WINDOWS
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\UserData
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\presets
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\InstallAnywhere
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\Incomplete
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\ElsterFormular
2009-12-24 11:21 . 2009-12-24 11:21 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\Bluetooth Software
2009-12-24 07:32 . 2009-12-24 07:32 -------- d--h--r- c:\dokumente und einstellungen\HelpAssistant\Anwendungsdaten
2009-12-13 16:13 . 2009-12-24 13:58 -------- d-----w- c:\programme\Steam
2009-12-12 09:28 . 2009-12-12 09:28 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Ubisoft
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 00:24 . 2004-07-23 17:02 -------- d-----w- c:\programme\Spybot - Search & Destroy
2009-12-24 14:39 . 2008-10-11 13:40 -------- d-----w- c:\programme\7-Zip
2009-12-24 14:17 . 2005-02-22 13:27 -------- d-----w- c:\programme\EA SPORTS
2009-12-24 13:51 . 2002-12-02 11:08 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-12-21 16:51 . 2008-11-16 16:46 1629 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB3.tmp
2009-12-21 16:51 . 2008-11-16 16:46 13827 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB2.tmp
2009-12-21 16:51 . 2008-11-16 16:46 7420 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB1.tmp
2009-12-21 16:16 . 2005-01-24 15:54 -------- d-----w- c:\programme\UBISOFT
2009-12-21 16:14 . 2007-06-01 14:16 -------- d-----w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Anwendungsdaten\ICQ
2009-12-13 08:56 . 2002-12-21 12:04 63928 -c--a-w- c:\dokumente und einstellungen\Axel\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-12-12 09:27 . 2009-12-12 09:27 22328 ----a-w- c:\dokumente und einstellungen\Axel\Anwendungsdaten\PnkBstrK.sys
2009-12-12 09:27 . 2008-11-21 20:13 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-12 09:27 . 2008-11-21 20:13 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-12 09:27 . 2008-11-21 20:13 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-11 16:39 . 2009-04-18 08:31 -------- d-----w- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Move Networks
2009-12-11 15:14 . 2002-12-02 10:58 543930 ----a-w- c:\windows\system32\PERFH007.DAT
2009-12-11 15:14 . 2002-12-02 10:58 104398 ----a-w- c:\windows\system32\PERFC007.DAT
2009-12-08 13:07 . 2009-11-20 22:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 20:46 . 2009-10-02 13:47 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TrackMania
2009-12-04 20:16 . 2004-09-16 16:14 62752 ----a-w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-29 16:53 . 2009-11-29 12:10 -------- d-----w- c:\programme\Schrankplaner2
2009-11-27 13:26 . 2009-10-17 07:36 3152 ----a-w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-11-20 23:34 . 2009-11-20 23:34 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\NVIDIA Corporation
2009-11-20 23:34 . 2009-11-20 23:34 -------- d-----w- c:\programme\NVIDIA Corporation
2009-11-20 23:18 . 2009-11-20 23:18 -------- d-----w- c:\programme\Avira
2009-11-20 23:18 . 2009-11-20 23:18 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-11-20 22:01 . 2008-11-23 23:01 -------- d-----w- c:\programme\SystemRequirementsLab
2009-11-20 21:58 . 2009-11-20 21:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2009-11-16 20:31 . 2009-11-16 20:31 -------- d-----w- c:\programme\Sony
2009-11-16 20:22 . 2005-09-05 19:32 -------- d-----w- c:\programme\Google
2009-11-15 22:19 . 2006-01-14 11:02 -------- d-----w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Anwendungsdaten\LimeWire
2009-11-15 17:11 . 2006-01-23 21:09 -------- d-----w- c:\programme\TraXEx
2009-11-09 20:22 . 2005-11-24 20:50 -------- d-----w- c:\programme\PDFCreator
2009-11-08 11:33 . 2002-12-14 16:23 -------- d-----w- c:\programme\Microsoft Games
2009-10-22 15:58 . 2009-09-28 18:25 25 ----a-w- c:\windows\popcinfot.dat
2009-10-21 05:38 . 2004-09-15 19:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2004-09-15 19:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2004-09-15 19:56 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:32 . 2003-10-29 22:15 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-10-29 22:15 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38 . 2003-10-29 22:15 150528 ----a-w- c:\windows\system32\rastls.dll
2008-12-21 11:49 . 2008-12-21 11:49 1829 ---ha-r- c:\programme\MT6.DSC
2008-01-31 13:29 . 2008-01-31 13:29 1930768 ----a-w- c:\programme\MathType.exe
2008-01-31 12:43 . 2008-01-31 12:43 1099195 ----a-w- c:\programme\MT6DEU.chm
2008-01-07 13:09 . 2008-01-07 13:09 45731 ---h--w- c:\programme\Setup.inf
2007-10-30 06:45 . 2007-10-30 06:45 1133935 ----a-w- c:\programme\MT6enu.chm
2002-12-15 15:31 . 2002-12-15 15:28 1861545 -c--a-w- c:\programme\Uninst.isu
2002-09-06 18:38 . 2002-12-15 15:28 3525034 ----a-w- c:\programme\Sims.exe
1999-10-29 23:33 . 2002-12-15 15:28 835628 -c--a-w- c:\programme\gimex.dll
1999-02-09 09:46 . 2002-12-15 15:28 137728 -c--a-w- c:\programme\ijl10.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2008-07-17 22:13 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2008-07-17 22:13 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
2008-03-16 12:30 . 2008-07-17 22:13 216064 --sh--r- c:\windows\SYSTEM32\nbDX.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"SerExt"="SerExt.exe" [2002-10-22 221184]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagent"="c:\programme\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 135264]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TraXEx 3.3.lnk - c:\programme\TraXEx\TraXEx.exe [2009-11-15 3881984]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\TrackMania\\TrackMania.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"c:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"c:\\Programme\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Programme\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Programme\\Gadu-Gadu\\gg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Programme\\TmNationsForever\\TmForever.exe"=
"c:\\Programme\\Steam\\Steam.exe"=
"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3323:TCP"= 3323:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3246:TCP"= 3246:TCP:Services
"8691:TCP"= 8691:TCP:Services
"9321:TCP"= 9321:TCP:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 a347bus;a347bus;c:\windows\SYSTEM32\DRIVERS\a347bus.sys [24.05.2005 10:51 160640]
R0 a347scsi;a347scsi;c:\windows\SYSTEM32\DRIVERS\a347scsi.sys [24.05.2005 10:51 5248]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [21.11.2009 00:18 108289]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\AWISp50.sys [13.07.2007 17:30 17664]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 DectEnum;DectEnum;c:\windows\SYSTEM32\DRIVERS\DectEnum.sys [14.12.2002 18:44 9714]
R3 Gigser;Dect Serial Driver;c:\windows\SYSTEM32\DRIVERS\Gigser.sys [14.12.2002 18:44 58718]
R3 HRCMPA;ISDN Wan driver (Ver. 1.10.0021);c:\windows\SYSTEM32\DRIVERS\hrcmpa.sys [14.12.2002 18:44 253648]
R3 IUAPIWDM;ISDN USB Interface (Ver. 1.10.0021);c:\windows\SYSTEM32\DRIVERS\IUAPIWDM.sys [14.12.2002 18:44 49344]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\SYSTEM32\DRIVERS\libusb0.sys [10.01.2009 23:08 33792]
R3 siellif;siellif;c:\windows\SYSTEM32\DRIVERS\siellif.sys [14.12.2002 18:44 115856]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S1 atitray;atitray;\??\c:\programme\Ray Adams\ATI Tray Tools\atitray.sys --> c:\programme\Ray Adams\ATI Tray Tools\atitray.sys [?]
S2 MNQFRMLL;MNQFRMLL;\??\c:\windows\system32\mnqfrmll.jzv --> c:\windows\system32\mnqfrmll.jzv [?]
S3 Gigusb;Dect USB Driver;c:\windows\SYSTEM32\DRIVERS\Gigusb.sys [14.12.2002 18:44 59070]
S3 Isapfg;Isapfg;c:\windows\SYSTEM32\DRIVERS\mrxdav.sys [18.08.2001 06:00 180608]
S3 PSTRIP;PSTRIP;\??\c:\windows\system32\DRIVERS\PSTRIP.SYS --> c:\windows\system32\DRIVERS\PSTRIP.SYS [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe [16.11.2008 17:46 98488]
S3 xControlCOM;xControlCOM;c:\programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe [22.10.2002 10:42 339968]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [15.11.2007 16:29 685816]
.
Inhalt des "geplante Tasks" Ordners
2009-12-30 c:\windows\Tasks\AntiVir PersonalEdition Classic starten.job
- c:\progra~1\ANTIVI~1\avcenter.exe [2006-02-12 06:05]
2009-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - c:\programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
IE: {{8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - c:\programme\TraXEx\Integration\TraXEx Löschautomat.lnk
Handler: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - c:\programme\Haufe\HaufeReader\HRInstmon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\Axel\Anwendungsdaten\Mozilla\Firefox\Profiles\dwbdk1u4.default\
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\dokumente und einstellungen\Axel\Anwendungsdaten\Mozilla\Firefox\Profiles\dwbdk1u4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npalnn.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKLM-Run-nwiz - c:\programme\NVIDIA Corporation\nView\nwiz.exe
AddRemove-Age of Empires 2.0 - c:\programme\Microsoft Games\Age of Empires II\UNINSTAL.EXE
AddRemove-DSMT6 - c:\programme\Setup.exe
AddRemove-IMG Tool - c:\dokumente und einstellungen\Axel\Desktop\IMG Tool\Uninstall.exe
AddRemove-mIRC - c:\program files\mIRC\mirc.exe
AddRemove-Mousotron Pro_is1 - c:\dokumente und einstellungen\Peter.DH3WXK0J\Desktop\maus\unins000.exe
AddRemove-NVIDIA nView Desktop Manager - c:\programme\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe
AddRemove-TV3DDeinstKey - c:\tv3d\DeIsL1.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 16:12
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85D8CFA8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7853f28
\Driver\ACPI -> ACPI.sys @ 0xf76fdcb8
\Driver\atapi -> atapi.sys @ 0xf769d852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x85639530
PacketIndicateHandler -> NDIS.sys @ 0xf7546a21
SendHandler -> NDIS.sys @ 0xf752487b
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MNQFRMLL]
"ImagePath"="\??\c:\windows\system32\mnqfrmll.jzv"
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\FRITZ!DSL\IGDCTRL.EXE
c:\programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\libusbd-nt.exe
c:\programme\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\SerExt.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-12-30 16:29:33 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-12-30 15:29
Vor Suchlauf: 23 Verzeichnis(se), 77.358.194.688 Bytes frei
Nach Suchlauf: 24 Verzeichnis(se), 77.782.806.528 Bytes frei
WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=,1,2,3
- - End Of File - - F1A5BD6990F4BD508C7D94293661B668
Please post also a fresh HijackThis log :)
The_Sandyman
2009-12-31, 17:27
done:)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:14, on 31.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] C:\Programme\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 7857 bytes
The_Sandyman
2010-01-01, 18:35
Hi,
Internet Explorer was originally installed and used on the PC- Since 3 years I do use only Firefox. Possible that there are still IE rests on the PC. Since the two HJT logs I did no de-istallation of any software.
Yes didn't mean that.
Let's check this:
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
The_Sandyman
2010-01-02, 23:05
Hi, here the result:
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.4 - Deutsch
Adobe Shockwave Player
Ahead Nero - Burning Rom
Avira AntiVir Personal - Free Antivirus
AVM FRITZ!DSL
CDBurnerXP
Chinese Traditional Fonts Support For Adobe Reader 8
CloneCD
Compatibility Pack für 2007 Office System
Dell Solution Center
Digital Camera Driver
DivX Player
DivX Web Player
DVDSentry
EA SPORTS online 2006
Far Cry 2
FIFA 09
Free Audio CD Burner version 1.2
Free Mp3 Wma Converter V 1.8.0
Free YouTube to MP3 Converter version 3.2
FRITZ!Box
GeoGebra
HaufeReader
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix für Windows Media Player 11 (KB939683)
Hotfix für Windows XP (KB952287)
Hotfix für Windows XP (KB961118)
Hotfix für Windows XP (KB970653-v3)
Hotfix für Windows XP (KB976098-v2)
hp deskjet 930c series (nur entfernen)
Icy Tower v1.3.1
Intel Application Accelerator
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
IPIX ActiveX Viewer
IPIX Netscape Plugin Viewer
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Lame ACM MP3 Codec
LibUSB-Win32-0.1.10.1
Little Fighter 2 v1.9
LucasArts Star Wars: Episode I Racer
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Motocross Madness
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
PDFCreator 0.8.0
Personal License Update Wizard for Windows Media Player
Pixum EasyBook
PL-2303 USB-to-Serial
Plus! MP3 Audio Converter LE
PowerDVD
PunkBuster Services
QuickTime
Rockstar Games Social Club
RollerCoaster Tycoon 2
SAMSUNG Mobile USB Modem 1.0 Software
Samsung Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
SamsungMediaStudio
Schrankplaner
Shockwave
Sicherheitsupdate für Step by Step Interactive Training (KB923723)
Sicherheitsupdate für Windows Media Player (KB952069)
Sicherheitsupdate für Windows Media Player (KB954155)
Sicherheitsupdate für Windows Media Player (KB968816)
Sicherheitsupdate für Windows Media Player (KB973540)
Sicherheitsupdate für Windows Media Player 10 (KB911565)
Sicherheitsupdate für Windows Media Player 10 (KB917734)
Sicherheitsupdate für Windows Media Player 11 (KB936782)
Sicherheitsupdate für Windows Media Player 11 (KB954154)
Sicherheitsupdate für Windows XP (KB923561)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB941569)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950760)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952004)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB953839)
Sicherheitsupdate für Windows XP (KB954211)
Sicherheitsupdate für Windows XP (KB954459)
Sicherheitsupdate für Windows XP (KB954600)
Sicherheitsupdate für Windows XP (KB955069)
Sicherheitsupdate für Windows XP (KB956391)
Sicherheitsupdate für Windows XP (KB956572)
Sicherheitsupdate für Windows XP (KB956744)
Sicherheitsupdate für Windows XP (KB956802)
Sicherheitsupdate für Windows XP (KB956803)
Sicherheitsupdate für Windows XP (KB956841)
Sicherheitsupdate für Windows XP (KB956844)
Sicherheitsupdate für Windows XP (KB957095)
Sicherheitsupdate für Windows XP (KB957097)
Sicherheitsupdate für Windows XP (KB958644)
Sicherheitsupdate für Windows XP (KB958687)
Sicherheitsupdate für Windows XP (KB958690)
Sicherheitsupdate für Windows XP (KB958869)
Sicherheitsupdate für Windows XP (KB959426)
Sicherheitsupdate für Windows XP (KB960225)
Sicherheitsupdate für Windows XP (KB960715)
Sicherheitsupdate für Windows XP (KB960803)
Sicherheitsupdate für Windows XP (KB960859)
Sicherheitsupdate für Windows XP (KB961371)
Sicherheitsupdate für Windows XP (KB961373)
Sicherheitsupdate für Windows XP (KB961501)
Sicherheitsupdate für Windows XP (KB968537)
Sicherheitsupdate für Windows XP (KB969059)
Sicherheitsupdate für Windows XP (KB969898)
Sicherheitsupdate für Windows XP (KB969947)
Sicherheitsupdate für Windows XP (KB970238)
Sicherheitsupdate für Windows XP (KB970430)
Sicherheitsupdate für Windows XP (KB971486)
Sicherheitsupdate für Windows XP (KB971557)
Sicherheitsupdate für Windows XP (KB971633)
Sicherheitsupdate für Windows XP (KB971657)
Sicherheitsupdate für Windows XP (KB971961)
Sicherheitsupdate für Windows XP (KB973346)
Sicherheitsupdate für Windows XP (KB973354)
Sicherheitsupdate für Windows XP (KB973507)
Sicherheitsupdate für Windows XP (KB973525)
Sicherheitsupdate für Windows XP (KB973869)
Sicherheitsupdate für Windows XP (KB973904)
Sicherheitsupdate für Windows XP (KB974112)
Sicherheitsupdate für Windows XP (KB974318)
Sicherheitsupdate für Windows XP (KB974392)
Sicherheitsupdate für Windows XP (KB974571)
Sicherheitsupdate für Windows XP (KB975025)
Sicherheitsupdate für Windows XP (KB975467)
SiSoftware Sandra Lite 2009.SP1
SL-6555-SBK
Snoopy 1.0
Sound Blaster Live!
Spybot - Search & Destroy
sspro
Steam
Stunt GP (c) Team 17
SUPER © Version 2008.bld.32 (July 8, 2008)
SuperTux 0.1.0
Suzuki Alstare Extreme Racing
System Requirements Lab
TmNationsForever
Tony Hawk's Pro Skater 2
TrackMania
TrackMania Nations ESWC 1.7.9
TraXEx 3.3
T-Sinus 721 PC
T-Sinus data 1
Turbo Lister 2
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update für Windows XP (KB951072-v2)
Update für Windows XP (KB951978)
Update für Windows XP (KB955839)
Update für Windows XP (KB967715)
Update für Windows XP (KB968389)
Update für Windows XP (KB971737)
Update für Windows XP (KB973687)
Update für Windows XP (KB973815)
USB MEMORY BAR
VC80CRTRedist - 8.0.50727.762
Wichtiges Update für Windows Media Player 11 (KB959772)
WIDCOMM Bluetooth Software
Windows Genuine Advantage v1.3.0254.0
Windows Live installer
Windows Media Bonus Pack for Windows XP
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Service Pack 3
WinRAR Archivierer
Do you know which version of IE you had installed?
The_Sandyman
2010-01-03, 16:00
Ie 6.0.2900.2180
Thanks for information.
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\mnqfrmll.jzv
Driver::
MNQFRMLL
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
The_Sandyman
2010-01-04, 21:03
:thanks:
Hi, Combofix run w/o blue screens including 2 reboots. Here the log.
ComboFix 10-01-03.05 - Axel 04.01.2010 18:44:27.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1023.675 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Axel\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Axel\Desktop\CFSCRIPT.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}
FILE ::
"c:\windows\system32\mnqfrmll.jzv"
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MNQFRMLL
-------\Service_MNQFRMLL
((((((((((((((((((((((( Dateien erstellt von 2009-12-04 bis 2010-01-04 ))))))))))))))))))))))))))))))
.
2009-12-25 16:43 . 2009-12-25 16:43 -------- d-----w- c:\programme\Trend Micro
2009-12-24 13:46 . 2009-12-24 13:47 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\WINDOWS
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\UserData
2009-12-24 11:33 . 2009-12-24 11:33 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\presets
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\InstallAnywhere
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\Incomplete
2009-12-24 11:26 . 2009-12-24 11:26 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\ElsterFormular
2009-12-24 11:21 . 2009-12-24 11:21 -------- d-----w- c:\dokumente und einstellungen\HelpAssistant.DH3WXK0J\Bluetooth Software
2009-12-24 07:32 . 2009-12-24 07:32 -------- d--h--r- c:\dokumente und einstellungen\HelpAssistant\Anwendungsdaten
2009-12-13 16:13 . 2009-12-24 13:58 -------- d-----w- c:\programme\Steam
2009-12-12 09:28 . 2009-12-12 09:28 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Ubisoft
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 00:24 . 2004-07-23 17:02 -------- d-----w- c:\programme\Spybot - Search & Destroy
2009-12-24 14:39 . 2008-10-11 13:40 -------- d-----w- c:\programme\7-Zip
2009-12-24 14:17 . 2005-02-22 13:27 -------- d-----w- c:\programme\EA SPORTS
2009-12-24 13:51 . 2002-12-02 11:08 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-12-21 16:51 . 2008-11-16 16:46 1629 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB3.tmp
2009-12-21 16:51 . 2008-11-16 16:46 13827 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB2.tmp
2009-12-21 16:51 . 2008-11-16 16:46 7420 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xmlB1.tmp
2009-12-21 16:16 . 2005-01-24 15:54 -------- d-----w- c:\programme\UBISOFT
2009-12-21 16:14 . 2007-06-01 14:16 -------- d-----w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Anwendungsdaten\ICQ
2009-12-13 08:56 . 2002-12-21 12:04 63928 -c--a-w- c:\dokumente und einstellungen\Axel\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-12-12 10:58 . 2009-09-20 05:39 1404104 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\hps\1291\setup_Pixum_EasyBook.exe
2009-12-12 09:27 . 2009-12-12 09:27 22328 ----a-w- c:\dokumente und einstellungen\Axel\Anwendungsdaten\PnkBstrK.sys
2009-12-12 09:27 . 2009-12-12 09:27 22328 ----a-w- c:\dokumente und einstellungen\Axel\Anwendungsdaten\PnkBstrK.sys
2009-12-12 09:27 . 2008-11-21 20:13 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-12 09:27 . 2008-11-21 20:13 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-12 09:27 . 2008-11-21 20:13 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-11 16:39 . 2009-04-18 08:31 -------- d-----w- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Move Networks
2009-12-11 15:14 . 2002-12-02 10:58 543930 ----a-w- c:\windows\system32\PERFH007.DAT
2009-12-11 15:14 . 2002-12-02 10:58 104398 ----a-w- c:\windows\system32\PERFC007.DAT
2009-12-08 13:07 . 2009-11-20 22:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 20:46 . 2009-10-02 13:47 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TrackMania
2009-12-04 20:16 . 2004-09-16 16:14 62752 ----a-w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-29 16:53 . 2009-11-29 12:10 -------- d-----w- c:\programme\Schrankplaner2
2009-11-29 12:10 . 2009-11-29 12:10 45056 ----a-r- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Microsoft\Installer\{C92CE7AF-B104-4710-8F5C-9F833976D308}\NewShortcut3_C85DFDB9BD37415C9C1DE050884FE875.exe
2009-11-29 12:10 . 2009-11-29 12:10 40960 ----a-r- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Microsoft\Installer\{C92CE7AF-B104-4710-8F5C-9F833976D308}\NewShortcut7_C85DFDB9BD37415C9C1DE050884FE875.exe
2009-11-29 12:10 . 2009-11-29 12:10 40960 ----a-r- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Microsoft\Installer\{C92CE7AF-B104-4710-8F5C-9F833976D308}\NewShortcut2_A3476DFA68EC47F8A9CCB05CE757B672.exe
2009-11-29 12:10 . 2009-11-29 12:10 40960 ----a-r- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Microsoft\Installer\{C92CE7AF-B104-4710-8F5C-9F833976D308}\NewShortcut1_A3476DFA68EC47F8A9CCB05CE757B672.exe
2009-11-29 12:10 . 2009-11-29 12:10 40960 ----a-r- c:\dokumente und einstellungen\Axel\Anwendungsdaten\Microsoft\Installer\{C92CE7AF-B104-4710-8F5C-9F833976D308}\ARPPRODUCTICON.exe
2009-11-27 13:26 . 2009-10-17 07:36 3152 ----a-w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-11-20 23:34 . 2009-11-20 23:34 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\NVIDIA Corporation
2009-11-20 23:34 . 2009-11-20 23:34 -------- d-----w- c:\programme\NVIDIA Corporation
2009-11-20 23:18 . 2009-11-20 23:18 -------- d-----w- c:\programme\Avira
2009-11-20 23:18 . 2009-11-20 23:18 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-11-20 22:01 . 2008-11-23 23:01 -------- d-----w- c:\programme\SystemRequirementsLab
2009-11-20 21:58 . 2009-11-20 21:58 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2009-11-16 20:31 . 2009-11-16 20:31 -------- d-----w- c:\programme\Sony
2009-11-16 20:22 . 2005-09-05 19:32 -------- d-----w- c:\programme\Google
2009-11-15 22:19 . 2006-01-14 11:02 -------- d-----w- c:\dokumente und einstellungen\Peter.DH3WXK0J\Anwendungsdaten\LimeWire
2009-11-15 17:11 . 2006-01-23 21:09 -------- d-----w- c:\programme\TraXEx
2009-11-09 20:22 . 2005-11-24 20:50 -------- d-----w- c:\programme\PDFCreator
2009-11-08 11:33 . 2002-12-14 16:23 -------- d-----w- c:\programme\Microsoft Games
2009-10-22 15:58 . 2009-09-28 18:25 25 ----a-w- c:\windows\popcinfot.dat
2009-10-21 05:38 . 2004-09-15 19:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2004-09-15 19:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2004-09-15 19:56 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:32 . 2003-10-29 22:15 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-10-29 22:15 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38 . 2003-10-29 22:15 150528 ----a-w- c:\windows\system32\rastls.dll
2008-12-21 11:49 . 2008-12-21 11:49 1829 ---ha-r- c:\programme\MT6.DSC
2008-01-31 13:29 . 2008-01-31 13:29 1930768 ----a-w- c:\programme\MathType.exe
2008-01-31 12:43 . 2008-01-31 12:43 1099195 ----a-w- c:\programme\MT6DEU.chm
2008-01-07 13:09 . 2008-01-07 13:09 45731 ---h--w- c:\programme\Setup.inf
2007-10-30 06:45 . 2007-10-30 06:45 1133935 ----a-w- c:\programme\MT6enu.chm
2002-12-15 15:31 . 2002-12-15 15:28 1861545 -c--a-w- c:\programme\Uninst.isu
2002-09-06 18:38 . 2002-12-15 15:28 3525034 ----a-w- c:\programme\Sims.exe
1999-10-29 23:33 . 2002-12-15 15:28 835628 -c--a-w- c:\programme\gimex.dll
1999-02-09 09:46 . 2002-12-15 15:28 137728 -c--a-w- c:\programme\ijl10.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2008-07-17 22:13 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2008-07-17 22:13 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
2008-03-16 12:30 . 2008-07-17 22:13 216064 --sh--r- c:\windows\SYSTEM32\nbDX.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"SerExt"="SerExt.exe" [2002-10-22 221184]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagent"="c:\programme\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 135264]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TraXEx 3.3.lnk - c:\programme\TraXEx\TraXEx.exe [2009-11-15 3881984]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\TrackMania\\TrackMania.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"c:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"c:\\Programme\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Programme\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Programme\\Gadu-Gadu\\gg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Programme\\TmNationsForever\\TmForever.exe"=
"c:\\Programme\\Steam\\Steam.exe"=
"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3323:TCP"= 3323:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3246:TCP"= 3246:TCP:Services
"8691:TCP"= 8691:TCP:Services
"9321:TCP"= 9321:TCP:Services
"9303:TCP"= 9303:TCP:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 a347bus;a347bus;c:\windows\SYSTEM32\DRIVERS\a347bus.sys [24.05.2005 10:51 160640]
R0 a347scsi;a347scsi;c:\windows\SYSTEM32\DRIVERS\a347scsi.sys [24.05.2005 10:51 5248]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [21.11.2009 00:18 108289]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\AWISp50.sys [13.07.2007 17:30 17664]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 DectEnum;DectEnum;c:\windows\SYSTEM32\DRIVERS\DectEnum.sys [14.12.2002 18:44 9714]
R3 HRCMPA;ISDN Wan driver (Ver. 1.10.0021);c:\windows\SYSTEM32\DRIVERS\hrcmpa.sys [14.12.2002 18:44 253648]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\SYSTEM32\DRIVERS\libusb0.sys [10.01.2009 23:08 33792]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S1 atitray;atitray;\??\c:\programme\Ray Adams\ATI Tray Tools\atitray.sys --> c:\programme\Ray Adams\ATI Tray Tools\atitray.sys [?]
S3 Gigser;Dect Serial Driver;c:\windows\SYSTEM32\DRIVERS\Gigser.sys [14.12.2002 18:44 58718]
S3 Gigusb;Dect USB Driver;c:\windows\SYSTEM32\DRIVERS\Gigusb.sys [14.12.2002 18:44 59070]
S3 Isapfg;Isapfg;c:\windows\SYSTEM32\DRIVERS\mrxdav.sys [18.08.2001 06:00 180608]
S3 IUAPIWDM;ISDN USB Interface (Ver. 1.10.0021);c:\windows\SYSTEM32\DRIVERS\IUAPIWDM.sys [14.12.2002 18:44 49344]
S3 PSTRIP;PSTRIP;\??\c:\windows\system32\DRIVERS\PSTRIP.SYS --> c:\windows\system32\DRIVERS\PSTRIP.SYS [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe [16.11.2008 17:46 98488]
S3 siellif;siellif;c:\windows\SYSTEM32\DRIVERS\siellif.sys [14.12.2002 18:44 115856]
S3 xControlCOM;xControlCOM;c:\programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe [22.10.2002 10:42 339968]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [15.11.2007 16:29 685816]
.
Inhalt des "geplante Tasks" Ordners
2010-01-04 c:\windows\Tasks\AntiVir PersonalEdition Classic starten.job
- c:\progra~1\ANTIVI~1\avcenter.exe [2006-02-12 06:05]
2009-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - c:\programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
IE: {{8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - c:\programme\TraXEx\Integration\TraXEx Löschautomat.lnk
Handler: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - c:\programme\Haufe\HaufeReader\HRInstmon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\Axel\Anwendungsdaten\Mozilla\Firefox\Profiles\dwbdk1u4.default\
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\dokumente und einstellungen\Axel\Anwendungsdaten\Mozilla\Firefox\Profiles\dwbdk1u4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npalnn.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-04 19:04
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x856C22E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7861f28
\Driver\ACPI -> ACPI.sys @ 0xf770bcb8
\Driver\atapi -> atapi.sys @ 0xf76ab852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x8583c530
PacketIndicateHandler -> NDIS.sys @ 0xf7554a21
SendHandler -> NDIS.sys @ 0xf753287b
user & kernel MBR OK
**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\FRITZ!DSL\IGDCTRL.EXE
c:\programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\libusbd-nt.exe
c:\programme\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\SerExt.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-01-04 19:20:37 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-01-04 18:20
ComboFix2.txt 2009-12-30 15:29
Vor Suchlauf: 23 Verzeichnis(se), 77.539.516.416 Bytes frei
Nach Suchlauf: 24 Verzeichnis(se), 77.486.186.496 Bytes frei
Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=,1,2,3
- - End Of File - - A8C9B68E9267894317964F1CF2EF80F0
The_Sandyman
2010-01-04, 21:27
...and here the HJT log after combofix run.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:53:13, on 04.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\TraXEx\TraXEx.exe
C:\WINDOWS\explorer.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] C:\Programme\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 7772 bytes
I did some google searches and it seems to be okay. however my second test with the online banking brought me to exactly the same pishing page where I am asked to enter 10 iTANs as before we started with all the malware scans:sad:
I add a PDF to illustrate the phenomen
The_Sandyman
2010-01-04, 21:30
here the pdf
Download to the desktop: Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe)
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
The_Sandyman
2010-01-05, 20:11
Hi Shaba,
I run Dr Web, the PC was rebooted and nothing happened. I started in Secure Mode and Dr Web opened. During the first Scan a file was detected called Supersetup32.exe. I removed it, however this is not in the logfile of Dr Web:
Av-test.txt C:\Dokumente und Einstellungen\HelpAssistant.DH3WXK0J\Lokale Einstellungen\Temp EICAR Test File (NOT a Virus!)
nc.exe C:\Dokumente und Einstellungen\Peter.DH3WXK0J\Desktop\Other\CryptLoad_1.0.3\router\FRITZ!Box Tool.Netcat Verschoben.
"Verschoben" means moved.
After Reboot, this is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:54, on 05.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagent] C:\Programme\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 7857 bytes
I did my online banking test and the pishing side did not apear. What to do next? Observe and report that everything is save now? Thanks for support during xMas days. Donnation to Spybot will follow!:thanks:
Good :)
Let's run then one scan:
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
The_Sandyman
2010-01-05, 23:14
Hi Shaba, Kaspesrky Online Scanner is since a few days offline, the following message shows the website:
"Coming soon:
A new, improved version of the
Kaspersky Online Scanner
The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe."
Whatever coming soon means?!
The_Sandyman
2010-01-05, 23:23
...and I did a cjeck for files which are twice on C drive. We are a family and do have several User accounts on our PC. Additionally I detected HelpAssistant and in the foulder are lots of double entries from other users saved in Documents and Settings. No idea where the foulder comes from C:\Documents and Settings\HelpAssistant.DH3WXK0J ? When I googled I found lots of enties from Malware forums. I am a bit worried now. Any idea?
Please see here (http://support.microsoft.com/kb/323647)
Online scanner should be now available, please try again :)
The_Sandyman
2010-01-07, 12:02
First I run another DrWeb Scan
ComboFix.exe\32788R22FWJFW\List-C.bat C:\Dokumente und Einstellungen\Axel\Desktop\ComboFix.exe Wahrscheinlich BATCH.Virus
ComboFix.exe C:\Dokumente und Einstellungen\Axel\Desktop Archiv enthält infizierte Objekte
A0605474.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1374 Wahrscheinlich BATCH.Virus
A0609012.exe\32788R22FWJFW\List-C.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1376\A0609012.exe Wahrscheinlich BATCH.Virus
A0609012.exe C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1376 Archiv enthält infizierte Objekte
A0609048.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1376 Wahrscheinlich BATCH.Virus
A0609861.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1376 Wahrscheinlich BATCH.Virus
A0616435.exe C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1377 Tool.Netcat
A0618597.exe\32788R22FWJFW\List-C.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384\A0618597.exe Wahrscheinlich BATCH.Virus
A0618597.exe C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384 Archiv enthält infizierte Objekte
A0618633.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384 Wahrscheinlich BATCH.Virus
A0618801.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384 Wahrscheinlich BATCH.Virus
A0618930.exe\32788R22FWJFW\List-C.bat C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384\A0618930.exe Wahrscheinlich BATCH.Virus
A0618930.exe C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1384 Archiv enthält infizierte Objekte
ComboFix.exe\32788R22FWJFW\List-C.bat F:\Malware\ComboFix.exe Wahrscheinlich BATCH.Virus
ComboFix.exe F:\Malware Archiv enthält infizierte Objekte
I deleted the quarantine foulders from Combofix and DrWeb followed by a reboot and a Kaspersky Online Scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, January 7, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, January 06, 2010 22:00:21
Records in database: 3330522
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 116477
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:24:05
File name / Threat / Threats count
C:\System Volume Information\_restore{27F3F182-4FE7-45F7-85CB-63BE7C2ED734}\RP1386\A0619151.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.a 1
Selected area has been scanned.
Reboot and HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:20:34, on 07.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 7764 bytes
Looks good :)
Still some issues?
The_Sandyman
2010-01-11, 10:50
No, works well :thanks:
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
The_Sandyman
2010-01-16, 15:44
Hi Shaba,
ok I insalled PC Tools FW. Thanks for Supporting me. I added a new HJT Log::bigthumb:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:19, on 16.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ANTIVI~1\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\Programme\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SerExt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SerExt] SerExt.exe /plug
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [00PCTFW] "C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 3.3.lnk = C:\Programme\TraXEx\TraXEx.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE-Spuren löschen - {6C7C0C9A-B51D-4ADB-A74D-C4E33744F866} - C:\Programme\TraXEx\Integration\TraXEx Internet Explorer.lnk
O9 - Extra button: Löschautomat - {8DA7743F-9274-4BE8-899E-C0FF6ED61B00} - C:\Programme\TraXEx\Integration\TraXEx Löschautomat.lnk
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095545767187
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Programme\PC Tools Firewall Plus\FWService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Programme\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe (file missing)
O23 - Service: xControlCOM - Siemens - C:\Programme\T-Sinus 721\T-Sinus 721 PC\xControlCOM.exe
--
End of file - 8111 bytes
Looks good :)
Still something?
The_Sandyman
2010-01-17, 13:33
No, we can close the file! Thanks again
Good :)
I hope that you stay clean also in the future.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.