got a problem with, at least Smitftaud-C

multicanarias · Jun 1, 2008

Hi hello... got a problem with, at least Smitftaud-C i can not resolve...
Please help me with that...

..also when I send a e-mail with an attachment, me and the reciever got a problem. (when I double-click the file to be attached.. it leeds me directly to a other webside, opening a new tab.)
(When the reciever tries to open it, happens the same plus, he can not login again to his e-mail providers side)

I can not open my Admin User-account on Windows-XP...
I tried Smitfraud-Fix in save mode aswell as Spybot....
AVG-free find some virus, but....

a) HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:23:52, on 01.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows NT\Zubehör\wordpad.exe
C:\Programme\Orbitdownloader\orbitdm.exe
C:\Programme\Orbitdownloader\orbitnet.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {1C218BC1-B339-40DF-8346-792D2DBAFFB5} - C:\WINDOWS\system32\byXNeDWN.dll (file missing)
O2 - BHO: (no name) - {1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE} - C:\WINDOWS\system32\jkkKcDWq.dll (file missing)
O2 - BHO: (no name) - {281D456D-8F03-4602-81A0-995A6CDAE209} - C:\WINDOWS\System32\xxyxWPhG.dll (file missing)
O2 - BHO: (no name) - {422C522E-FFF1-4614-8F99-A97C6CF39567} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A06BB9E-1F80-44C7-ABC9-46CDD051915C} - C:\WINDOWS\system32\xxyyaXpP.dll (file missing)
O2 - BHO: {ffece1cb-7e1e-299a-91f4-73cd952221c5} - {5c122259-dc37-4f19-a992-e1e7bc1eceff} - C:\WINDOWS\system32\laqeracl.dll (file missing)
O2 - BHO: (no name) - {642B7F53-35C0-4541-BD14-120566C31275} - C:\WINDOWS\System32\awttsSJD.dll (file missing)
O2 - BHO: (no name) - {CB968FCD-C8FB-480B-9DD0-17249FA2597D} - C:\WINDOWS\system32\mlJDwXqQ.dll (file missing)
O2 - BHO: (no name) - {D1F603AC-BF0D-44D2-A41C-2F43ACE4B924} - (no file)
O2 - BHO: (no name) - {E80F4529-6AB7-469E-BB27-4335F045A53F} - C:\WINDOWS\System32\fccccYss.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [5033a726] rundll32.exe "C:\WINDOWS\system32\imwkneld.dll",b
O4 - HKLM\..\Run: [BM530094ba] Rundll32.exe "C:\WINDOWS\system32\antueatc.dll",s
O4 - HKLM\..\Run: [autoload] C:\Dokumente und Einstellungen\Internet\cftmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\Dokumente und Einstellungen\Internet\cftmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62DB494-23E4-414A-AF27-DBDCF4D4697D}: NameServer = 212.73.32.3 212.73.32.67
O20 - Winlogon Notify: byXNeDWN - byXNeDWN.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Taskplaner (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 6402 bytes

b)Kaspersky log report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 1:51:47 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 819344
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 87887
Number of viruses found: 13
Number of infected objects: 87
Number of suspicious objects: 54
Duration of the scan process: 01:24:19

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp12.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp12.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp15.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp15.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp18.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp18.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp20.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp20.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp23.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp23.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp25.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp25.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp27.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp27.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp29.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp29.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp34.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp34.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp37.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp37.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp39.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp39.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp43.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp43.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp48.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp48.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp5.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp5.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp50.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp50.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp53.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp53.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp55.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp55.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp58.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp58.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp60.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp60.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp66.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp66.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp69.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp69.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp72.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp72.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp74.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp74.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp79.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp79.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp81.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp81.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp9.zip/cftmon.exe Suspicious: Password-protected-EXE skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\SmitfraudCgp9.zip ZIP: suspicious - 1 skipped
C:\Dokumente und Einstellungen\henning\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\file.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\Dokumente und Einstellungen\Internet\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\merzqo9f.default\Cache\63329BDCd01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\merzqo9f.default\Cache\63329BDCd01 RAR: infected - 1 skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\3CEB.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\4B43.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\5B9E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temp\JETBF0A.tmp Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\cssupdate[2].exe Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\manda[4].htm Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\manda[5].htm Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZVENV2MX\terrazag11[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Internet\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Internet\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab CAB: infected - 3 skipped
C:\setup.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\setup.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\setup.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\setup.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\setup.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\setup.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\setup.exe Inno: infected - 12 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0104428.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0105358.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ag.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\al.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ay.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bo.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\cc.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\ed.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ee.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\em.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\en.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ev.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ew.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ex.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ftp34.dll Object is locked skipped
C:\WINDOWS\system32\ga.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\gestlyvo.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\gq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hd.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hn.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ii.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\kv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ld.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\lg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\lh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mdlaiuwg.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\mu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ni.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nk.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\pp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\py.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\qf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rr.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tm.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ua.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\va.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\vv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ya.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\yw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Blade81 · Jun 1, 2008

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

multicanarias · Jun 1, 2008

Thank you very much for your promt answer.

Hi, hello.... Blade81

Thank you very much for your promt answer. I really appriciate your effort.

You noticed "I don't help with logs thru PM. If you have problems create a thread in the forum, please."
Sorry I am new here and not so deep into... ok.. just a stupid User me ;-)
I dont understand thru PM.

Please be paciant wis me...

Also opening my windows account I get 2 screens with RUDLL ERROR.
C:\WINDOWS\system32\imwkneld.dll
and
C:\WINDOWS\system32\antueatc.dll

Here the both logs you requiered:

a)

ComboFix 08-05-29.1 - Internet 2008-06-01 16:58:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.252 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Datenschutzrichtlinien.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Deinstallieren.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Geschäftsbedingungen.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\WebMediaPlayer.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Website.url
C:\Programme\webmediaplayer
C:\Programme\webmediaplayer\resources\languages_v2.xml
C:\Programme\webmediaplayer\resources\webmedias
C:\Programme\webmediaplayer\skins\classic.skn
C:\Programme\webmediaplayer\sqlite3.dll
C:\Programme\webmediaplayer\uninst.exe
C:\Programme\webmediaplayer\WebMediaPlayer.exe
C:\setup.exe
C:\WINDOWS\BM530094ba.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\shwol.dll
C:\WINDOWS\system32\bdfyvwmc.ini
C:\WINDOWS\system32\bvaudwym.ini
C:\WINDOWS\system32\DJSsttwa.ini
C:\WINDOWS\system32\DJSsttwa.ini2
C:\WINDOWS\system32\dlenkwmi.ini
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\fgogshfw.ini
C:\WINDOWS\system32\gestlyvo.dll
C:\WINDOWS\system32\GhPWxyxx.ini
C:\WINDOWS\system32\GhPWxyxx.ini2
C:\WINDOWS\system32\gwuialdm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdlaiuwg.dll
C:\WINDOWS\system32\MoppsBeg.ini
C:\WINDOWS\system32\MoppsBeg.ini2
C:\WINDOWS\system32\ovyltseg.ini
C:\WINDOWS\system32\PpXayyxx.ini
C:\WINDOWS\system32\PpXayyxx.ini2
C:\WINDOWS\system32\QqXwDJlm.ini
C:\WINDOWS\system32\QqXwDJlm.ini2
C:\WINDOWS\system32\qvwliegx.ini
C:\WINDOWS\system32\qWDcKkkj.ini
C:\WINDOWS\system32\qWDcKkkj.ini2
C:\WINDOWS\system32\rfqdfbkk.ini
C:\WINDOWS\system32\ssYccccf.ini
C:\WINDOWS\system32\ssYccccf.ini2
C:\WINDOWS\system32\wschsncm.ini
C:\WINDOWS\system32\ybKUBJlm.ini
C:\WINDOWS\system32\ybKUBJlm.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Service_Schedule

((((((((((((((((((((((( Dateien erstellt von 2008-05-01 bis 2008-06-01 ))))))))))))))))))))))))))))))
.

2008-06-01 03:01 . 2008-05-08 02:06 25,088 --a------ C:\Dokumente und Einstellungen\Internet\cftmon.exe
2008-06-01 03:01 . 2008-05-08 02:06 25,088 --a------ C:\Dokumente und Einstellungen\henning\cftmon.exe
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:15 . 2008-06-01 03:13 5,120 --a------ C:\Dokumente und Einstellungen\henning\ftp34.dll
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:49 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:49 5,120 --a------ C:\Dokumente und Einstellungen\Internet\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\MessengerPlus! 3
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\Adverts
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 17:07 . 2008-05-08 17:07 0 --a------ C:\WINDOWS\system32\gu.exe
2008-05-08 16:40 . 2008-05-08 16:40 55,296 --a------ C:\WINDOWS\system32\va.exe
2008-05-08 16:35 . 2008-05-08 16:35 55,296 --a------ C:\WINDOWS\system32\sf.exe
2008-05-08 16:01 . 2008-05-08 16:01 55,296 --a------ C:\WINDOWS\system32\uu.exe
2008-05-08 15:50 . 2008-05-08 15:50 55,296 --a------ C:\WINDOWS\system32\ii.exe
2008-05-08 15:30 . 2008-05-08 15:31 55,296 --a------ C:\WINDOWS\system32\ew.exe
2008-05-08 15:18 . 2008-05-08 15:18 55,296 --a------ C:\WINDOWS\system32\zv.exe
2008-05-08 05:00 . 2008-05-08 05:00 55,296 --a------ C:\WINDOWS\system32\vv.exe
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-06 21:25 . 2008-05-06 21:25 55,296 --a------ C:\WINDOWS\system32\al.exe
2008-05-06 21:17 . 2008-05-10 01:08 25,088 --a------ C:\Dokumente und Einstellungen\Internet\file.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-05 02:11 . 2008-05-05 02:11 0 --a------ C:\WINDOWS\system32\pg.exe
2008-05-05 01:32 . 2008-05-05 01:32 55,296 --a------ C:\WINDOWS\system32\hn.exe
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02
2008-05-04 14:49 . 2008-05-04 14:50 55,296 --a------ C:\WINDOWS\system32\ed.exe
2008-05-04 14:16 . 2008-05-04 14:16 55,296 --a------ C:\WINDOWS\system32\cc.exe
2008-05-04 14:10 . 2008-05-04 14:10 55,296 --a------ C:\WINDOWS\system32\ee.exe
2008-05-03 17:30 . 2008-05-03 17:30 55,296 --a------ C:\WINDOWS\system32\gq.exe
2008-05-03 15:49 . 2008-05-03 15:49 55,296 --a------ C:\WINDOWS\system32\nb.exe
2008-05-03 13:17 . 2008-05-03 14:56 0 --a------ C:\WINDOWS\system32\li.exe
2008-05-03 00:53 . 2008-05-08 17:00 55,296 --a------ C:\WINDOWS\system32\rq.exe
2008-05-01 23:27 . 2008-05-01 23:27 55,296 --a------ C:\WINDOWS\system32\lh.exe
2008-05-01 22:55 . 2008-05-01 22:55 55,296 --a------ C:\WINDOWS\system32\jf.exe
2008-05-01 22:34 . 2008-05-01 22:34 55,296 --a------ C:\WINDOWS\system32\sl.exe
2008-05-01 21:37 . 2008-05-01 21:37 55,296 --a------ C:\WINDOWS\system32\lg.exe
2008-05-01 21:06 . 2008-05-01 21:06 55,296 --a------ C:\WINDOWS\system32\bo.exe
2008-05-01 17:28 . 2008-05-01 17:28 0 --a------ C:\WINDOWS\system32\rg.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE}]
C:\WINDOWS\system32\jkkKcDWq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{281D456D-8F03-4602-81A0-995A6CDAE209}]
C:\WINDOWS\System32\xxyxWPhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A06BB9E-1F80-44C7-ABC9-46CDD051915C}]
C:\WINDOWS\system32\xxyyaXpP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c122259-dc37-4f19-a992-e1e7bc1eceff}]
C:\WINDOWS\system32\laqeracl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{642B7F53-35C0-4541-BD14-120566C31275}]
C:\WINDOWS\System32\awttsSJD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB968FCD-C8FB-480B-9DD0-17249FA2597D}]
C:\WINDOWS\system32\mlJDwXqQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E80F4529-6AB7-469E-BB27-4335F045A53F}]
C:\WINDOWS\System32\fccccYss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-03-01 07:01 180736]
"VodafoneUSBPP.exe"="C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe" [2007-08-08 21:29 974848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5033a726"="C:\WINDOWS\system32\imwkneld.dll" [ ]
"BM530094ba"="C:\WINDOWS\system32\antueatc.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" [ ]
"Microsoft Windows Driver"="C:\WINDOWS\rundll32.exe" [ ]
"Windows Networking Monitoring"="C:\WINDOWS\System32\mdm.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeDWN]
byXNeDWN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18433e52-f6b4-11dc-a7fe-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 17:04:12
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-01 17:08:00 - machine was rebooted [henning]
ComboFix-quarantined-files.txt 2008-06-01 16:07:55

14 Verzeichnis(se), 1,672,294,400 Bytes frei
18 Verzeichnis(se), 1,782,493,184 Bytes frei

228 --- E O F --- 2008-05-28 19:22:30

b)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21, on 2008-06-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE} - C:\WINDOWS\system32\jkkKcDWq.dll (file missing)
O2 - BHO: (no name) - {281D456D-8F03-4602-81A0-995A6CDAE209} - C:\WINDOWS\System32\xxyxWPhG.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A06BB9E-1F80-44C7-ABC9-46CDD051915C} - C:\WINDOWS\system32\xxyyaXpP.dll (file missing)
O2 - BHO: {ffece1cb-7e1e-299a-91f4-73cd952221c5} - {5c122259-dc37-4f19-a992-e1e7bc1eceff} - C:\WINDOWS\system32\laqeracl.dll (file missing)
O2 - BHO: (no name) - {642B7F53-35C0-4541-BD14-120566C31275} - C:\WINDOWS\System32\awttsSJD.dll (file missing)
O2 - BHO: (no name) - {CB968FCD-C8FB-480B-9DD0-17249FA2597D} - C:\WINDOWS\system32\mlJDwXqQ.dll (file missing)
O2 - BHO: (no name) - {E80F4529-6AB7-469E-BB27-4335F045A53F} - C:\WINDOWS\System32\fccccYss.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKLM\..\Run: [5033a726] rundll32.exe "C:\WINDOWS\system32\imwkneld.dll",b
O4 - HKLM\..\Run: [BM530094ba] Rundll32.exe "C:\WINDOWS\system32\antueatc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: byXNeDWN - byXNeDWN.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5326 bytes

Blade81 · Jun 1, 2008

You noticed "I don't help with logs thru PM. If you have problems create a thread in the forum, please."
Sorry I am new here and not so deep into... ok.. just a stupid User me ;-)
I dont understand thru PM.

Hi

PM means private messages

That is just meant to tell users not to post their logs to my private message account. You've done just right :bigthumb:

2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\MessengerPlus! 3
2008-05-19 00:14 . 2008-05-19 00:14 <DIR> d-------- C:\Programme\Adverts

Looks like MessengerPlus! 3 might be installed with sponsors. Please uninstall MessengerPlus! 3 for now. You may reinstall it without sponsors when system is clean in case you need it

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\zv.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\al.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\rg.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD5E2E8-8BD5-45A8-B226-C237ED8B6AAE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{281D456D-8F03-4602-81A0-995A6CDAE209}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A06BB9E-1F80-44C7-ABC9-46CDD051915C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c122259-dc37-4f19-a992-e1e7bc1eceff}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{642B7F53-35C0-4541-BD14-120566C31275}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB968FCD-C8FB-480B-9DD0-17249FA2597D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E80F4529-6AB7-469E-BB27-4335F045A53F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5033a726"=-
"BM530094ba"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Oftice"=-
"Microsoft Windows Driver"=-
"Windows Networking Monitoring"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeDWN]

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above meantioned ComboFix resultant log).

multicanarias · Jun 1, 2008

Hi Blade81....

followed your step by step instructions.

Here are the 3 reports.
Thank you very much indeed.

a) Combofix

ComboFix 08-05-29.1 - Internet 2008-06-01 18:49:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.269 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.rtf
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\WINDOWS\system32\al.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\rg.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\zv.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Desktop\webmediaplayer.lnk
C:\Dokumente und Einstellungen\henning\cftmon.exe
C:\Dokumente und Einstellungen\henning\ftp34.dll
C:\Dokumente und Einstellungen\Internet\cftmon.exe
C:\Dokumente und Einstellungen\Internet\file.exe
C:\Dokumente und Einstellungen\Internet\ftp34.dll
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro.dat
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro_nav.dat
C:\Dokumente und Einstellungen\Internet\Lokale Einstellungen\Anwendungsdaten\habyro_navps.dat
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\cftmon.exe
C:\WINDOWS\system32\al.exe
C:\WINDOWS\system32\bo.exe
C:\WINDOWS\system32\cc.exe
C:\WINDOWS\system32\da.exe
C:\WINDOWS\system32\ec.exe
C:\WINDOWS\system32\ed.exe
C:\WINDOWS\system32\ee.exe
C:\WINDOWS\system32\ew.exe
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\gq.exe
C:\WINDOWS\system32\gu.exe
C:\WINDOWS\system32\hn.exe
C:\WINDOWS\system32\ii.exe
C:\WINDOWS\system32\jf.exe
C:\WINDOWS\system32\lg.exe
C:\WINDOWS\system32\lh.exe
C:\WINDOWS\system32\li.exe
C:\WINDOWS\system32\nb.exe
C:\WINDOWS\system32\pg.exe
C:\WINDOWS\system32\qd.exe
C:\WINDOWS\system32\rg.exe
C:\WINDOWS\system32\rq.exe
C:\WINDOWS\system32\rz.exe
C:\WINDOWS\system32\sf.exe
C:\WINDOWS\system32\sl.exe
C:\WINDOWS\system32\ue.exe
C:\WINDOWS\system32\uu.exe
C:\WINDOWS\system32\va.exe
C:\WINDOWS\system32\vb.exe
C:\WINDOWS\system32\vj.exe
C:\WINDOWS\system32\vv.exe
C:\WINDOWS\system32\xn.exe
C:\WINDOWS\system32\xu.exe
C:\WINDOWS\system32\zv.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-01 bis 2008-06-01 ))))))))))))))))))))))))))))))
.

2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-27 01:49 55,296 ----a-w C:\WINDOWS\system32\yw.exe
2008-04-26 22:55 55,296 ----a-w C:\WINDOWS\system32\ga.exe
2008-04-26 21:49 62,168 ----a-w C:\WINDOWS\system32\tw.exe
2008-04-26 21:27 62,168 ----a-w C:\WINDOWS\system32\ag.exe
2008-04-26 21:18 62,168 ----a-w C:\WINDOWS\system32\jh.exe
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-22 20:51 62,168 ----a-w C:\WINDOWS\system32\zj.exe
2008-04-18 22:58 55,296 ----a-w C:\WINDOWS\system32\rr.exe
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-10 13:27 55,296 ----a-w C:\WINDOWS\system32\kv.exe
2008-04-08 13:35 55,296 ----a-w C:\WINDOWS\system32\tm.exe
2008-04-07 21:48 55,296 ----a-w C:\WINDOWS\system32\ya.exe
2008-04-07 21:20 55,296 ----a-w C:\WINDOWS\system32\ua.exe
2008-04-07 00:04 55,296 ----a-w C:\WINDOWS\system32\mz.exe
2008-04-06 22:52 55,296 ----a-w C:\WINDOWS\system32\hw.exe
2008-04-06 00:32 55,296 ----a-w C:\WINDOWS\system32\bz.exe
2008-04-04 20:59 40,960 ----a-w C:\WINDOWS\system32\em.exe
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-04-04 09:27 43,444 ----a-w C:\WINDOWS\system32\hj.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 18:16 55,296 ----a-w C:\WINDOWS\system32\ay.exe
2008-03-30 17:27 55,296 ----a-w C:\WINDOWS\system32\py.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-25 20:47 55,296 ----a-w C:\WINDOWS\system32\jb.exe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-22 09:51 55,296 ----a-w C:\WINDOWS\system32\en.exe
2008-03-22 09:46 55,296 ----a-w C:\WINDOWS\system32\ld.exe
2008-03-22 09:16 55,296 ----a-w C:\WINDOWS\system32\hd.exe
2008-03-21 11:14 55,296 ----a-w C:\WINDOWS\system32\sg.exe
2008-03-21 10:51 55,296 ----a-w C:\WINDOWS\system32\cb.exe
2008-03-21 10:05 55,296 ----a-w C:\WINDOWS\system32\ni.exe
2008-03-21 10:01 55,296 ----a-w C:\WINDOWS\system32\mu.exe
2008-03-20 20:04 55,296 ----a-w C:\WINDOWS\system32\ex.exe
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 21:25 55,296 ----a-w C:\WINDOWS\system32\pp.exe
2008-03-19 21:06 55,296 ----a-w C:\WINDOWS\system32\uq.exe
2008-03-19 20:55 55,296 ----a-w C:\WINDOWS\system32\zp.exe
2008-03-17 20:20 55,296 ----a-w C:\WINDOWS\system32\tl.exe
2008-03-16 11:19 55,296 ----a-w C:\WINDOWS\system32\ev.exe
2008-03-16 02:37 55,296 ----a-w C:\WINDOWS\system32\zf.exe
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2008-03-15 16:36 55,296 ----a-w C:\WINDOWS\system32\nk.exe
2008-03-11 20:32 55,296 ----a-w C:\WINDOWS\system32\qf.exe
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 16:41:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 18:50:59
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-06-01 18:52:53
ComboFix-quarantined-files.txt 2008-06-01 17:52:48
ComboFix2.txt 2008-06-01 16:08:01

14 Verzeichnis(se), 1,779,216,384 Bytes frei
18 Verzeichnis(se), 1,767,165,952 Bytes frei

242 --- E O F --- 2008-05-28 19:22:30

b) Kapersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 10:20:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 820756
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 74938
Number of viruses found: 12
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 01:30:47

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\temp\JET9A3E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab CAB: infected - 3 skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\henning\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\file.exe.vir Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\QooBox\Quarantine\C\setup.exe.vir Inno: infected - 12 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\al.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bo.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cc.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ed.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ee.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ew.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gestlyvo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hn.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ii.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mdlaiuwg.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sl.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\va.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0104428.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP395\A0105358.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122948.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122949.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122951.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122956.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122967.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122968.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122970.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122981.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122982.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122984.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe Inno: infected - 12 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122997.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122998.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123167.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123169.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123170.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123171.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123172.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123173.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123174.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123175.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123176.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123177.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123178.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123180.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123181.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123182.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123183.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123184.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123186.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123189.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123190.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123191.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123192.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123193.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123194.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123195.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ag.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ay.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\bz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\em.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\en.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ev.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ex.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ga.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hd.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\hw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jb.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\jh.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\kv.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ld.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mu.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\mz.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ni.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\nk.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\pp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\py.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\qf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\rr.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\sg.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tm.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\tw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\ua.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\uq.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ya.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\yw.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zf.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zj.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\system32\zp.exe Infected: Backdoor.Win32.Small.pk skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

c) HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23, on 2008-06-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4151 bytes

Blade81 · Jun 2, 2008

Hi

Start hjt, do a system scan, check:
O3 - Toolbar: (no name) - {D6F180CB-E683-41a3-8CD2-C53DBAA0530D} - (no file)

Close browsers and other windows. Click fix checked.

Download
SDFix
and save it to your desktop. (If you can't download with this computer try to get it downloaded on some other one.)

Please then reboot your computer in Safe Mode by doing the
following :

Restart your computer
After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press
Enter
.
Choose your usual account.

In Safe Mode, double click the SDFix.exe file. Click Install in appearing window,
Open the extracted folder and double click RunThis.bat to
start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the
registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool
will be running and removing files.
When the desktop loads the Fixtool will complete the removal and
display Finished, then press any key to end the script and load
your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the
contents of the results file Report.txt back onto the forum.

Then we continue. Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\zp.exe
C:\WINDOWS\system32\tl.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\qf.exe

Folder::
C:\Programme\NavExcel

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above meantioned ComboFix resultant log & SDFix report).

multicanarias · Jun 3, 2008

thanks for your effort...

Hi Blade81....

thank you very much...

Kiitoksia oikein paljon.....

I got a lot of important work to do on my computer now...

I am worried now... :-/

following your instuctions.. would it be better doing my work what can not wait first?

Blade81 · Jun 3, 2008

I got a lot of important work to do on my computer now...

Hi

Infected and important don't fit too well into same sentence. If possible try to do working on clean system until this case is clear.

multicanarias · Jun 3, 2008

Thanks for backing me.... here page1 of reports

Hi Blade81...

thanks for your answer towards my worries.....

here the logs and reports:
a) SDFix report
b) ComboFix resultant log
c) Kaspersky report

a) SDFix report

SDFix: Version 1.187
Run by henning on 2008-06-03 at 18:40

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\tl.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 18:48:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"="C:\\Programme\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"="C:\\Programme\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:AVG Control Center"
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"="C:\\Programme\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet"
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"="C:\\Programme\\Orbitdownloader\\orbitnet.exe:*

isabled:Orbit"
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"="C:\\Programme\\Orbitdownloader\\orbitdm.exe:*

isabled:Orbit"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*

isabled

xpsp2res.dll,-22019"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*

isabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 10 Feb 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Tue 3 May 2005 65,024 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\~WRL0001.tmp"
Tue 3 May 2005 22,016 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\~WRL0759.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL0005.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL0157.tmp"
Sun 27 Apr 2008 24,064 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL2243.tmp"
Sun 27 Apr 2008 31,232 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL3479.tmp"
Sun 27 Apr 2008 24,576 ...H. --- "C:\Dokumente und Einstellungen\Internet\Eigene Dateien\doris-out\~WRL3999.tmp"
Mon 21 Jun 2004 135,168 A..HR --- "C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll"
Mon 21 Jun 2004 143,360 A..HR --- "C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe"
Sat 10 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7db416e8f76cad78f81bba90a96d7bb0\download\BITAA.tmp"
Wed 14 Aug 2002 65,088 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002 12,732 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002 26,424 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002 28,062 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002 10,710 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002 10,083 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002 10,257 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002 29,499 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002 12,660 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002 11,031 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002 17,952 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002 9,424 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002 13,673 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002 7,243 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002 24,767 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002 7,463 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002 10,286 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002 25,460 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002 28,866 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002 8,544 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002 33,149 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 14 Aug 2002 47,826 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002 35,340 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002 14,378 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002 37,984 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002 44,828 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002 29,628 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 14 Aug 2002 49,750 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 14 Aug 2002 49,242 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002 50,606 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002 161,792 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002 174,080 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002 21,971 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002 30,955 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002 202,517 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002 374,038 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002 22,158 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002 1,608 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002 15,345 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002 7,840 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002 56,821 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002 64,425 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002 32,396 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002 14,160 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002 10,898 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002 53,556 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002 15,777 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002 37,681 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002 354,304 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 14 Aug 2002 21,180 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002 354,263 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002 8,513 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002 41,302 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002 129,240 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002 28,439 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002 13,770 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002 130,980 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002 11,854 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002 52,715 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002 62,391 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002 11,491 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002 17,791 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002 17,043 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002 11,786 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002 18,300 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002 48,224 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002 13,360 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002 9,190 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002 12,567 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002 56,896 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002 9,692 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002 9,537 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002 32,484 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002 52,225 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002 48,491 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002 50,405 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002 33,860 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002 50,175 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002 50,795 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002 48,223 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002 48,641 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002 49,015 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002 53,786 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 14 Aug 2002 44,240 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 14 Aug 2002 42,550 A..H. --- "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

Finished!

b) ComboFix resultant log

ComboFix 08-05-29.1 - Internet 2008-06-03 18:57:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.302 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.rtf
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\qf.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\tl.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\zp.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programme\NavExcel
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.htm
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe
C:\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe
C:\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab
C:\WINDOWS\system32\ag.exe
C:\WINDOWS\system32\ay.exe
C:\WINDOWS\system32\bz.exe
C:\WINDOWS\system32\cb.exe
C:\WINDOWS\system32\em.exe
C:\WINDOWS\system32\en.exe
C:\WINDOWS\system32\ev.exe
C:\WINDOWS\system32\ex.exe
C:\WINDOWS\system32\ga.exe
C:\WINDOWS\system32\hd.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\hw.exe
C:\WINDOWS\system32\jb.exe
C:\WINDOWS\system32\jh.exe
C:\WINDOWS\system32\kv.exe
C:\WINDOWS\system32\ld.exe
C:\WINDOWS\system32\mu.exe
C:\WINDOWS\system32\mz.exe
C:\WINDOWS\system32\ni.exe
C:\WINDOWS\system32\nk.exe
C:\WINDOWS\system32\pp.exe
C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\qf.exe
C:\WINDOWS\system32\rr.exe
C:\WINDOWS\system32\sg.exe
C:\WINDOWS\system32\tm.exe
C:\WINDOWS\system32\tw.exe
C:\WINDOWS\system32\ua.exe
C:\WINDOWS\system32\uq.exe
C:\WINDOWS\system32\ya.exe
C:\WINDOWS\system32\yw.exe
C:\WINDOWS\system32\zf.exe
C:\WINDOWS\system32\zj.exe
C:\WINDOWS\system32\zp.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-03 bis 2008-06-03 ))))))))))))))))))))))))))))))
.

2008-06-03 18:52 . 2008-06-03 18:53 19,855 --a------ C:\spybot-out-03.rtf
2008-06-03 18:37 . 2008-06-03 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 18:32 . 2008-06-03 18:50 <DIR> d-------- C:\SDFix
2008-06-03 18:07 . 2008-06-03 18:07 360 --a------ C:\notiy spybot.rtf
2008-06-02 17:46 . 2008-06-03 10:25 <DIR> d-------- C:\GRIT-PDF
2008-06-02 15:35 . 2008-06-02 15:35 2,315,008 --a------ C:\GRIT-ANG-BAU-01.pdf
2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-30 12:45 . 2008-06-01 16:48 5,120 --a------ C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Startmenü
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini
2008-05-04 16:28 . 2008-05-11 01:05 <DIR> d-------- C:\henningfotos
2008-05-04 16:12 . 2008-05-11 01:05 <DIR> d-------- C:\efi-camera-02

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 08:07 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:19 --------- d-----w C:\Programme\Game_Maker7
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 17:46:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-03 17:37:30 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:30 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-03 17:37:22 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:22 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 17:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-10-08 13:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 13:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 18:59:24
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-06-03 19:01:21
ComboFix-quarantined-files.txt 2008-06-03 18:01:15
ComboFix2.txt 2008-06-01 17:52:54
ComboFix3.txt 2008-06-01 16:08:01

16 Verzeichnis(se), 1,764,728,832 Bytes frei
20 Verzeichnis(se), 1,760,526,336 Bytes frei

223 --- E O F --- 2008-05-28 19:22:30

c) Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 8:51:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 825918
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 75260
Number of viruses found: 12
Number of infected objects: 159
Number of suspicious objects: 0
Duration of the scan process: 01:31:57

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\avg7\Log\emc.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\temp\JETC455.tmp Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060320080604\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\henning\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT.LOG Object is locked skipped
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\vWTP.mdb Object is locked skipped
C:\Programme\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\henning\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\file.exe.vir Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\QooBox\Quarantine\C\Dokumente und Einstellungen\Internet\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHelper.dll.vir Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe.vir Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\Programme\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab.vir CAB: infected - 3 skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\QooBox\Quarantine\C\setup.exe.vir/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\QooBox\Quarantine\C\setup.exe.vir Inno: infected - 12 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ag.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\al.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ay.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bo.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bz.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cc.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ed.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ee.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\em.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\en.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ev.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ew.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ex.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ftp34.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ga.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gestlyvo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hd.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hj.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hn.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ii.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ld.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lh.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mdlaiuwg.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mz.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nb.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ni.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nk.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pp.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\py.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rr.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sg.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sl.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tm.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ua.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uq.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uu.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\va.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ya.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yw.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zf.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zj.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zp.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zv.exe.vir Infected: Backdoor.Win32.Small.pk skipped
C:\SDFix\backups\backups.zip/backups/tl.exe Infected: Backdoor.Win32.Small.pk skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113912.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0113915.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114913.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0114920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0115918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0116920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0117918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0118920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0119919.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120917.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120918.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP402\A0120920.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP404\A0120939.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0121938.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122935.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122936.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122948.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122949.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122951.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122956.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122967.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122968.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122970.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122981.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122982.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP405\A0122984.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0010 Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0012 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe/data0014 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122993.exe Inno: infected - 12 skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122997.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP406\A0122998.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123167.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123169.exe Infected: Trojan-Downloader.Win32.Small.viy skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123170.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123171.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123172.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123173.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123174.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123175.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123176.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123177.dll Object is locked skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123178.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123180.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123181.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123182.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123183.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123184.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123186.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123189.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123190.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123191.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123192.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123193.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123194.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP408\A0123195.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP410\A0123510.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP410\A0123514.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123598.dll Infected: not-a-virus:AdWare.Win32.NavExcel.f skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123599.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123600.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123601.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123602.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123603.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123604.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123605.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123606.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123607.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123608.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123609.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123610.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123611.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123612.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123613.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123614.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123615.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123616.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123617.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123618.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123619.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123620.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123621.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123622.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123623.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123624.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123625.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123626.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123627.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123628.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123629.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123630.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123631.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123632.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123633.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\A0123634.exe Infected: Backdoor.Win32.Small.pk skipped
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP412\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\logo[1].jpg Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

multicanarias · Jun 3, 2008

Thanks for backing me.... page2 of reports

d) new htj log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54, on 2008-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62DB494-23E4-414A-AF27-DBDCF4D4697D}: NameServer = 212.73.32.3 212.73.32.67
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4237 bytes

Blade81 · Jun 3, 2008

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll

Folder::
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log (without forgetting above meantioned ComboFix resultant log) in your next reply.

multicanarias · Jun 4, 2008

Hi Blade81....

thanks for the quick answer......

this getting almoust adictive here....

(big smile)...

as soon as done I will go to send the logs etc...

Could you please discribe what I actually got...

... are this trojans and / more...?

Thank you very much imdeed...

Blade81 · Jun 4, 2008

Hi

Ok. I'll be waiting

Could you please discribe what I actually got...

... are this trojans and / more...?

Found infections are mainly trojans.

multicanarias · Jun 5, 2008

Hi Blade81...

excuse please the delay of the log files etc.....

Doing my work on a other equipment. As soon as possible I will follow your instructions and send the files.

Thanks....

Blade81 · Jun 5, 2008

No problem. Take your time

multicanarias · Jun 5, 2008

Hi Blade81....

finally I had some time to run your last step by step asvice.
Thanks a lot.....

a) Combo Fix log
b) Malwarebytes log
c) htj log

I also got some questions:
What do you think about installing SP3 now... or shall I wait untill it improves?

A program like Poker TH what connects it self to the browser... can I find out if this program is save?

When I am downloading free or shareware I use www.icrfast.com, paying each time with 3 sms, 4,50€ to
get 100% garantie no virus and spyware. Is this save?

Is there anywhere something like a trustfull "black list" of websites?

Ones having a clean system (...I hope ;-).. how do I keep it clean?

Finally I heard about this free online schools for anti-virus and malware.. what is your opinion?

..I hope I dont been asking to much in one go -)

a) Combo Fix log

ComboFix 08-05-29.1 - Internet 2008-06-05 20:29:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.256 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Internet\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Internet\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLWVWRN1\desktop.ini

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-05 bis 2008-06-05 ))))))))))))))))))))))))))))))
.

2008-06-05 09:06 . 2008-06-05 11:10 1,726 --a------ C:\mitsu-01.rtf
2008-06-05 07:31 . 2008-06-05 07:31 1,150,677 --a------ C:\tuer-adeje.pdf
2008-06-05 07:28 . 2008-06-05 07:28 430,079 --a------ C:\tuer-adeje001.jpg
2008-06-03 20:57 . 2008-06-03 20:57 <DIR> d-------- C:\Dokumente und Einstellungen\henning\Anwendungsdaten\Talkback
2008-06-03 18:52 . 2008-06-03 20:56 75,877 --a------ C:\spybot-out-03.rtf
2008-06-03 18:37 . 2008-06-03 18:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 18:32 . 2008-06-03 18:50 <DIR> d-------- C:\SDFix
2008-06-03 18:07 . 2008-06-03 18:07 360 --a------ C:\notiy spybot.rtf
2008-06-02 17:46 . 2008-06-03 10:25 <DIR> d-------- C:\GRIT-PDF
2008-06-02 15:35 . 2008-06-02 15:35 2,315,008 --a------ C:\GRIT-ANG-BAU-01.pdf
2008-06-01 17:27 . 2008-06-01 17:51 24,006 --a------ C:\spybot-out-02.rtf
2008-06-01 17:08 . 2008-06-01 17:08 <DIR> d-------- C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\NetworkService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . 2008-06-01 17:08 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 17:08 . <DIR> C:\Dokumente und Einstellungen\LocalService.NT-AUTORIT-T\Lokale Einstellungen
2008-06-01 02:45 . 2008-06-01 02:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:41 . 2008-05-31 23:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-05-31 18:41 . 2008-05-31 18:46 <DIR> d-------- C:\SmitfraudFix
2008-05-31 18:03 . 2008-05-31 18:42 738 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 17:57 . 2008-05-31 17:55 1,392,671 --a------ C:\SmitfraudFix.exe
2008-05-22 03:29 . 2008-05-22 03:31 <DIR> d-------- C:\Dokumente und Einstellungen\Internet\.bitrock
2008-05-16 13:20 . 2008-03-01 13:53 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-16 13:20 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-16 13:20 . 2007-03-08 06:09 1,040,384 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-16 13:20 . 2008-03-01 13:53 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-16 13:20 . 2008-03-01 13:53 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-16 13:20 . 2008-03-01 13:53 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-16 13:20 . 2008-03-01 13:53 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-16 13:20 . 2008-03-01 13:53 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-16 13:20 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 23:33 . 2008-05-17 03:02 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-05-11 15:46 . 2008-06-01 07:35 4,197,218 --a------ C:\WINDOWS\pfirewall.log.old
2008-05-11 00:34 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-05-11 00:34 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-05-11 00:34 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-05-11 00:08 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-08 21:24 . 2008-05-08 21:24 <DIR> d-------- C:\WINDOWS\peernet
2008-05-08 21:20 . 2008-05-08 21:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 21:13 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-08 21:09 . 2008-05-08 21:25 <DIR> d-------- C:\WINDOWS\EHome
2008-05-08 04:20 . 2008-05-08 04:20 1,144 --a------ C:\WINDOWS\mozver.dat
2008-05-08 02:09 . 2004-08-04 00:58 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-05-08 02:09 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-05-08 02:09 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-05-07 20:13 . 2008-05-07 20:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-07 20:07 . 2008-05-07 20:07 5,839,384 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-05-06 21:44 . 2008-05-10 02:54 9,722,720 --a------ C:\spybotsd152.exe
2008-05-05 16:59 . 2008-05-16 07:51 1,022 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 12:30 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\Orbit
2008-06-01 02:22 --------- d-----w C:\Programme\Trend Micro
2008-05-30 15:34 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\AVG7
2008-05-22 02:31 --------- d-----w C:\Programme\PokerTH
2008-05-10 02:32 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-10 01:57 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-05-09 23:52 --------- d-----w C:\Programme\AdvancedDVDPlayer
2008-04-23 12:40 --------- d-----w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\EPSON
2008-04-18 21:33 --------- d-----w C:\Programme\Orbitdownloader
2008-04-04 10:18 8,183,675 ----a-w C:\gmaker.exe
2008-03-30 20:26 15,134,344 ----a-w C:\PeggleSetup-de.exe
2008-03-30 08:27 11,944,796 ----a-w C:\PokerTH-0.6.1-win-installer.exe
2008-03-23 03:33 4,793,203 ----a-w C:\MH_foots_of_Bush.EXE
2008-03-16 02:09 6,010,515 ----a-w C:\cc_mh2v11.exe
2008-03-16 00:14 5,901,965 ----a-w C:\Setup_Moorhuhn-X-XS_V11.exe
2005-04-29 21:12 30,952 ----a-w C:\Dokumente und Einstellungen\Internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-04 07:36 8,192 --sha-w C:\Programme\Gemeinsame Dateien\Thumbs.db
2005-01-12 03:54 85,856 ----a-w C:\Dokumente und Einstellungen\henning\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.39,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 16:02:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 19:32:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-03 17:37:30 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:30 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-01 18:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-03 17:37:22 6,172,672 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-03 17:37:22 32,768 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-11 13:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 17:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-10-08 13:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 13:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-03-10 00:09 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programme\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programme\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

R1 GhPciScan;GhostPciScanner;C:\Programme\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18433e52-f6b4-11dc-a7fe-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962ecf60-f3ac-11dc-a7dd-0048546e5a95}]
\Shell\AutoRun\command - H:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 20:34:05
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-05 20:38:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 19:38:16
ComboFix2.txt 2008-06-03 18:01:22
ComboFix3.txt 2008-06-01 17:52:54
ComboFix4.txt 2008-06-01 16:08:01

16 Verzeichnis(se), 1,690,222,592 Bytes frei
20 Verzeichnis(se), 1,702,227,968 Bytes frei

163 --- E O F --- 2008-05-28 19:22:30

b) Malwarebytes log

Malwarebytes' Anti-Malware 1.14
Database version: 829

22:09:30 2008-06-05
mbam-log-6-5-2008 (22-09-30).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 110762
Time elapsed: 35 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP399\A0110239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{08DA0748-429A-4A69-ACBF-5436377B3122}\RP400\A0111287.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c) htj log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13, on 2008-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Dokumente und Einstellungen\henning\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207596288405
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CA8175A-AF36-4711-967B-1E09A1551ECF}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4073 bytes

multicanarias · Jun 5, 2008

Hi Blade81...

me again...

every time when (since the last session) I place a note here, I recieve emidiatly in my e-mail strange mail from unknown senders with a photo attach with 430 KB.

Example:

from "Tia ISRAEL" no subject

from "Tristin MURLEY"

..sounds dodgy no...?

Blade81 · Jun 6, 2008

What do you think about installing SP3 now... or shall I wait untill it improves?

Some people have had problems with it. I might suggest to wait for a bit.

A program like Poker TH what connects it self to the browser... can I find out if this program is save?

Haven't used those poker programs myself so can't unfortunately say for sure.

When I am downloading free or shareware I use www.icrfast.com, paying each time with 3 sms, 4,50€ to
get 100% garantie no virus and spyware. Is this save?

Haven't heard about this site before and can't say anything about it.

Is there anywhere something like a trustfull "black list" of websites?

Ones having a clean system (...I hope ;-).. how do I keep it clean?

You can install MVPS Hosts file that's a kind of black list. I'll give instructions when we'll get this clean.

Finally I heard about this free online schools for anti-virus and malware.. what is your opinion?

If you have passion to learn new then why not.

About those emails you got.. Are you still getting them? Let's see if GMER can find something.

Download GMER and save it your desktop:

Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

multicanarias · Jun 6, 2008

Hi Blade81..

thanks for your time and all the replies...

Here the gmer log file...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-06 08:22:22
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys Das System kann die angegebene Datei nicht finden. !
? C:\ComboFix\catchme.sys Das System kann den angegebenen Pfad nicht finden. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.14 ----

.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 10021170 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetSysColorBrush 7E368EAB 5 Bytes JMP 100211E0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollInfo 7E369056 7 Bytes JMP 10021060 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollInfo 7E370DA2 7 Bytes JMP 10020FB0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!ShowScrollBar 7E37F2B3 5 Bytes JMP 10021130 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollPos 7E37F6C4 5 Bytes JMP 10020FF0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollPos 7E37F710 5 Bytes JMP 100210A0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!GetScrollRange 7E37F747 5 Bytes JMP 10021020 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!SetScrollRange 7E37F95B 5 Bytes JMP 100210E0 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[3256] USER32.dll!EnableScrollBar 7E3B7DDD 7 Bytes JMP 10020F70 C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\prodrv06 \Device\ProDrv06 E174E008
Device \Driver\prohlp02 \Device\ProHlp02 E1018088
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.14 ----

Blade81 · Jun 6, 2008

Looks just ok

Could it had been pure coincidence that you got those spam messages to your email address after posting here? Have you got those now?

got a problem with, at least Smitftaud-C

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus