mamabiti

Win32.Trojan.MatrisHasYou


Hi,

 

The last scan with Ad-Aware showed me an infection with Win32.Trojan.MatrisHasYou and a tip to ask for help in this forum.

 

I'll post the HijackThis logfile in the next post because the post length is limited:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Donnerstag, 25. Januar 2007 20:38:19

Using definitions file:SE1R147 25.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):13 total references

Other(TAC index:5):1 total references

Tracking Cookie(TAC index:3):5 total references

Win32.Trojan.MatrisHasYou(TAC index:10):3 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Ignore spanned files when scanning cab archives

Set : Scan registry for all users instead of current user only

Set : Automatically check all objects in results lists

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Block pop-ups aggressively

Set : Automatically select problematic objects in results lists

Set : Include info about ignored objects in log file, if detected in scan

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include used command line parameters in log file

Set : Include reference summary in log file

Set : Include module list in log file

Set : Include alternate data stream details in log file

Set : Show splash screen

Set : Backup current definitions file before updating

Set : Create and save WebUpdate log file

Set : Play sound at scan completion if scan locates critical objects

 

 

25.01.2007 20:38:19 - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\adobe\adobe acrobat\5.0\avgeneral\crecentfiles

Description : list of recently used files in adobe acrobat

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list

Description : list of recent files opened using wordpad

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\ulead systems\ulead photoimpact\8.0\recent file list

Description : list of recently used files in ulead photoimpact

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 416

ThreadCreationTime : 25.01.2007 19:36:10

BasePriority : Normal

 

Scanning Module:\SystemRoot\System32\smss.exe...

Scanning Module:C:\WINDOWS\system32\ntdll.dll...

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 472

ThreadCreationTime : 25.01.2007 19:36:12

BasePriority : Normal

 

Scanning Module:\??\C:\WINDOWS\system32\csrss.exe...

Scanning Module:C:\WINDOWS\system32\CSRSRV.dll...

Scanning Module:C:\WINDOWS\system32\basesrv.dll...

Scanning Module:C:\WINDOWS\system32\winsrv.dll...

Scanning Module:C:\WINDOWS\system32\USER32.dll...

Scanning Module:C:\WINDOWS\system32\KERNEL32.dll...

Scanning Module:C:\WINDOWS\system32\GDI32.dll...

Scanning Module:C:\WINDOWS\system32\LPK.DLL...

Scanning Module:C:\WINDOWS\system32\USP10.dll...

Scanning Module:C:\WINDOWS\system32\msvcrt.dll...

Scanning Module:C:\WINDOWS\system32\ADVAPI32.dll...

Scanning Module:C:\WINDOWS\system32\RPCRT4.dll...

Scanning Module:C:\WINDOWS\system32\sxs.dll...

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 504

ThreadCreationTime : 25.01.2007 19:36:13

BasePriority : High

 

Scanning Module:\??\C:\WINDOWS\system32\winlogon.exe...

Scanning Module:C:\WINDOWS\system32\AUTHZ.dll...

Scanning Module:C:\WINDOWS\system32\CRYPT32.dll...

Scanning Module:C:\WINDOWS\system32\MSASN1.dll...

Scanning Module:C:\WINDOWS\system32\NDdeApi.dll...

Scanning Module:C:\WINDOWS\system32\PROFMAP.dll...

Scanning Module:C:\WINDOWS\system32\NETAPI32.dll...

Scanning Module:C:\WINDOWS\system32\USERENV.dll...

Scanning Module:C:\WINDOWS\system32\PSAPI.DLL...

Scanning Module:C:\WINDOWS\system32\REGAPI.dll...

Scanning Module:C:\WINDOWS\system32\Secur32.dll...

Scanning Module:C:\WINDOWS\system32\SETUPAPI.dll...

Scanning Module:C:\WINDOWS\system32\VERSION.dll...

Scanning Module:C:\WINDOWS\system32\WINSTA.dll...

Scanning Module:C:\WINDOWS\system32\WINTRUST.dll...

Scanning Module:C:\WINDOWS\system32\IMAGEHLP.dll...

Scanning Module:C:\WINDOWS\system32\WS2_32.dll...

Scanning Module:C:\WINDOWS\system32\WS2HELP.dll...

Scanning Module:C:\WINDOWS\system32\IMM32.DLL...

Scanning Module:C:\WINDOWS\system32\MSGINA.dll...

Scanning Module:C:\WINDOWS\system32\SHELL32.dll...

Scanning Module:C:\WINDOWS\system32\SHLWAPI.dll...

Scanning Module:C:\WINDOWS\system32\COMCTL32.dll...

Scanning Module:C:\WINDOWS\system32\ODBC32.dll...

Scanning Module:C:\WINDOWS\system32\comdlg32.dll...

Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...

Scanning Module:C:\WINDOWS\system32\odbcint.dll...

Scanning Module:C:\WINDOWS\system32\SHSVCS.dll...

Scanning Module:C:\WINDOWS\system32\sfc.dll...

Scanning Module:C:\WINDOWS\system32\sfc_os.dll...

Scanning Module:C:\WINDOWS\system32\ole32.dll...

Scanning Module:C:\WINDOWS\system32\Apphelp.dll...

Scanning Module:C:\WINDOWS\system32\msctfime.ime...

Scanning Module:C:\WINDOWS\system32\WINSCARD.DLL...

Scanning Module:C:\WINDOWS\system32\WTSAPI32.dll...

Scanning Module:C:\WINDOWS\system32\uxtheme.dll...

Scanning Module:C:\WINDOWS\system32\WINMM.dll...

Scanning Module:C:\WINDOWS\system32\Ati2evxx.dll...

Scanning Module:C:\WINDOWS\system32\rsaenh.dll...

Scanning Module:C:\WINDOWS\system32\cscdll.dll...

Scanning Module:C:\WINDOWS\system32\WlNotify.dll...

Scanning Module:C:\WINDOWS\system32\WINSPOOL.DRV...

Scanning Module:C:\WINDOWS\system32\MPR.dll...

Scanning Module:C:\WINDOWS\system32\SAMLIB.dll...

Scanning Module:C:\WINDOWS\system32\msv1_0.dll...

Scanning Module:C:\WINDOWS\system32\iphlpapi.dll...

Scanning Module:C:\WINDOWS\system32\wldap32.dll...

Scanning Module:C:\WINDOWS\system32\cscui.dll...

Scanning Module:C:\WINDOWS\system32\MPRAPI.dll...

Scanning Module:C:\WINDOWS\system32\ACTIVEDS.dll...

Scanning Module:C:\WINDOWS\system32\adsldpc.dll...

Scanning Module:C:\WINDOWS\system32\ATL.DLL...

Scanning Module:C:\WINDOWS\system32\OLEAUT32.dll...

Scanning Module:C:\WINDOWS\system32\rtutils.dll...

Scanning Module:C:\WINDOWS\system32\xpsp2res.dll...

Scanning Module:C:\WINDOWS\system32\wdmaud.drv...

Scanning Module:C:\WINDOWS\system32\msacm32.drv...

Scanning Module:C:\WINDOWS\system32\MSACM32.dll...

Scanning Module:C:\WINDOWS\system32\midimap.dll...

Scanning Module:C:\WINDOWS\system32\COMRes.dll...

Scanning Module:C:\WINDOWS\system32\CLBCATQ.DLL...

Scanning Module:C:\WINDOWS\system32\NTMARTA.DLL...

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 548

ThreadCreationTime : 25.01.2007 19:36:14

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Anwendung für Dienste und Controller

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : services.exe

Scanning Module:C:\WINDOWS\system32\services.exe...

Scanning Module:C:\WINDOWS\system32\SCESRV.dll...

Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...

Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCP60.dll...

Scanning Module:C:\WINDOWS\system32\ShimEng.dll...

Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...

Scanning Module:C:\WINDOWS\system32\eventlog.dll...

Scanning Module:C:\WINDOWS\system32\URLMON.DLL...

Scanning Module:C:\WINDOWS\system32\dnsapi.dll...

Scanning Module:C:\WINDOWS\System32\mswsock.dll...

Scanning Module:C:\WINDOWS\System32\winrnr.dll...

Scanning Module:C:\WINDOWS\system32\rasadhlp.dll...

Scanning Module:C:\WINDOWS\system32\WININET.dll...

Scanning Module:C:\Programme\Steganos Internet Anonym 5\sselsp.dll...

Scanning Module:C:\WINDOWS\system32\hnetcfg.dll...

Scanning Module:C:\WINDOWS\System32\wshtcpip.dll...

 

#:5 [savedump.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 560

ThreadCreationTime : 25.01.2007 19:36:14

BasePriority : Idle

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Programm zur Sicherung eines Abbilds

InternalName : savedump

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : savedump.exe

Scanning Module:C:\WINDOWS\system32\savedump.exe...

Scanning Module:C:\WINDOWS\system32\dbgeng.dll...

Scanning Module:C:\WINDOWS\system32\DBGHELP.dll...

 

#:6 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 568

ThreadCreationTime : 25.01.2007 19:36:14

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

Scanning Module:C:\WINDOWS\system32\lsass.exe...

Scanning Module:C:\WINDOWS\system32\LSASRV.dll...

Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...

Scanning Module:C:\WINDOWS\system32\cryptdll.dll...

Scanning Module:C:\WINDOWS\system32\NTDSAPI.dll...

Scanning Module:C:\WINDOWS\system32\msprivs.dll...

Scanning Module:C:\WINDOWS\system32\kerberos.dll...

Scanning Module:C:\WINDOWS\system32\netlogon.dll...

Scanning Module:C:\WINDOWS\system32\w32time.dll...

Scanning Module:C:\WINDOWS\system32\schannel.dll...

Scanning Module:C:\WINDOWS\system32\wdigest.dll...

Scanning Module:C:\WINDOWS\system32\scecli.dll...

Scanning Module:C:\WINDOWS\system32\ipsecsvc.dll...

Scanning Module:C:\WINDOWS\system32\oakley.DLL...

Scanning Module:C:\WINDOWS\system32\WINIPSEC.DLL...

Scanning Module:C:\WINDOWS\system32\pstorsvc.dll...

Scanning Module:C:\WINDOWS\system32\psbase.dll...

Scanning Module:C:\WINDOWS\system32\dssenh.dll...

 

#:7 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 716

ThreadCreationTime : 25.01.2007 19:36:15

BasePriority : Normal

 

Scanning Module:C:\WINDOWS\system32\Ati2evxx.exe...

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 732

ThreadCreationTime : 25.01.2007 19:36:15

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:C:\WINDOWS\system32\svchost.exe...

Scanning Module:c:\windows\system32\rpcss.dll...

Scanning Module:c:\windows\system32\termsrv.dll...

Scanning Module:c:\windows\system32\ICAAPI.dll...

Scanning Module:c:\windows\system32\mstlsapi.dll...

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 820

ThreadCreationTime : 25.01.2007 19:36:15

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 868

ThreadCreationTime : 25.01.2007 19:36:15

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\dhcpcsvc.dll...

Scanning Module:c:\windows\system32\wzcsvc.dll...

Scanning Module:c:\windows\system32\WMI.dll...

Scanning Module:c:\windows\system32\ESENT.dll...

Scanning Module:C:\WINDOWS\System32\rastls.dll...

Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...

Scanning Module:C:\WINDOWS\System32\RASAPI32.dll...

Scanning Module:C:\WINDOWS\System32\rasman.dll...

Scanning Module:C:\WINDOWS\System32\TAPI32.dll...

Scanning Module:C:\WINDOWS\System32\raschap.dll...

Scanning Module:c:\windows\system32\schedsvc.dll...

Scanning Module:C:\WINDOWS\System32\MSIDLE.DLL...

Scanning Module:c:\windows\system32\audiosrv.dll...

Scanning Module:c:\windows\system32\wkssvc.dll...

Scanning Module:c:\windows\system32\cryptsvc.dll...

Scanning Module:c:\windows\system32\certcli.dll...

Scanning Module:c:\windows\system32\dmserver.dll...

Scanning Module:c:\windows\system32\es.dll...

Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...

Scanning Module:c:\windows\system32\hidserv.dll...

Scanning Module:c:\windows\system32\HID.DLL...

Scanning Module:c:\windows\system32\srvsvc.dll...

Scanning Module:c:\windows\system32\seclogon.dll...

Scanning Module:c:\windows\system32\sens.dll...

Scanning Module:c:\windows\system32\srsvc.dll...

Scanning Module:c:\windows\system32\POWRPROF.dll...

Scanning Module:c:\windows\system32\trkwks.dll...

Scanning Module:c:\windows\system32\wbem\wmisvc.dll...

Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...

Scanning Module:c:\windows\system32\wscsvc.dll...

Scanning Module:c:\windows\system32\msi.dll...

Scanning Module:c:\windows\system32\netshell.dll...

Scanning Module:c:\windows\system32\credui.dll...

Scanning Module:c:\windows\system32\wuauserv.dll...

Scanning Module:C:\WINDOWS\system32\wuaueng.dll...

Scanning Module:C:\WINDOWS\System32\ADVPACK.dll...

Scanning Module:C:\WINDOWS\System32\SHFOLDER.dll...

Scanning Module:C:\WINDOWS\System32\WINHTTP.dll...

Scanning Module:C:\WINDOWS\System32\Cabinet.dll...

Scanning Module:C:\WINDOWS\System32\mspatcha.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemcomn.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\wbemcore.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\esscli.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\FastProx.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemsvc.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wmiutils.dll...

Scanning Module:C:\WINDOWS\System32\wbem\repdrvfs.dll...

Scanning Module:C:\WINDOWS\system32\comsvcs.dll...

Scanning Module:C:\WINDOWS\system32\MTXCLU.DLL...

Scanning Module:C:\WINDOWS\system32\WSOCK32.dll...

Scanning Module:C:\WINDOWS\system32\colbact.DLL...

Scanning Module:C:\WINDOWS\System32\CLUSAPI.DLL...

Scanning Module:C:\WINDOWS\System32\RESUTILS.DLL...

Scanning Module:C:\WINDOWS\System32\wbem\wmiprvsd.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemess.dll...

Scanning Module:c:\windows\system32\browser.dll...

Scanning Module:C:\WINDOWS\System32\wbem\ncprov.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemcons.dll...

Scanning Module:c:\windows\system32\netman.dll...

Scanning Module:c:\windows\system32\WZCSAPI.DLL...

Scanning Module:C:\WINDOWS\System32\upnp.dll...

Scanning Module:C:\WINDOWS\System32\SSDPAPI.dll...

Scanning Module:C:\WINDOWS\System32\netcfgx.dll...

Scanning Module:C:\WINDOWS\System32\rasmans.dll...

Scanning Module:c:\windows\system32\tapisrv.dll...

Scanning Module:C:\WINDOWS\System32\rastapi.dll...

Scanning Module:C:\WINDOWS\System32\unimdm.tsp...

Scanning Module:C:\WINDOWS\System32\uniplat.dll...

Scanning Module:C:\WINDOWS\System32\kmddsp.tsp...

Scanning Module:C:\WINDOWS\System32\ndptsp.tsp...

Scanning Module:C:\WINDOWS\System32\ipconf.tsp...

Scanning Module:C:\WINDOWS\System32\h323.tsp...

Scanning Module:C:\WINDOWS\System32\hidphone.tsp...

Scanning Module:C:\WINDOWS\System32\rasppp.dll...

Scanning Module:C:\WINDOWS\System32\ntlsapi.dll...

Scanning Module:C:\WINDOWS\System32\RASDLG.dll...

Scanning Module:C:\WINDOWS\system32\wups.dll...

 

#:11 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 940

ThreadCreationTime : 25.01.2007 19:36:15

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\dnsrslvr.dll...

 

#:12 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 984

ThreadCreationTime : 25.01.2007 19:36:16

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\lmhsvc.dll...

Scanning Module:c:\windows\system32\webclnt.dll...

Scanning Module:c:\windows\system32\regsvc.dll...

Scanning Module:c:\windows\system32\ssdpsrv.dll...

 

#:13 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1152

ThreadCreationTime : 25.01.2007 19:36:17

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

Scanning Module:C:\WINDOWS\system32\spoolsv.exe...

Scanning Module:C:\WINDOWS\system32\SPOOLSS.DLL...

Scanning Module:C:\WINDOWS\system32\localspl.dll...

Scanning Module:C:\WINDOWS\system32\cnbjmon.dll...

Scanning Module:C:\WINDOWS\system32\FritzColorPort.dll...

Scanning Module:C:\WINDOWS\system32\MFC70U.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCR70.dll...

Scanning Module:C:\WINDOWS\system32\OLEACC.dll...

Scanning Module:C:\WINDOWS\system32\FritzPort.dll...

Scanning Module:C:\WINDOWS\system32\mdimon.dll...

Scanning Module:C:\WINDOWS\system32\pdfports.dll...

Scanning Module:d:\Acrobat 5.0\Distillr\adistres.dll...

Scanning Module:C:\WINDOWS\system32\pjlmon.dll...

Scanning Module:C:\WINDOWS\system32\tcpmon.dll...

Scanning Module:C:\WINDOWS\system32\usbmon.dll...

Scanning Module:C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll...

Scanning Module:C:\WINDOWS\system32\win32spl.dll...

Scanning Module:C:\WINDOWS\system32\NETRAP.dll...

Scanning Module:C:\WINDOWS\system32\inetpp.dll...

 

#:14 [guard.exe]

FilePath : d:\Programme\Grisoft\AVG Anti-Spyware 7.5\

ProcessID : 1244

ThreadCreationTime : 25.01.2007 19:36:17

BasePriority : Normal

FileVersion : 7, 5, 0, 47

ProductVersion : 7, 5, 0, 47

ProductName : AVG Anti-Spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : AVG Anti-Spyware guard

InternalName : AVG Anti-Spyware guard

LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.

OriginalFilename : guard.exe

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe...

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\engine.dll...

 

#:15 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1372

ThreadCreationTime : 25.01.2007 19:36:20

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\wiaservc.dll...

Scanning Module:c:\windows\system32\CFGMGR32.dll...

Scanning Module:c:\windows\system32\mscms.dll...

Scanning Module:C:\WINDOWS\System32\actxprxy.dll...

 

#:16 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1448

ThreadCreationTime : 25.01.2007 19:36:21

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

Scanning Module:C:\WINDOWS\system32\wdfmgr.exe...

 

#:17 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1936

ThreadCreationTime : 25.01.2007 19:36:27

BasePriority : Normal

 

Scanning Module:C:\WINDOWS\system32\MSCTF.dll...

Scanning Module:D:\Programme\Hardcopy\HcDLL2_J_Win32.dll...

 

#:18 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 2000

ThreadCreationTime : 25.01.2007 19:36:27

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : EXPLORER.EXE

Scanning Module:C:\WINDOWS\Explorer.EXE...

Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...

Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...

Scanning Module:C:\WINDOWS\System32\themeui.dll...

Scanning Module:C:\WINDOWS\System32\MSIMG32.dll...

Scanning Module:C:\WINDOWS\System32\msutb.dll...

Scanning Module:C:\PROGRA~1\WINDOW~2\wmpband.dll...

Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...

Scanning Module:C:\WINDOWS\system32\ntshrui.dll...

Scanning Module:C:\WINDOWS\System32\webcheck.dll...

Scanning Module:C:\WINDOWS\System32\stobject.dll...

Scanning Module:C:\WINDOWS\System32\BatMeter.dll...

Scanning Module:C:\WINDOWS\system32\upnpui.dll...

Scanning Module:D:\Programme\Trillian\events.dll...

Scanning Module:D:\Programme\Trillian\MSVCR71.dll...

Scanning Module:C:\WINDOWS\System32\drprov.dll...

Scanning Module:C:\WINDOWS\System32\ntlanman.dll...

Scanning Module:C:\WINDOWS\System32\NETUI0.dll...

Scanning Module:C:\WINDOWS\System32\NETUI1.dll...

Scanning Module:C:\WINDOWS\System32\davclnt.dll...

Scanning Module:C:\WINDOWS\system32\MSISIP.DLL...

Scanning Module:C:\WINDOWS\System32\wshext.dll...

Scanning Module:C:\WINDOWS\system32\MFC42.DLL...

Scanning Module:C:\WINDOWS\system32\MFC42LOC.DLL...

Scanning Module:C:\WINDOWS\System32\wshDE.DLL...

Scanning Module:D:\PROGRA~1\MICROS~1\OFFICE11\MCPS.DLL...

 

#:19 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 292

ThreadCreationTime : 25.01.2007 19:36:29

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

Scanning Module:C:\WINDOWS\system32\wscntfy.exe...

 

#:20 [soundman.exe]

FilePath : C:\WINDOWS\

ProcessID : 388

ThreadCreationTime : 25.01.2007 19:36:32

BasePriority : Normal

FileVersion : 5.1.0.29

ProductVersion : 5.1.0.29

ProductName : Realtek Sound Manager

CompanyName : Realtek Semiconductor Corp.

FileDescription : Realtek Sound Manager

InternalName : ALSMTray

LegalCopyright : Copyright © 2001-2004 Realtek Semiconductor Corp.

OriginalFilename : ALSMTray.exe

Comments : Realtek AC97 Audio Sound Manager

Scanning Module:C:\WINDOWS\SOUNDMAN.EXE...

 

#:21 [nvraidservice.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 400

ThreadCreationTime : 25.01.2007 19:36:33

BasePriority : Normal

FileVersion : 1.0.1

ProductVersion : 1.0.1

ProductName : NVIDIA® NVRAID

CompanyName : NVIDIA Corporation

FileDescription : Raid Service U.S. English Resources

InternalName : NvRaidServiceENU.dll

LegalCopyright : Copyright© NVIDIA Corporation 2000-2003.

LegalTrademarks : NVIDIA® is a registered trademark of NVIDIA Corporation.

OriginalFilename : NvRaidServiceENU.dll

Scanning Module:C:\WINDOWS\System32\nvraidservice.exe...

Scanning Module:C:\WINDOWS\System32\wbem\wbemprox.dll...

Scanning Module:C:\WINDOWS\System32\NvRaidSvENU.dll...

 

#:22 [wmiprvse.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 440

ThreadCreationTime : 25.01.2007 19:36:33

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

Scanning Module:C:\WINDOWS\System32\wbem\wmiprvse.exe...

Scanning Module:C:\WINDOWS\System32\wbem\wmiprov.dll...

 

#:23 [atiptaxx.exe]

FilePath : C:\Programme\ATI Technologies\ATI Control Panel\

ProcessID : 484

ThreadCreationTime : 25.01.2007 19:36:33

BasePriority : Normal

FileVersion : 6.14.10.5046

ProductVersion : 6.14.10.5046

ProductName : ATI Desktop Component

CompanyName : ATI Technologies, Inc.

FileDescription : ATI Desktop Control Panel

InternalName : Atiptaxx.exe

LegalCopyright : Copyright © 1998-2002 ATI Technologies Inc.

OriginalFilename : Atiptaxx.exe

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe...

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atipdsxx.dll...

Scanning Module:C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.DEU...

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atipdxxx.dll...

Scanning Module:C:\WINDOWS\system32\DINPUT8.dll...

 

#:24 [jusched.exe]

FilePath : C:\Programme\Java\jre1.5.0_02\bin\

ProcessID : 524

ThreadCreationTime : 25.01.2007 19:36:34

BasePriority : Normal

 

Scanning Module:C:\Programme\Java\jre1.5.0_02\bin\jusched.exe...

 

#:25 [unsecapp.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 1400

ThreadCreationTime : 25.01.2007 19:36:35

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : unsecapp.dll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : unsecapp.dll

Scanning Module:C:\WINDOWS\System32\wbem\unsecapp.exe...

 

#:26 [adirss.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1988

ThreadCreationTime : 25.01.2007 19:36:41

BasePriority : Normal

 

Scanning Module:C:\WINDOWS\system32\adirss.exe...

 

#:27 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2056

ThreadCreationTime : 25.01.2007 19:36:42

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

Scanning Module:C:\WINDOWS\system32\ctfmon.exe...

 

#:28 [acrotray.exe]

FilePath : D:\Acrobat 5.0\Distillr\

ProcessID : 2172

ThreadCreationTime : 25.01.2007 19:36:51

BasePriority : Normal

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

LegalCopyright : Copyright © 2001

OriginalFilename : AcroTray.exe

Scanning Module:D:\Acrobat 5.0\Distillr\AcroTray.exe...

 

#:29 [hardcopy.exe]

FilePath : D:\Programme\Hardcopy\

ProcessID : 2216

ThreadCreationTime : 25.01.2007 19:36:56

BasePriority : Normal

FileVersion : 16.1.09

ProductVersion : 16.1.09

ProductName : Hardcopy für Windows

CompanyName : sw4you, Siegfried Weckmann

FileDescription : Hardcopy - Drucken Fenster/Bildschirminhalt

InternalName : HARDCOPY

LegalCopyright : Copyright © Siegfried Weckmann 1995-2003

OriginalFilename : HARDCOPY.EXE

Scanning Module:D:\Programme\Hardcopy\hardcopy.exe...

Scanning Module:D:\Programme\Hardcopy\HcDllS.dll...

Scanning Module:D:\Programme\Hardcopy\ltkrn14n.dll...

Scanning Module:D:\Programme\Hardcopy\ltfil14n.dll...

Scanning Module:D:\Programme\Hardcopy\ltdis14n.dll...

Scanning Module:D:\Programme\Hardcopy\hardcopy.dll...

 

#:30 [iwatch.exe]

FilePath : D:\FRITZ!\

ProcessID : 2228

ThreadCreationTime : 25.01.2007 19:36:57

BasePriority : Normal

FileVersion : 2.01.21

ProductVersion : 2.01.21

ProductName : ISDNWatch

CompanyName : AVM Berlin

FileDescription : ISDNWatch Monitor

InternalName : ISDNWatch

LegalCopyright : Copyright © AVM Berlin

OriginalFilename : IWatch.exe

Scanning Module:D:\FRITZ!\IWatch.exe...

Scanning Module:C:\WINDOWS\system32\MFC71.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCR71.dll...

Scanning Module:D:\FRITZ!\C66dll.dll...

Scanning Module:C:\WINDOWS\system32\MFC71DEU.DLL...

Scanning Module:D:\FRITZ!\I2errdeu.dll...

 

#:31 [spontania4im.exe]

FilePath : C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\

ProcessID : 2244

ThreadCreationTime : 25.01.2007 19:36:59

BasePriority : Normal

 

Scanning Module:C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe...

 

#:32 [wzqkpick.exe]

FilePath : D:\WinZip\

ProcessID : 2256

ThreadCreationTime : 25.01.2007 19:36:59

BasePriority : Normal

FileVersion : 1.0 (32-bit)

ProductVersion : 9.0 (6224g)

ProductName : WinZip

CompanyName : WinZip Computing, Inc.

FileDescription : WinZip Executable

InternalName : WZQKPICK.EXE

LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved

LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc

OriginalFilename : WZQKPICK.EXE

Comments : StringFileInfo: German

Scanning Module:D:\WinZip\WZQKPICK.EXE...

Scanning Module:C:\WINDOWS\system32\Hhctrl.ocx...

Scanning Module:C:\WINDOWS\system32\mui\0007\Hhctrlui.dll...

 

#:33 [trillian.exe]

FilePath : D:\Programme\Trillian\

ProcessID : 2276

ThreadCreationTime : 25.01.2007 19:37:03

BasePriority : Normal

FileVersion : 3.1.0.121

ProductVersion : 3.1.0.121

ProductName : Trillian

CompanyName : Cerulean Studios

FileDescription : Trillian

InternalName : Trillian

LegalCopyright : © Cerulean Studios, LLC. All rights reserved.

OriginalFilename : Trillian.exe

Scanning Module:D:\Programme\Trillian\trillian.exe...

Scanning Module:D:\Programme\Trillian\zlib1.dll...

Scanning Module:D:\Programme\Trillian\languages\de\trillian.dll...

Scanning Module:D:\Programme\Trillian\expatxml.dll...

Scanning Module:D:\Programme\Trillian\LIBEXPAT.dll...

Scanning Module:D:\Programme\Trillian\crypto.dll...

Scanning Module:D:\Programme\Trillian\proxy.dll...

Scanning Module:D:\Programme\Trillian\list.dll...

Scanning Module:D:\Programme\Trillian\toolkit.dll...

Scanning Module:D:\Programme\Trillian\kdu_v43R.dll...

Scanning Module:D:\Programme\Trillian\libpng13.dll...

Scanning Module:D:\Programme\Trillian\libjpeg.dll...

Scanning Module:D:\Programme\Trillian\libungif.dll...

Scanning Module:D:\Programme\Trillian\buddy.dll...

Scanning Module:D:\Programme\Trillian\talk.dll...

Scanning Module:C:\WINDOWS\system32\MSVFW32.dll...

Scanning Module:C:\WINDOWS\system32\AVIFIL32.dll...

Scanning Module:C:\WINDOWS\system32\dsound.dll...

Scanning Module:C:\WINDOWS\system32\sensapi.dll...

Scanning Module:D:\Programme\Trillian\languages\de\events.dll...

Scanning Module:D:\Programme\Trillian\languages\de\proxy.dll...

Scanning Module:D:\Programme\Trillian\languages\de\toolkit.dll...

Scanning Module:D:\Programme\Trillian\languages\de\buddy.dll...

Scanning Module:D:\Programme\Trillian\languages\de\talk.dll...

Scanning Module:d:\Programme\Trillian\plugins\upnp.dll...

Scanning Module:d:\Programme\Trillian\plugins\http.dll...

Scanning Module:d:\Programme\Trillian\plugins\irc.dll...

Scanning Module:D:\Programme\Trillian\languages\de\irc.dll...

Scanning Module:d:\Programme\Trillian\plugins\aim.dll...

Scanning Module:D:\Programme\Trillian\languages\de\aim.dll...

Scanning Module:d:\Programme\Trillian\plugins\av.dll...

 

#:34 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2304

ThreadCreationTime : 25.01.2007 19:37:09

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Automatische Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : wuauclt.exe

Scanning Module:C:\WINDOWS\system32\wuauclt.exe...

Scanning Module:C:\WINDOWS\system32\wuaucpl.cpl...

 

#:35 [ad-aware.exe]

FilePath : D:\Programme\Lavasoft\Ad-Aware SE Plus\

ProcessID : 2784

ThreadCreationTime : 25.01.2007 19:38:03

BasePriority : Normal

FileVersion : 6.2.0.237

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Scanning Module:D:\Programme\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe...

Scanning Module:C:\WINDOWS\system32\olepro32.dll...

Scanning Module:C:\WINDOWS\system32\RICHED32.DLL...

Scanning Module:C:\WINDOWS\system32\RICHED20.dll...

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 13

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 13

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 13

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 22.01.2017 19:38:24

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 18.02.2049 10:29:36

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 24.02.2007 17:51:14

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 24.01.2009 08:49:44

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Cookies\[email protected][1].txt

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 5

Objects found so far: 18

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Trojan.MatrisHasYou Object Recognized!

Type : File

Data : A0109683.dll

TAC Rating : 10

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 19

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 19

 

 

Deep scanning and examining files (E:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for E:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 19

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 19

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Trojan.MatrisHasYou Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment : Removing key.

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\windows\currentversion\policies\system

 

Win32.Trojan.MatrisHasYou Object Recognized!

Type : File

Data : taskdir.exe

TAC Rating : 10

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Other Object Recognized!

Type : File

Data : TASKDIR.EXE-02B5617A.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 3

Objects found so far: 22

 

20:58:47 Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:20:28.438

Objects scanned:425576

Objects identified:10

Objects ignored:0

New critical objects:10


Logfile of HijackThis v1.99.1

Scan saved at 21:03:17, on 25.01.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\nvraidservice.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\WINDOWS\system32\adirss.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Acrobat 5.0\Distillr\AcroTray.exe

D:\Programme\Hardcopy\hardcopy.exe

D:\FRITZ!\IWatch.exe

C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

D:\WinZip\WZQKPICK.EXE

D:\Programme\Trillian\trillian.exe

D:\Programme\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metager.de/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe

O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: FriFax32.exe.lnk = D:\FRITZ!\FriFax32.exe

O4 - Startup: Trillian.lnk = D:\Programme\Trillian\trillian.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Hardcopy.LNK = D:\Programme\Hardcopy\hardcopy.exe

O4 - Global Startup: ISDNWatch.lnk = D:\FRITZ!\IWatch.exe

O4 - Global Startup: Spontania Monitor.lnk = C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136215224218

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1391B7B-F497-4963-82F6-1E2FEEB28AA5}: NameServer = 192.168.120.252,192.168.120.253

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe

 

 

 

I really hope that you can help me.


Hello tuk-tuk, my name is David, welcome to Lavasoft!

 

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the HijackThis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords: for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

 

I've researched the entries and found this information, in case you find it useful:

 

Troj/Spamsrv-E contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. Troj/Spamsrv-E spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

 

So, that's the first thing, I recommend you change your passwords.

Here are two useful links, in case you wish to read more on the infection you have:

http://www.sophos.com/security/analyses/trojspamsrve.html

http://www.bleepingcomputer.com/startups/aDir-16272.html

 

OK, now on to the removal. Please follow these instructions exactly as posted; it's important. Also, it is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

 

Please set your system to show all files.

Click Start, open My Computer, select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

 

Open HijackThis, click 'Config' (bottom right) and choose the 'Misc Tools' tab at the top.

Choose 'Delete a file on reboot'. In the field, copy and paste the file path given a few lines below.

Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.

When asked if you want to reboot now, say No:

C:\WINDOWS\system32\adirss.exe

 

Please do the same for this file, say no when asked to reboot:

C:\WINDOWS\system32\clcbt.exe

 

Then finally do the same for this file:

C:\WINDOWS\system32\svchosts.exe

 

When asked to reboot, please choose Yes. Your system will reboot now.

 

Please click on Start > Run and type: sc delete COM+ Messages

Hit Enter and let the DOS window open and close. This is normal.

 

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

 

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe

O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Now reboot into Safe Mode.

This can be done by tapping the F8 key as soon as you start your computer.

You will be brought to a menu where you can choose to boot into safe mode.

Make sure you choose the option without networking support.

 

Please find and delete this folder if it's present:

C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031} <--folder

 

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

 

When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum in your next reply.

 

Download Bobbi Flekman's RegSearch from

http://www.bleepingcomputer.com/files/regsearch.php

 

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

 

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.

Copy / Paste the following line into the top Search Box:

 

clcbt

 

then on the second line down paste the following:

 

adirss

 

Now hit OK. After completion, Notepad will open with all found instances of the strings. The resulting file is saved in the same location as RegSearch.exe.

 

Download and save Blacklight to your desktop.

Double-click blbeta.exe, then accept the agreement.

Click on Scan, then click Next.

You'll see a list of all items found.

Do not choose to rename anything yet! I want to see the log first; legitimate items can also be present.

There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

Post the contents of the log in your next reply.

 

In your next reply I need 4 logs:

1) New Hijackthis log

2) Sdfix log

3) The Blacklight log

4) The regsearch log

 

You may need to split them up; sometimes there is a restriction on how much text you can post at a time.

After that, if everything goes to plan, I want to give the AVG program you have installed a run in safe mode.

If you have any questions, please don't hesitate to ask at any time.


I needed a little bit of time because I have a German version of XP installed. :)

 

Here are the logfiles you need:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 00:22:32, on 26.01.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\nvraidservice.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Acrobat 5.0\Distillr\AcroTray.exe

D:\Programme\Hardcopy\hardcopy.exe

D:\FRITZ!\IWatch.exe

C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

D:\WinZip\WZQKPICK.EXE

C:\RegSearch\regsearch.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programme\Internet Explorer\iexplore.exe

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\blbeta.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metager.de/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: FriFax32.exe.lnk = D:\FRITZ!\FriFax32.exe

O4 - Startup: Trillian.lnk = D:\Programme\Trillian\trillian.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Hardcopy.LNK = D:\Programme\Hardcopy\hardcopy.exe

O4 - Global Startup: ISDNWatch.lnk = D:\FRITZ!\IWatch.exe

O4 - Global Startup: Spontania Monitor.lnk = C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136215224218

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1391B7B-F497-4963-82F6-1E2FEEB28AA5}: NameServer = 192.168.120.252,192.168.120.253

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe

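The triage David did by eye in his reply (the svchosts.exe service impersonating svchost.exe, the "(file missing)" remark, the same te-110-12-0000273 argument on both the GUID-named Run entry and the service) and the comparison of the two HijackThis logs above can be done mechanically. The script below is an added example for this thread; it is not part of HijackThis, SDFix or Lavasoft's tooling, and the heuristics, the IMPERSONATED name list and the KNOWN_SYSTEM32_RUN allowlist are the example's own assumptions. It parses the O4 Run and O23 Service lines from an abridged copy of the first log posted above, explains why each flagged entry deserves a look, and reports which flagged entries are still present in the post-cleanup log.

```python
"""Triage of HijackThis O4 (Run) and O23 (Service) lines plus a before/after
comparison of two logs.  Added example for this thread, not part of HijackThis,
SDFix or Lavasoft's tooling; every heuristic below is this example's assumption."""
import difflib
import re
from collections import defaultdict, namedtuple

# Assumption: names malware imitates (svchosts.exe) or reuses outside system32.
IMPERSONATED = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe")
# Assumption: the one XP Run entry that legitimately starts a bare exe from system32.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")   # name - owner - path
EXE_RE = re.compile(r'[^"]*?\.exe', re.IGNORECASE)               # first .exe path
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TOKEN_RE = re.compile(r"[\w-]{8,}")   # opaque argument such as te-110-12-0000273
Entry = namedtuple("Entry", "kind name command raw")   # kind is "O4" or "O23"

def parse_hjt(text):
    """Extract the O4 Run and O23 Service entries from a HijackThis log."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m.group(2), m.group(3), line))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m.group(1), m.group(3), line))
    return entries

def split_command(command):
    """Return (directory, exe basename, opaque argument tokens) or None."""
    m = EXE_RE.search(command)
    if not m:
        return None
    directory, _, exe = m.group(0).rpartition("\\")
    args = (t.strip('"') for t in command[m.end():].split())
    return directory.lower(), exe.lower(), {t for t in args if TOKEN_RE.fullmatch(t)}

def looks_like(exe, target):
    """Cheap lookalike test: a one-character edit still scores above 0.85."""
    return exe != target and difflib.SequenceMatcher(None, exe, target).ratio() >= 0.85

def triage(entries):
    """Map each suspicious entry to the reasons it deserves a closer look."""
    findings, token_owners = defaultdict(list), defaultdict(list)
    for e in entries:
        if e.kind == "O4" and GUID_RE.match(e.name):
            findings[e].append("review: Run value named after a GUID")
        if "(file missing)" in e.command:
            findings[e].append("high: marked (file missing), binary deleted or hidden")
        parts = split_command(e.command)
        if parts is None:
            continue
        directory, exe, tokens = parts
        for target in IMPERSONATED:
            if exe == target and not directory.endswith("\\system32"):
                findings[e].append("high: %s started from outside system32" % target)
            elif looks_like(exe, target):
                findings[e].append("high: %s is a lookalike of %s" % (exe, target))
        if (e.kind == "O4" and directory.endswith("\\windows\\system32")
                and exe not in KNOWN_SYSTEM32_RUN):
            findings[e].append("review: Run key starts %s straight from system32" % exe)
        for t in tokens:
            token_owners[t].append(e)
    # The same opaque argument on a Run entry and on a service ties them together.
    for token, owners in token_owners.items():
        for e in owners:
            others = ", ".join(o.name for o in owners if o is not e)
            if others:
                findings[e].append("high: argument %s shared with %s" % (token, others))
    return dict(findings)

def persisted(before_text, after_text):
    """Flagged entries of the first log that still appear in the second one."""
    after_raw = {e.raw for e in parse_hjt(after_text)}
    return [e for e in triage(parse_hjt(before_text)) if e.raw in after_raw]

# Lines quoted from the first HijackThis log in this thread, abridged to the
# O4/O23 entries that matter here.
BEFORE_LOG = r'''
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
'''
# The second log in the thread no longer lists adirss, clcbt or the service but
# still carries the GUID-named Update.exe entry; mirror that here.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines()
                      if not any(s in l for s in ("adirss", "clcbt", "COM+ Messages")))

if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(BEFORE_LOG)).items():
        print(entry.raw)
        print("\n".join("    " + r for r in reasons))
    print("still present:", [e.name for e in persisted(BEFORE_LOG, AFTER_LOG)])
```

Run as-is it flags five entries in the first log and reports two of them as still present after SDFix: NVRaidService, a review-level false positive that shows why the system32 allowlist is an assumption to tune for each machine, and the GUID-named Update.exe Run entry, which the second HijackThis log in this thread does indeed still list. The lookalike test uses difflib's similarity ratio rather than a true edit distance, which is good enough for one-character typosquats such as svchosts.exe but should not be mistaken for a precise metric.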

SDFix: Version 1.62

 

25.01.2007 - 23:55:47,35

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

COM+ Messages

wincom32

 

Path:

"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273

\??\C:\WINDOWS\system32\wincom32.sys

 

COM+ Messages Deleted

wincom32 Deleted

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Files will be copied to Backups folder and removed:

 

C:\DOKUME~1\BIRGIT~1.N-C\LOKALE~1\Temp\temp_166320046.bat - Deleted

C:\WINDOWS\system32\adir.dll - Deleted

C:\WINDOWS\system32\game.exe - Deleted

C:\WINDOWS\system32\game0.exe - Deleted

C:\WINDOWS\system32\game1.exe - Deleted

C:\WINDOWS\system32\game2.exe - Deleted

C:\WINDOWS\system32\game3.exe - Deleted

C:\WINDOWS\system32\game4.exe - Deleted

C:\WINDOWS\system32\game5.exe - Deleted

C:\WINDOWS\system32\peers.ini - Deleted

C:\WINDOWS\system32\taskdir.exe - Deleted

C:\WINDOWS\system32\unsvchosts.lzma - Deleted

C:\WINDOWS\system32\wincom32.ini - Deleted

C:\WINDOWS\system32\wincom32.sys - Deleted

C:\WINDOWS\system32\zlbw.dll - Deleted

 

 

 

Alternate Streams Check:

 

C:\WINDOWS\system32

No streams found.

 

Final Check:

 

Remaining Services:

------------------

 

Rootkit PE386 Found!

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Programme\\ICQLite\\ICQLite.exe"="C:\\Programme\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"

"D:\\nilstemp\\steam\\Steam.exe"="D:\\nilstemp\\steam\\Steam.exe:*:Enabled:Steam"

"D:\\nilstemp\\steam\\SteamApps\\lincoooln\\counter-strike\\hl.exe"="D:\\nilstemp\\steam\\SteamApps\\lincoooln\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"D:\\nilstemp\\steam\\SteamApps\\lincoooln\\day of defeat\\hl.exe"="D:\\nilstemp\\steam\\SteamApps\\lincoooln\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"

"D:\\Skype\\Phone\\Skype.exe"="D:\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Dokumente und Einstellungen\\Birgit.N-CHBQJIO7IMVKM\\Lokale Einstellungen\\Temp\\metasploit.exe"="C:\\Dokumente und Einstellungen\\Birgit.N-CHBQJIO7IMVKM\\Lokale Einstellungen\\Temp\\metasploit.exe:*:Enabled:enable"

"C:\\boot.inx"="C:\\boot.inx:*:Enabled:enable"

"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"

"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\game4.exe"="C:\\WINDOWS\\system32\\game4.exe:*:Enabled:enable"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

 

Checking For Files with Hidden Attributes :

 

C:\NTDETECT.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DEVICE.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYB.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MODE.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MOUSE.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\NETBIND.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Paralink.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\command.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\CMDS16.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\E.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\GUEST.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\MSCDEX.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\Net.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OHCI.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\PROTMAN.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\UHCI.EXE

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe

C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe

C:\WINDOWS\system32\cdplayer.exe.manifest

C:\WINDOWS\system32\logonui.exe.manifest

C:\WINDOWS\system32\sdmvdlxe.exe

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI1394.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI2DOS.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI4DOS.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8DOS.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPI8U2.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPICD.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIEHCI.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIOHCI.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\ASPIUHCI.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BOOTSRV.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\bootsrv16.sys

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTCDROM.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\BTDOSM.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\COUNTRY.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DISPLAY.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\DLSHELP.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\FLASHPT.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\HIMEM.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\KEYBOARD.SYS

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\msbootsrv16.sys

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Ghost\Template\common\OAKCDROM.SYS

C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft\Word\~WRL0623.tmp

C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft\Word\~WRL0989.tmp

C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft\Word\~WRL3001.tmp

C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft\Word\~WRL3754.tmp

C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft\Word\~WRL3937.tmp

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Anwendungsdaten\Microsoft\Word\~WRL0259.tmp

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Anwendungsdaten\Microsoft\Word\~WRL0284.tmp

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Anwendungsdaten\Microsoft\Word\~WRL0807.tmp

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Anwendungsdaten\Microsoft\Word\~WRL0946.tmp

C:\Programme\Microsoft Office2003\Vorlagen\~WRL0003.tmp

 

Finished


01/26/07 00:17:00 [info]: BlackLight Engine 1.0.55 initialized

01/26/07 00:17:00 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/26/07 00:17:00 [Note]: 7019 4

01/26/07 00:17:00 [Note]: 7005 0

01/26/07 00:17:12 [Note]: 7006 0

01/26/07 00:17:12 [Note]: 7011 1880

01/26/07 00:17:12 [Note]: 7026 0

01/26/07 00:17:12 [Note]: 7026 0

01/26/07 00:17:15 [Note]: FSRAW library version 1.7.1021

01/26/07 00:19:41 [Note]: 2000 1012


Two other things happened during this procedure:

 

1. After the reboot from Safe Mode, XP gave a message that the system starts after a "big mistake" :)

2. Registry Search is hanging and I can only close it with the Task Manager.

 

Is this O.K.?


Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.2.0

 

; Results at 26.01.2007 00:08:52 for strings:

; 'clcbt'

; 'adirss'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe:*:Enabled:enable"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe:*:Enabled:enable"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"

"C:\\WINDOWS\\system32\\clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe:*:Enabled:enable"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]

"c"="C:\\WINDOWS\\system32\\adirss.exe"

"d"="C:\\WINDOWS\\system32\\clcbt.exe"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"b"="C:\\WINDOWS\\system32\\adirss.exe"

"c"="C:\\WINDOWS\\system32\\clcbt.exe"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\\WINDOWS\\system32\\clcbt.exe"="clcbt"

"C:\\WINDOWS\\system32\\adirss.exe"="adirss"

 

; End Of The Log...


Okay, good work! ^_^

 

Basically you've uncovered a lot more things that need to be done, and I have to break the news that you have quite a nasty rootkit infection. However, don't be put off by the word; most are fixable, it is just going to take a bit more work on both our parts. I can see from the reg log that your Windows Firewall allows a few malware files to access the internet. Although those files should now be deleted, I think it's best to remove these leftover entries with a simple regedit. I've got a few things I want you to do, then we'll run the rootkit remover tool.

 

Oh, and the system errors that you received about the "mistake" are possibly something to do with the rootkit you have installed - rootkits can often cause a system to become unstable.

 

1) Firstly, click start > run and copy and paste the following, then hit enter:

 

attrib -a -h -r -s "C:\WINDOWS\system32\sdmvdlxe.exe"

 

Do the same for the following, after doing the first command:

 

del /q "C:\WINDOWS\system32\sdmvdlxe.exe"

 

2) Please open Notepad and copy and paste the next bold text into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

 

"C:\\WINDOWS\\system32\\adirss.exe"=-

"C:\\WINDOWS\\system32\\clcbt.exe"=-

"C:\\boot.inx"=-

"C:\\WINDOWS\\system32\\game1.exe"=-

"C:\\WINDOWS\\system32\\game4.exe"=-

Save this as "fix.reg". Choose to save as "all files" and place it on your desktop.

It should look like this: reg8ip.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

 

3) Download the Rustock.b removal tool from the link below...and save it to your desktop:

http://www.uploads.ejvindh.net/rustbfix.exe

 

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.

The reboot will probably take quite a while, and perhaps 2 reboots will be needed.

But this will happen automatically.

After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).

 

4) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

 

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

 

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

5) Exit and reopen Hijackthis, and run a scan and save its log.

Post the C:\avenger.txt & C:\rustbfix\pelog.txt along with a new HijackThis log.

 

David

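As an added example (not from the thread, SDFix or Registry Search), here is the audit David performs by eye, done over a .reg export: parse the Windows XP SP2 firewall AuthorizedApplications\List values, decode the "path:scope:state:name" format, flag exceptions that point at unknown executables in system32 or carry the placeholder display name "enable", and render the same REGEDIT4 removal block as fix.reg. The sample .reg text is constructed from the entries quoted above plus one legitimate-looking third-party exception; the allowlist of known system32 binaries and the %windir% expansion are assumptions of this example.

```python
"""Audit XP SP2 firewall exceptions from a .reg export and emit a removal .reg."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Registry Search output in the thread, plus a
# legitimate-looking third-party entry (Trillian) to show what is NOT flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\game1.exe"="C:\\WINDOWS\\system32\\game1.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\game4.exe"="C:\\WINDOWS\\system32\\game4.exe:*:Enabled:enable"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Programme\\Trillian\\trillian.exe"="D:\\Programme\\Trillian\\trillian.exe:*:Enabled:Trillian"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

LIST_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List)\]$")
VALUE_RE = re.compile(r'^"(.+?)"="(.+)"$')

# Assumption: Remote Assistance's sessmgr.exe is the only Windows component expected
# in system32 on a default XP SP2 exception list. Extend for your own baseline.
KNOWN_SYSTEM32 = {"sessmgr.exe"}
WINDIR = r"C:\WINDOWS"  # assumed %windir% expansion, used only for comparison
PLACEHOLDER_NAMES = {"", "enable", "enabled"}


@dataclass
class FwException:
    profile: str
    key: str
    reg_name: str
    path: str
    scope: str
    state: str
    name: str
    reasons: list = field(default_factory=list)


def unescape(s):
    """A .reg file doubles backslashes; undo that."""
    return s.replace("\\\\", "\\")


def parse_list(reg_text):
    """Return one FwException per value under any AuthorizedApplications\\List key."""
    entries, key, profile = [], None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = LIST_KEY_RE.match(line)
            key, profile = (m.group(1), m.group(2)) if m else (None, None)
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        reg_name, value = unescape(m.group(1)), unescape(m.group(2))
        # Format: <path>:<scope>:<Enabled|Disabled>:<display name>. The path itself
        # contains "C:", so split off the last three fields from the right.
        parts = value.rsplit(":", 3)
        if len(parts) != 4:
            entries.append(FwException(profile, key, reg_name, value, "", "", "",
                                       ["unparseable value"]))
            continue
        path, scope, state, name = parts
        entries.append(FwException(profile, key, reg_name, path, scope, state, name))
    return entries


def audit(entries):
    """Attach reasons to suspicious entries and return only those."""
    sys32 = WINDIR.lower() + "\\system32\\"
    for e in entries:
        p = e.path.lower().replace("%windir%", WINDIR.lower())
        base = p.rsplit("\\", 1)[-1]
        if e.reg_name.lower() != e.path.lower():
            e.reasons.append("value name does not match embedded path")
        if e.name.lower() in PLACEHOLDER_NAMES:
            e.reasons.append("placeholder display name %r" % e.name)
        if p.startswith(sys32) and base not in KNOWN_SYSTEM32:
            e.reasons.append("unknown executable in system32")
    return [e for e in entries if e.reasons]


def removal_reg(flagged):
    """Render a REGEDIT4 file; '"name"=-' deletes that value when merged."""
    out = ["REGEDIT4", ""]
    for key in sorted({e.key for e in flagged}):
        out.append("[%s]" % key)
        out.extend('"%s"=-' % e.reg_name.replace("\\", "\\\\")
                   for e in flagged if e.key == key)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(parse_list(SAMPLE_REG))
    for e in found:
        print("%s: %s  [%s]" % (e.profile, e.path, "; ".join(e.reasons)))
    print()
    print(removal_reg(found))
```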

Hi David,

 

The attrib command is running. But if I want to run the del command I get a Windows message like this:

 

Couldn't find "del". Be sure that the name is written correctly and try again. Click on "Start" and then "Search" to search for the file.

 

What should I do now?

 

tuk-tuk


Sorry tuk-tuk, that was an error on my part.

 

Please replace step 1, with the following:

 

Open notepad and copy and paste the following text in the quote box into the window:

@echo off

attrib -a -h -r -s "C:\WINDOWS\system32\sdmvdlxe.exe"

del "C:\WINDOWS\system32\sdmvdlxe.exe"

Save this as fix3.bat

Choose to save as all files.

This is how the batch must look afterwards: bat.gif

Doubleclick fix3.bat and let the program run.

A small black dos window will flash, this is normal.


Hi David,

 

Here are two logfiles. The logfile avenger.txt didn't open and cannot be found on my PC.

 

 

************************* Rustock.b-fix -- By ejvindh *************************

28.01.2007 16:04:51,01

 

Rustock.b-driver on the system: NONE!

 

Rustock.b-ADS attached to the System32-folder:

:lzx32.sys 65568

Total size: 65568 bytes.

Attempting to remove ADS...

system32: deleted 65568 bytes in 1 streams.

 

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

 

 

******************* Post-run Status of system *******************

 

Rustock.b-driver on the system: NONE!

 

Rustock.b-ADS attached to the System32-folder:

No System32-ADS found.

 

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

 

 

******************************* End of Logfile ********************************

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:06:04, on 28.01.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\nvraidservice.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\Messenger\msmsgs.exe

D:\Acrobat 5.0\Distillr\AcroTray.exe

D:\Programme\Hardcopy\hardcopy.exe

D:\FRITZ!\IWatch.exe

C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

D:\WinZip\WZQKPICK.EXE

C:\WINDOWS\notepad.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metager.de/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: FriFax32.exe.lnk = D:\FRITZ!\FriFax32.exe

O4 - Startup: Trillian.lnk = D:\Programme\Trillian\trillian.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Hardcopy.LNK = D:\Programme\Hardcopy\hardcopy.exe

O4 - Global Startup: ISDNWatch.lnk = D:\FRITZ!\IWatch.exe

O4 - Global Startup: Spontania Monitor.lnk = C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136215224218

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1391B7B-F497-4963-82F6-1E2FEEB28AA5}: NameServer = 192.168.120.252,192.168.120.253

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe


Ok, good work! ;)

 

Please download, install, and update AVG Anti-Spyware.

Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.

 

After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.

Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.

This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left hand side.

 

When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button.

AVG Anti-Spyware will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As".

This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Close AVG Anti-Spyware and reboot!! Please post the log in your next reply.

 

David


Hi David,

 

Sad news. Here is the logfile of AVG Antispy:

 

---------------------------------------------------------------------------------------------------------------

AVG Anti-Spyware - Scan-Bericht

---------------------------------------------------------------------------------------------------------------

 

+ Erstellt um: 19:24:07 28.01.2007

 

+ Scan-Ergebnis:

 

C:\SDFix\backups\backups.zip/backups/game5.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP578\A0102091.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP578\A0102092.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP578\A0102093.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109691.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111794.exe -> Downloader.Agent.bet : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0108654.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109685.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109686.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109688.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109690.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111706.exe -> Downloader.Small.ciw : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP577\A0076879.exe -> Downloader.Small.dam : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\SDFix\backups\backups.zip/backups/wincom32.sys -> Dropper.Agent.bbv : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109689.sys -> Dropper.Agent.bbv : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111798.sys -> Dropper.Agent.bbv : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YXXU7EHG\demo3[1].exe -> Trojan.BHO.t : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\SDFix\backups\backups.zip/backups/adir.dll -> Worm.Banwarum.f : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111787.dll -> Worm.Banwarum.f : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109682.exe -> Worm.Banwarum.k : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0109684.exe -> Worm.Banwarum.k : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111673.exe -> Worm.Banwarum.k : Mit Backup gesäubert (unter Quarantäne gestellt).

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111780.exe -> Worm.Banwarum.k : Mit Backup gesäubert (unter Quarantäne gestellt).

 

::Berichtende


No that's fine, just as expected. :(

 

Please perform this online scan: Kaspersky Webscan

Read the Requirements and Privacy statement, then select "Accept"

A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"

Select a target to scan: Click on "My Computer"

When the scan is complete choose to save the results as "Save as Text"

Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

 

David


Hi David,

 

here are the logfiles.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:02:44, on 29.01.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\nvraidservice.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\Messenger\msmsgs.exe

D:\Acrobat 5.0\Distillr\AcroTray.exe

D:\Programme\Hardcopy\hardcopy.exe

D:\FRITZ!\IWatch.exe

C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

D:\WinZip\WZQKPICK.EXE

D:\FRITZ!\FriFax32.exe

C:\Programme\Internet Explorer\iexplore.exe

C:\Programme\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metager.de/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: FriFax32.exe.lnk = D:\FRITZ!\FriFax32.exe

O4 - Startup: Trillian.lnk = D:\Programme\Trillian\trillian.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Hardcopy.LNK = D:\Programme\Hardcopy\hardcopy.exe

O4 - Global Startup: ISDNWatch.lnk = D:\FRITZ!\IWatch.exe

O4 - Global Startup: Spontania Monitor.lnk = C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136215224218

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1391B7B-F497-4963-82F6-1E2FEEB28AA5}: NameServer = 192.168.120.252,192.168.120.253

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe

 

 

 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Monday, January 29, 2007 11:01:32 AM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 29/01/2007

Kaspersky Anti-Virus database records: 248087

-------------------------------------------------------------------------------

Scan Settings:

	Scan using the following antivirus database: standard

	Scan Archives: true

	Scan Mail Bases: true

Scan Target - My Computer:

	C:\

	D:\

	E:\

	J:\

	K:\

	L:\

Scan Statistics:

	Total number of scanned objects: 295936

	Number of viruses found: 9

	Number of infected objects: 25 / 0

	Number of suspicious objects: 0

	Duration of the scan process: 02:50:54

Infected Object Name / Virus Name / Last Action

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Dr Watson\user.dmp	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Cookies\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Verlauf\History.IE5\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007012920070130\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\ntuser.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\ntuser.dat.LOG	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Cookies\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0H278HEB\game[1].exe	Infected: Email-Worm.Win32.Banwarum.k	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\Lokale Einstellungen\Verlauf\History.IE5\index.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ntuser.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\LocalService.NT-AUTORITÄT\ntuser.dat.LOG	Object is locked	skipped

C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\NTUSER.DAT	Object is locked	skipped

C:\Dokumente und Einstellungen\NetworkService.NT-AUTORITÄT\ntuser.dat.LOG	Object is locked	skipped

C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP574\A0074061.exe	Infected: Backdoor.Win32.SdBot.bdj	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP574\A0074070.exe	Infected: Trojan-Downloader.Win32.Small.dam	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP577\A0076867.exe	Infected: Email-Worm.Win32.Zhelatin.a	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP578\A0102056.exe	Infected: Email-Worm.Win32.Zhelatin.a	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111788.exe	Infected: Email-Worm.Win32.Banwarum.k	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111789.exe	Infected: Email-Worm.Win32.Zhelatin.a	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111790.exe	Infected: Packed.Win32.Tibs.l	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111791.exe	Infected: Packed.Win32.Tibs.l	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111792.exe	Infected: Email-Worm.Win32.Zhelatin.d	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111793.exe	Infected: Packed.Win32.Tibs.l	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP581\A0111796.exe	Infected: Email-Worm.Win32.Banwarum.k	skipped

C:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP583\change.log	Object is locked	skipped

C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped

C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped

C:\WINDOWS\Sti_Trace.log	Object is locked	skipped

C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped

C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\default	Object is locked	skipped

C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SAM	Object is locked	skipped

C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped

C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\software	Object is locked	skipped

C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\system	Object is locked	skipped

C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped

C:\WINDOWS\system32\h323log.txt	Object is locked	skipped

C:\WINDOWS\system32\lnwin.exe	Infected: Packed.Win32.Tibs.l	skipped

C:\WINDOWS\system32\svchost.exe:exe.exe:$DATA	Infected: Trojan.Win32.Agent.aek	skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped

C:\WINDOWS\wiadebug.log	Object is locked	skipped

C:\WINDOWS\wiaservc.log	Object is locked	skipped

C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

D:\System Volume Information\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}\RP583\change.log	Object is locked	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\FARYN0.ACT\INBOX.FLD\JC4JDI0.MSG/[From befriend <sgynyd@actors-pool.de>][Date Fri, 19 Jan 2007 04:47:56 +0200]/Full	Infected: Trojan-Downloader.Win32.Small.dam	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\FARYN0.ACT\INBOX.FLD\JC4JDI0.MSG	Mail: infected - 1	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\B_F_M0.ACT\INBOX.FLD\JC4JDT0.MSG/[From befriend <sgynyd@actors-pool.de>][Date Fri, 19 Jan 2007 04:47:56 +0200]/Full	Infected: Trojan-Downloader.Win32.Small.dam	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\B_F_M0.ACT\INBOX.FLD\JC4JDT0.MSG	Mail: infected - 1	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\RUDOL0.ACT\INBOX.FLD\JC4J090.MSG/[From "Volksbanken Raiffeisenbanken" <rechnungsupport-id0470123vr@vr-networld.de>][Date Sun, 14 Jan 2007 08:07:28 +0100]/html	Infected: Trojan-Spy.HTML.Bankfraud.od	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\RUDOL0.ACT\INBOX.FLD\JC4J090.MSG	Mail: infected - 1	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\RUDOL0.ACT\INBOX.FLD\JC4J3W0.MSG/[From "Volksbanken Raiffeisenbanken" <support-4377664920vr@vr-networld.de>][Date Tue, 16 Jan 2007 07:57:32 +0100]/html	Infected: Trojan-Spy.HTML.Bankfraud.od	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\RUDOL0.ACT\INBOX.FLD\JC4J3W0.MSG	Mail: infected - 1	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\PUCK_0.ACT\INBOX.FLD\JC4J030.MSG/[From "GEZ Online" <rechnung@gez.de>][Date Sun, 14 Jan 2007 17:40:25 +0600]/Rechnung_GEZ.zip/RechnungGEZ.pdf.exe	Infected: Trojan-Downloader.Win32.Small.efe	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\PUCK_0.ACT\INBOX.FLD\JC4J030.MSG/[From "GEZ Online" <rechnung@gez.de>][Date Sun, 14 Jan 2007 17:40:25 +0600]/Rechnung_GEZ.zip	Infected: Trojan-Downloader.Win32.Small.efe	skipped

E:\Sicherungen vor Neuinstallation\PMMail 2000\PUCK_0.ACT\INBOX.FLD\JC4J030.MSG	Mail: infected - 2	skipped

Scan process completed.


Hi there, good work! :D

 

It is a good idea to print off these instructions:

This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.

You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

A printout of the instructions would be a good reference to make sure you don't get lost.

Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!

If you have any queries about the process or just general questions, just ask.

 

Please find and delete this file:

C:\WINDOWS\system32\lnwin.exe

 

Run HijackThis, click on Open the Misc Tools Section

Click on Open ADS Spy

uncheck the "Quick Scan"

uncheck the "Ignore safe system info data streams"

Finally, click Scan button. ADS Spy will scan the system and report all the ADS present in the system.

Click Save log. I will need that later on.

 

I want you to clean your cache and cookies from your internet explorer.

There are a few infected files which need to be removed from your system.

 

° Close all instances of Internet Explorer .

° Go to your control panel and open "Internet Options".

° Click on the "General" tab.

° Click the "Delete Cookies" button, then the "Delete Files" button.

° When prompted, place a tick in the "Delete all offline content" box and click OK.

 

Also, please clean other Temporary files and Empty the Recycle Bin

 

° Go to start and click on the "run" button.

° Type the following in the box --> cleanmgr and click ok.

° Let it scan your system for files to remove.

° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.

° Press OK to remove them.

 

We need to purge your infected system restore points.

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Check Turn off System Restore, click Apply, and then click OK.

More information on how to disable your system restore can be found here.

 

We want to create a new, clean restore point. Please first reboot your computer.

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Uncheck "Turn off System Restore", click Apply, and then click OK.

 

Click Start > All Programs > Accessories > System Tools, and select System Restore.

In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

Type a description for your new restore point - Something like "After trojan/spyware cleanup".

Click Create, and after it has created the restore point, click "Close".

Further instructions on creating a restore point can be found here.

 

Please post the ADS Spy log in your next reply.

David

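The cleanup steps above follow from where each Kaspersky hit sits: a file in a System Restore snapshot is purged by turning System Restore off and on, a hit in Temporary Internet Files goes with the cache, a hit inside an archived mail message lives in the mail store, an object name of the form `file.exe:stream:$DATA` is an NTFS alternate data stream, and only the remaining entries are live files to delete. The script below is an added example (not part of this thread or of Kaspersky's tooling) that applies exactly that triage to the tab-separated "Infected Object Name / Virus Name / Last Action" lines; the sample lines are constructed from the report posted above, and the action text per location mirrors the steps given in this reply.

```python
"""Triage the 'Infected Object Name / Virus Name / Last Action' lines of a
Kaspersky Online Scanner report by where each hit lives, so the cleanup
step follows the location (live file, NTFS stream, IE cache, System Restore
snapshot, mail archive). Added example; not part of this thread or of
Kaspersky's tooling. Assumes the tab-separated layout seen in the posted
report: <object name>\t<verdict>\t<last action>."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

# Sample lines, constructed from the report posted above (one per location).
SAMPLE_REPORT = [
    "C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped",
    "C:\\Dokumente und Einstellungen\\LocalService.NT-AUTORITÄT\\Lokale Einstellungen"
    "\\Temporary Internet Files\\Content.IE5\\0H278HEB\\game[1].exe"
    "\tInfected: Email-Worm.Win32.Banwarum.k\tskipped",
    "C:\\System Volume Information\\_restore{E3E2B049-95A3-4593-A323-0E7E3C04A0B7}"
    "\\RP574\\A0074061.exe\tInfected: Backdoor.Win32.SdBot.bdj\tskipped",
    "C:\\WINDOWS\\system32\\lnwin.exe\tInfected: Packed.Win32.Tibs.l\tskipped",
    "C:\\WINDOWS\\system32\\svchost.exe:exe.exe:$DATA"
    "\tInfected: Trojan.Win32.Agent.aek\tskipped",
    "E:\\Sicherungen vor Neuinstallation\\PMMail 2000\\PUCK_0.ACT\\INBOX.FLD\\JC4J030.MSG"
    "/[From \"GEZ Online\" <rechnung@gez.de>][Date Sun, 14 Jan 2007 17:40:25 +0600]"
    "/Rechnung_GEZ.zip\tInfected: Trojan-Downloader.Win32.Small.efe\tskipped",
    "E:\\Sicherungen vor Neuinstallation\\PMMail 2000\\PUCK_0.ACT\\INBOX.FLD\\JC4J030.MSG"
    "\tMail: infected - 2\tskipped",
]

# Cleanup step per location, as given in the helper's reply above.
ACTIONS = {
    "live_file": "delete the file, then re-scan",
    "ads": "remove the named stream from its host file (ADS Spy), then reboot",
    "browser_cache": "clear the IE cache and offline content",
    "system_restore": "disable System Restore, reboot, re-enable it, create a clean point",
    "mail_archive": "delete the message from the mail store or backup",
    "archive": "delete the archive or the member inside it",
}

_RESTORE = re.compile(r"^[a-z]:\\System Volume Information\\_restore\{", re.I)
_IE_CACHE = re.compile(r"\\Temporary Internet Files\\", re.I)
# drive:\path:stream[:$DATA] with no further colon or '/' -> NTFS alternate data stream
_ADS = re.compile(r"^[a-z]:\\[^:/]+:[^:\\/]+(?::\$DATA)?$", re.I)


@dataclass
class Hit:
    path: str
    verdict: str
    action: str
    location: str


def classify(path: str) -> str:
    """Map an object name to the location category that decides the cleanup."""
    if _RESTORE.match(path):
        return "system_restore"
    if _IE_CACHE.search(path):
        return "browser_cache"
    if "/[From " in path:          # mail sub-objects are reported as MSG/[From ...]/part
        return "mail_archive"
    if "/" in path:                # member of an archive, e.g. foo.zip/bar.exe
        return "archive"
    if _ADS.match(path):
        return "ads"
    return "live_file"


def parse_report(report: Union[str, Iterable[str]]) -> List[Hit]:
    """Keep only 'Infected:' lines; locked-object and summary lines carry no verdict."""
    lines = report.splitlines() if isinstance(report, str) else report
    hits = []
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 3 or not fields[1].startswith("Infected: "):
            continue
        path, verdict, action = fields
        hits.append(Hit(path, verdict[len("Infected: "):], action, classify(path)))
    return hits


def triage(report: Union[str, Iterable[str]]) -> Dict[str, List[Hit]]:
    """Group hits by location so each group maps to one cleanup step."""
    groups: Dict[str, List[Hit]] = {}
    for hit in parse_report(report):
        groups.setdefault(hit.location, []).append(hit)
    return groups


def summary(report: Union[str, Iterable[str]]) -> Counter:
    return Counter(h.location for h in parse_report(report))


if __name__ == "__main__":
    for location, hits in triage(SAMPLE_REPORT).items():
        print(f"[{location}] -> {ACTIONS[location]}")
        for h in hits:
            print(f"    {h.verdict:40} {h.path}")
```

The point of grouping is that the eleven restore-point hits in the report are not running code and need no per-file work, whereas the two hits under `C:\WINDOWS\system32` (the stray `lnwin.exe` and the stream attached to `svchost.exe`) are the ones that keep the machine infected. The `archive` category is an assumption about how archive members are named (`container/member`) and is not drawn from this report.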

Hi David,

 

here is the ADS logfile:

 

C:\Dokumente und Einstellungen\Admin\Eigene Dateien\Eigene Bilder\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\Admin\Eigene Dateien\Lager\Smilies\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\Admin\Eigene Dateien\Lager\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\Beispielbilder\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Eigene Bilder\Beispielbilder\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\Birgit\Eigene Dateien\Eigene Bilder\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\Birgit\Eigene Dateien\Eigene Musik\Thumbs.db : encryptable (0 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtest (0 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtr{0000278T-TT9K-T8DU-1KFV-23O5NTEJMVRR} (15 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtr{0000278T-TT9K-T8DU-1KFV-23O5NTEJMVS2} (15 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtest (0 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtr{0000278T-TT9K-T8DU-1KFV-23O5NTEJMVRR} (15 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtr{0000278T-TT9K-T8DU-1KFV-23O5NTEJMVS2} (15 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\attribute.exe : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\blbeta.exe : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\confixx2_handbuch.zip : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\ElsterFormular2004-Setup.exe : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\hijackthis\hijackthis.zip : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\hijackthis\hijackthis_199.zip : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\matisse.zip : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\regsearch.zip : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\rustbfix.exe : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\SDFix.exe : Zone.Identifier (26 bytes)

C:\Dokumente und Einstellungen\meilaodiy\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\a\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\b\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\css\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\f\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\1\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\2\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\3\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\4\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\5\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\g\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\h\faq\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\h\geb\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\h\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\haeder\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\l\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\m\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\msg\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\p\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\r\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\s\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\st\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\t1\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\t2\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\en\u\Thumbs.db : encryptable (0 bytes)

C:\Programme\Travian\img\Thumbs.db : encryptable (0 bytes)

C:\WINDOWS\system32\svchost.exe : exe.exe (35840 bytes)

 

 

tuk-tuk


Ok, good. Run the ADSspy again, and find and check the following entry:

 

C:\WINDOWS\system32\svchost.exe : exe.exe (35840 bytes)

 

Then press the "Remove Selected" button, then reboot.

 

Then let me know how the system is running. I see clean logs now! :(

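The ADS Spy log posted above is almost entirely noise: `Zone.Identifier` streams are the mark-of-the-web that Internet Explorer attaches to downloads, and the zero-byte `encryptable` streams on `Thumbs.db` are Explorer's thumbnail-cache marker. The one entry that matters is a 35840-byte stream named `exe.exe` behind `C:\WINDOWS\system32\svchost.exe`, the same object Kaspersky reported as `svchost.exe:exe.exe:$DATA`. As an added example (not part of this thread or of HijackThis), the script below parses the `<path> : <stream> (<size> bytes)` lines and ranks them so that a payload-sized stream on an executable is flagged first; the sample lines are constructed from the posted log, and treating `C:\WINDOWS\` as the system root is an assumption taken from the paths in this thread.

```python
"""Rank the entries of an ADS Spy log (HijackThis, Misc Tools) so the one
stream worth removing stands out from the harmless ones. Added example; not
part of this thread or of HijackThis. Assumes the line layout shown in the
posted log: <host path> : <stream name> (<size> bytes)."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Sample lines, constructed from the ADS Spy log posted above.
SAMPLE_ADS_LOG = [
    r"C:\Dokumente und Einstellungen\Admin\Eigene Dateien\Eigene Bilder\Thumbs.db : encryptable (0 bytes)",
    r"C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM : zylomtest (0 bytes)",
    r"C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\Desktop\SDFix.exe : Zone.Identifier (26 bytes)",
    r"C:\WINDOWS\system32\svchost.exe : exe.exe (35840 bytes)",
]

_LINE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}
SYSTEM_ROOT = "c:\\windows\\"          # assumption: matches the paths in this thread
SEVERITY_ORDER = {"high": 0, "review": 1, "benign": 2}


@dataclass
class AdsEntry:
    path: str
    stream: str
    size: int


@dataclass
class Finding:
    entry: AdsEntry
    severity: str
    reason: str


def parse_ads_log(lines: Iterable[str]) -> List[AdsEntry]:
    """Parse 'path : stream (N bytes)' lines; anything else is ignored."""
    entries = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            entries.append(AdsEntry(m["path"], m["stream"], int(m["size"])))
    return entries


def assess(e: AdsEntry) -> Finding:
    """Decide whether a stream is a known Windows artifact or needs a look."""
    name = ntpath.basename(e.path)
    ext = ntpath.splitext(name)[1].lower()
    if e.stream == "Zone.Identifier" and e.size <= 1024:
        # Mark-of-the-web on a downloaded file: a few dozen bytes of INI text.
        return Finding(e, "benign", "mark-of-the-web on a downloaded file")
    if e.stream == "encryptable" and name.lower() == "thumbs.db" and e.size == 0:
        # Empty marker Explorer puts on its thumbnail cache.
        return Finding(e, "benign", "Explorer thumbnail-cache marker")
    if ext in EXECUTABLE_EXTS and e.size > 0:
        where = "a system binary" if e.path.lower().startswith(SYSTEM_ROOT) else "an executable"
        return Finding(e, "high",
                       f"{e.size}-byte stream '{e.stream}' attached to {where}; "
                       "streams are invisible to Explorer and dir")
    return Finding(e, "review", f"unrecognised stream '{e.stream}' ({e.size} bytes)")


def findings(lines: Iterable[str]) -> List[Finding]:
    """All findings, most serious first (sort is stable, log order otherwise)."""
    return sorted((assess(e) for e in parse_ads_log(lines)),
                  key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(lines: Iterable[str]) -> Counter:
    return Counter(f.severity for f in findings(lines))


if __name__ == "__main__":
    for f in findings(SAMPLE_ADS_LOG):
        print(f"{f.severity:6} {f.entry.path} : {f.entry.stream}  ({f.reason})")
```

The unknown `zylom*` streams on the user profile directory land in `review` rather than `high` because they sit on a directory, not an executable, and carry 0 or 15 bytes; a log-only check cannot say more than that, so the rule leaves them for a human to look at.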

Hi David,

 

First, excuse my very, very late response, please. I am down with influenza. :/

 

I have scanned my system with Ad-Aware, AVG Antispy and HijackThis. The logfiles I will copy into the next posts.

 

I have to say that I have not been online with the infected Windows system since the Kaspersky online scan. I am now online with Knoppix (Linux live DVD).

 

tuk-tuk


Ad-Aware SE Build 1.06r1

Logfile Created on:Samstag, 3. Februar 2007 13:33:42

Using definitions file:SE1R147 25.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):10 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Ignore spanned files when scanning cab archives

Set : Scan registry for all users instead of current user only

Set : Automatically check all objects in results lists

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Block pop-ups aggressively

Set : Automatically select problematic objects in results lists

Set : Include info about ignored objects in log file, if detected in scan

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include used command line parameters in log file

Set : Include reference summary in log file

Set : Include module list in log file

Set : Include alternate data stream details in log file

Set : Show splash screen

Set : Backup current definitions file before updating

Set : Create and save WebUpdate log file

Set : Play sound at scan completion if scan locates critical objects

 

 

03.02.2007 13:33:42 - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Dokumente und Einstellungen\Birgit.N-CHBQJIO7IMVKM\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-573735546-839522115-1003\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 416

ThreadCreationTime : 03.02.2007 11:35:40

BasePriority : Normal

 

Scanning Module:\SystemRoot\System32\smss.exe...

Scanning Module:C:\WINDOWS\system32\ntdll.dll...

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 472

ThreadCreationTime : 03.02.2007 11:35:42

BasePriority : Normal

 

Scanning Module:\??\C:\WINDOWS\system32\csrss.exe...

Scanning Module:C:\WINDOWS\system32\CSRSRV.dll...

Scanning Module:C:\WINDOWS\system32\basesrv.dll...

Scanning Module:C:\WINDOWS\system32\winsrv.dll...

Scanning Module:C:\WINDOWS\system32\USER32.dll...

Scanning Module:C:\WINDOWS\system32\KERNEL32.dll...

Scanning Module:C:\WINDOWS\system32\GDI32.dll...

Scanning Module:C:\WINDOWS\system32\LPK.DLL...

Scanning Module:C:\WINDOWS\system32\USP10.dll...

Scanning Module:C:\WINDOWS\system32\msvcrt.dll...

Scanning Module:C:\WINDOWS\system32\ADVAPI32.dll...

Scanning Module:C:\WINDOWS\system32\RPCRT4.dll...

Scanning Module:C:\WINDOWS\system32\sxs.dll...

Scanning Module:C:\WINDOWS\system32\Apphelp.dll...

Scanning Module:C:\WINDOWS\system32\VERSION.dll...

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 504

ThreadCreationTime : 03.02.2007 11:35:43

BasePriority : High

 

Scanning Module:\??\C:\WINDOWS\system32\winlogon.exe...

Scanning Module:C:\WINDOWS\system32\AUTHZ.dll...

Scanning Module:C:\WINDOWS\system32\CRYPT32.dll...

Scanning Module:C:\WINDOWS\system32\MSASN1.dll...

Scanning Module:C:\WINDOWS\system32\NDdeApi.dll...

Scanning Module:C:\WINDOWS\system32\PROFMAP.dll...

Scanning Module:C:\WINDOWS\system32\NETAPI32.dll...

Scanning Module:C:\WINDOWS\system32\USERENV.dll...

Scanning Module:C:\WINDOWS\system32\PSAPI.DLL...

Scanning Module:C:\WINDOWS\system32\REGAPI.dll...

Scanning Module:C:\WINDOWS\system32\Secur32.dll...

Scanning Module:C:\WINDOWS\system32\SETUPAPI.dll...

Scanning Module:C:\WINDOWS\system32\WINSTA.dll...

Scanning Module:C:\WINDOWS\system32\WINTRUST.dll...

Scanning Module:C:\WINDOWS\system32\IMAGEHLP.dll...

Scanning Module:C:\WINDOWS\system32\WS2_32.dll...

Scanning Module:C:\WINDOWS\system32\WS2HELP.dll...

Scanning Module:C:\WINDOWS\system32\IMM32.DLL...

Scanning Module:C:\WINDOWS\system32\MSGINA.dll...

Scanning Module:C:\WINDOWS\system32\SHELL32.dll...

Scanning Module:C:\WINDOWS\system32\SHLWAPI.dll...

Scanning Module:C:\WINDOWS\system32\COMCTL32.dll...

Scanning Module:C:\WINDOWS\system32\ODBC32.dll...

Scanning Module:C:\WINDOWS\system32\comdlg32.dll...

Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...

Scanning Module:C:\WINDOWS\system32\odbcint.dll...

Scanning Module:C:\WINDOWS\system32\SHSVCS.dll...

Scanning Module:C:\WINDOWS\system32\sfc.dll...

Scanning Module:C:\WINDOWS\system32\sfc_os.dll...

Scanning Module:C:\WINDOWS\system32\ole32.dll...

Scanning Module:C:\WINDOWS\system32\msctfime.ime...

Scanning Module:C:\WINDOWS\system32\WINSCARD.DLL...

Scanning Module:C:\WINDOWS\system32\WTSAPI32.dll...

Scanning Module:C:\WINDOWS\system32\uxtheme.dll...

Scanning Module:C:\WINDOWS\system32\WINMM.dll...

Scanning Module:C:\WINDOWS\system32\Ati2evxx.dll...

Scanning Module:C:\WINDOWS\system32\rsaenh.dll...

Scanning Module:C:\WINDOWS\system32\cscdll.dll...

Scanning Module:C:\WINDOWS\system32\WlNotify.dll...

Scanning Module:C:\WINDOWS\system32\WINSPOOL.DRV...

Scanning Module:C:\WINDOWS\system32\MPR.dll...

Scanning Module:C:\WINDOWS\system32\wldap32.dll...

Scanning Module:C:\WINDOWS\system32\SAMLIB.dll...

Scanning Module:C:\WINDOWS\system32\cscui.dll...

Scanning Module:C:\WINDOWS\system32\msv1_0.dll...

Scanning Module:C:\WINDOWS\system32\iphlpapi.dll...

Scanning Module:C:\WINDOWS\system32\MPRAPI.dll...

Scanning Module:C:\WINDOWS\system32\ACTIVEDS.dll...

Scanning Module:C:\WINDOWS\system32\adsldpc.dll...

Scanning Module:C:\WINDOWS\system32\ATL.DLL...

Scanning Module:C:\WINDOWS\system32\OLEAUT32.dll...

Scanning Module:C:\WINDOWS\system32\rtutils.dll...

Scanning Module:C:\WINDOWS\system32\xpsp2res.dll...

Scanning Module:C:\WINDOWS\system32\wdmaud.drv...

Scanning Module:C:\WINDOWS\system32\msacm32.drv...

Scanning Module:C:\WINDOWS\system32\MSACM32.dll...

Scanning Module:C:\WINDOWS\system32\midimap.dll...

Scanning Module:C:\WINDOWS\system32\COMRes.dll...

Scanning Module:C:\WINDOWS\system32\CLBCATQ.DLL...

Scanning Module:C:\WINDOWS\system32\NTMARTA.DLL...

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 548

ThreadCreationTime : 03.02.2007 11:35:44

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Anwendung für Dienste und Controller

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : services.exe

Scanning Module:C:\WINDOWS\system32\services.exe...

Scanning Module:C:\WINDOWS\system32\SCESRV.dll...

Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...

Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCP60.dll...

Scanning Module:C:\WINDOWS\system32\ShimEng.dll...

Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...

Scanning Module:C:\WINDOWS\system32\eventlog.dll...

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 560

ThreadCreationTime : 03.02.2007 11:35:44

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

Scanning Module:C:\WINDOWS\system32\lsass.exe...

Scanning Module:C:\WINDOWS\system32\LSASRV.dll...

Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...

Scanning Module:C:\WINDOWS\system32\cryptdll.dll...

Scanning Module:C:\WINDOWS\system32\DNSAPI.dll...

Scanning Module:C:\WINDOWS\system32\NTDSAPI.dll...

Scanning Module:C:\WINDOWS\system32\msprivs.dll...

Scanning Module:C:\WINDOWS\system32\kerberos.dll...

Scanning Module:C:\WINDOWS\system32\netlogon.dll...

Scanning Module:C:\WINDOWS\system32\w32time.dll...

Scanning Module:C:\WINDOWS\system32\schannel.dll...

Scanning Module:C:\WINDOWS\system32\wdigest.dll...

Scanning Module:C:\WINDOWS\system32\scecli.dll...

Scanning Module:C:\WINDOWS\system32\ipsecsvc.dll...

Scanning Module:C:\WINDOWS\system32\oakley.DLL...

Scanning Module:C:\WINDOWS\system32\WINIPSEC.DLL...

Scanning Module:C:\WINDOWS\system32\pstorsvc.dll...

Scanning Module:C:\WINDOWS\system32\psbase.dll...

Scanning Module:C:\Programme\Steganos Internet Anonym 5\sselsp.dll...

Scanning Module:C:\WINDOWS\system32\mswsock.dll...

Scanning Module:C:\WINDOWS\system32\hnetcfg.dll...

Scanning Module:C:\WINDOWS\System32\wshtcpip.dll...

Scanning Module:C:\WINDOWS\system32\dssenh.dll...

 

#:6 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 708

ThreadCreationTime : 03.02.2007 11:35:44

BasePriority : Normal

 

Scanning Module:C:\WINDOWS\system32\Ati2evxx.exe...

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 728

ThreadCreationTime : 03.02.2007 11:35:44

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:C:\WINDOWS\system32\svchost.exe...

Scanning Module:c:\windows\system32\rpcss.dll...

Scanning Module:c:\windows\system32\termsrv.dll...

Scanning Module:c:\windows\system32\ICAAPI.dll...

Scanning Module:c:\windows\system32\mstlsapi.dll...

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 812

ThreadCreationTime : 03.02.2007 11:35:45

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:C:\WINDOWS\System32\winrnr.dll...

Scanning Module:C:\WINDOWS\system32\rasadhlp.dll...

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 860

ThreadCreationTime : 03.02.2007 11:35:45

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\dhcpcsvc.dll...

Scanning Module:c:\windows\system32\wzcsvc.dll...

Scanning Module:c:\windows\system32\WMI.dll...

Scanning Module:c:\windows\system32\ESENT.dll...

Scanning Module:c:\windows\system32\schedsvc.dll...

Scanning Module:C:\WINDOWS\System32\MSIDLE.DLL...

Scanning Module:C:\WINDOWS\System32\rastls.dll...

Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...

Scanning Module:C:\WINDOWS\system32\WININET.dll...

Scanning Module:C:\WINDOWS\System32\RASAPI32.dll...

Scanning Module:C:\WINDOWS\System32\rasman.dll...

Scanning Module:C:\WINDOWS\System32\TAPI32.dll...

Scanning Module:C:\WINDOWS\System32\raschap.dll...

Scanning Module:c:\windows\system32\audiosrv.dll...

Scanning Module:c:\windows\system32\wkssvc.dll...

Scanning Module:c:\windows\system32\cryptsvc.dll...

Scanning Module:c:\windows\system32\certcli.dll...

Scanning Module:c:\windows\system32\dmserver.dll...

Scanning Module:c:\windows\system32\ersvc.dll...

Scanning Module:c:\windows\system32\es.dll...

Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...

Scanning Module:c:\windows\system32\hidserv.dll...

Scanning Module:c:\windows\system32\HID.DLL...

Scanning Module:c:\windows\system32\srvsvc.dll...

Scanning Module:c:\windows\system32\netman.dll...

Scanning Module:c:\windows\system32\netshell.dll...

Scanning Module:c:\windows\system32\credui.dll...

Scanning Module:c:\windows\system32\WZCSAPI.DLL...

Scanning Module:c:\windows\system32\seclogon.dll...

Scanning Module:c:\windows\system32\sens.dll...

Scanning Module:c:\windows\system32\srsvc.dll...

Scanning Module:c:\windows\system32\POWRPROF.dll...

Scanning Module:c:\windows\system32\trkwks.dll...

Scanning Module:c:\windows\system32\wbem\wmisvc.dll...

Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...

Scanning Module:c:\windows\system32\wuauserv.dll...

Scanning Module:C:\WINDOWS\system32\wuaueng.dll...

Scanning Module:C:\WINDOWS\System32\ADVPACK.dll...

Scanning Module:C:\WINDOWS\System32\SHFOLDER.dll...

Scanning Module:C:\WINDOWS\System32\WINHTTP.dll...

Scanning Module:C:\WINDOWS\System32\Cabinet.dll...

Scanning Module:C:\WINDOWS\System32\mspatcha.dll...

Scanning Module:c:\windows\system32\ipnathlp.dll...

Scanning Module:c:\windows\system32\wscsvc.dll...

Scanning Module:c:\windows\system32\msi.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemcomn.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\wbemcore.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\esscli.dll...

Scanning Module:C:\WINDOWS\System32\Wbem\FastProx.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemsvc.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wmiutils.dll...

Scanning Module:C:\WINDOWS\System32\wbem\repdrvfs.dll...

Scanning Module:C:\WINDOWS\system32\comsvcs.dll...

Scanning Module:C:\WINDOWS\system32\MTXCLU.DLL...

Scanning Module:C:\WINDOWS\system32\WSOCK32.dll...

Scanning Module:C:\WINDOWS\system32\colbact.DLL...

Scanning Module:C:\WINDOWS\System32\CLUSAPI.DLL...

Scanning Module:C:\WINDOWS\System32\RESUTILS.DLL...

Scanning Module:C:\WINDOWS\System32\wbem\wmiprvsd.dll...

Scanning Module:C:\WINDOWS\System32\wbem\wbemess.dll...

Scanning Module:c:\windows\system32\browser.dll...

Scanning Module:C:\WINDOWS\System32\wbem\ncprov.dll...

Scanning Module:C:\WINDOWS\System32\netcfgx.dll...

Scanning Module:C:\WINDOWS\System32\upnp.dll...

Scanning Module:C:\WINDOWS\System32\SSDPAPI.dll...

Scanning Module:C:\WINDOWS\System32\rasmans.dll...

Scanning Module:c:\windows\system32\tapisrv.dll...

Scanning Module:C:\WINDOWS\System32\rastapi.dll...

Scanning Module:C:\WINDOWS\System32\unimdm.tsp...

Scanning Module:C:\WINDOWS\System32\uniplat.dll...

Scanning Module:C:\WINDOWS\System32\kmddsp.tsp...

Scanning Module:C:\WINDOWS\System32\ndptsp.tsp...

Scanning Module:C:\WINDOWS\System32\ipconf.tsp...

Scanning Module:C:\WINDOWS\System32\h323.tsp...

Scanning Module:C:\WINDOWS\System32\hidphone.tsp...

Scanning Module:C:\WINDOWS\System32\rasppp.dll...

Scanning Module:C:\WINDOWS\System32\ntlsapi.dll...

Scanning Module:C:\WINDOWS\System32\RASDLG.dll...

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 924

ThreadCreationTime : 03.02.2007 11:35:45

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\dnsrslvr.dll...

 

#:11 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 952

ThreadCreationTime : 03.02.2007 11:35:45

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\lmhsvc.dll...

Scanning Module:c:\windows\system32\webclnt.dll...

Scanning Module:C:\WINDOWS\system32\urlmon.dll...

Scanning Module:c:\windows\system32\regsvc.dll...

Scanning Module:c:\windows\system32\ssdpsrv.dll...

 

#:12 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1040

ThreadCreationTime : 03.02.2007 11:35:45

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

Scanning Module:C:\WINDOWS\system32\spoolsv.exe...

Scanning Module:C:\WINDOWS\system32\SPOOLSS.DLL...

Scanning Module:C:\WINDOWS\system32\localspl.dll...

Scanning Module:C:\WINDOWS\system32\cnbjmon.dll...

Scanning Module:C:\WINDOWS\system32\FritzColorPort.dll...

Scanning Module:C:\WINDOWS\system32\MFC70U.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCR70.dll...

Scanning Module:C:\WINDOWS\system32\OLEACC.dll...

Scanning Module:C:\WINDOWS\system32\FritzPort.dll...

Scanning Module:C:\WINDOWS\system32\mdimon.dll...

Scanning Module:C:\WINDOWS\system32\pdfports.dll...

Scanning Module:d:\Acrobat 5.0\Distillr\adistres.dll...

Scanning Module:C:\WINDOWS\system32\pjlmon.dll...

Scanning Module:C:\WINDOWS\system32\tcpmon.dll...

Scanning Module:C:\WINDOWS\system32\usbmon.dll...

Scanning Module:C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll...

Scanning Module:C:\WINDOWS\system32\win32spl.dll...

Scanning Module:C:\WINDOWS\system32\NETRAP.dll...

Scanning Module:C:\WINDOWS\system32\inetpp.dll...

 

#:13 [guard.exe]

FilePath : d:\Programme\Grisoft\AVG Anti-Spyware 7.5\

ProcessID : 1136

ThreadCreationTime : 03.02.2007 11:35:46

BasePriority : Normal

FileVersion : 7, 5, 0, 47

ProductVersion : 7, 5, 0, 47

ProductName : AVG Anti-Spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : AVG Anti-Spyware guard

InternalName : AVG Anti-Spyware guard

LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.

OriginalFilename : guard.exe

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe...

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\engine.dll...

 

#:14 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1340

ThreadCreationTime : 03.02.2007 11:35:50

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Scanning Module:c:\windows\system32\wiaservc.dll...

Scanning Module:c:\windows\system32\CFGMGR32.dll...

Scanning Module:c:\windows\system32\mscms.dll...

Scanning Module:C:\WINDOWS\System32\actxprxy.dll...

Scanning Module:C:\WINDOWS\System32\sti.dll...

 

#:15 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1424

ThreadCreationTime : 03.02.2007 11:35:51

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

Scanning Module:C:\WINDOWS\system32\wdfmgr.exe...

 

#:16 [ati2evxx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1864

ThreadCreationTime : 03.02.2007 11:35:57

BasePriority : Normal

 

Scanning Module:C:\WINDOWS\system32\MSCTF.dll...

Scanning Module:D:\Programme\Hardcopy\HcDLL2_J_Win32.dll...

 

#:17 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1936

ThreadCreationTime : 03.02.2007 11:35:57

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Betriebssystem Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.

OriginalFilename : EXPLORER.EXE

Scanning Module:C:\WINDOWS\Explorer.EXE...

Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...

Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...

Scanning Module:C:\WINDOWS\System32\themeui.dll...

Scanning Module:C:\WINDOWS\System32\MSIMG32.dll...

Scanning Module:C:\WINDOWS\System32\msutb.dll...

Scanning Module:C:\PROGRA~1\WINDOW~2\wmpband.dll...

Scanning Module:C:\WINDOWS\system32\browselc.dll...

Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...

Scanning Module:C:\WINDOWS\system32\ntshrui.dll...

Scanning Module:D:\PROGRA~1\SPYBOT~1\SDHelper.dll...

Scanning Module:C:\WINDOWS\system32\olepro32.dll...

Scanning Module:C:\WINDOWS\system32\DUSER.dll...

Scanning Module:D:\Programme\Microsoft Office\OFFICE11\msohev.dll...

Scanning Module:C:\WINDOWS\System32\webcheck.dll...

Scanning Module:C:\WINDOWS\System32\stobject.dll...

Scanning Module:C:\WINDOWS\System32\BatMeter.dll...

Scanning Module:C:\WINDOWS\system32\upnpui.dll...

Scanning Module:C:\WINDOWS\System32\drprov.dll...

Scanning Module:C:\WINDOWS\System32\ntlanman.dll...

Scanning Module:C:\WINDOWS\System32\NETUI0.dll...

Scanning Module:C:\WINDOWS\System32\NETUI1.dll...

Scanning Module:C:\WINDOWS\System32\davclnt.dll...

Scanning Module:C:\WINDOWS\system32\syncui.dll...

Scanning Module:D:\WINZIP\WZSHLSTB.DLL...

Scanning Module:C:\Programme\WinRAR\rarext.dll...

Scanning Module:c:\programme\steganos internet anonym 5\shredderse.dll...

Scanning Module:C:\Programme\ICQLite\ICQLiteShell.dll...

Scanning Module:C:\WINDOWS\system32\MFC42.DLL...

Scanning Module:C:\WINDOWS\system32\MFC42LOC.DLL...

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\context.dll...

Scanning Module:d:\PROGRA~1\ROMAIN~1\ATTRIB~1\acshell.dll...

Scanning Module:d:\PROGRA~1\ROMAIN~1\ATTRIB~1\AcLang.dll...

Scanning Module:d:\Programme\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll...

Scanning Module:C:\WINDOWS\system32\shdoclc.dll...

Scanning Module:C:\WINDOWS\System32\shimgvw.dll...

Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll...

Scanning Module:c:\windows\srchasst\srchui.dll...

Scanning Module:c:\windows\srchasst\srchctls.dll...

Scanning Module:C:\WINDOWS\msagent\agentdp2.dll...

Scanning Module:C:\WINDOWS\System32\msxml3.dll...

Scanning Module:C:\WINDOWS\System32\jscript.dll...

Scanning Module:C:\WINDOWS\system32\MLANG.dll...

Scanning Module:D:\Programme\Hardcopy\hardcopy.dll...

Scanning Module:C:\WINDOWS\system32\msadp32.acm...

Scanning Module:C:\WINDOWS\system32\xpsp1res.dll...

Scanning Module:C:\WINDOWS\system32\RichEd32.dll...

Scanning Module:C:\WINDOWS\system32\RICHED20.dll...

Scanning Module:C:\WINDOWS\System32\mydocs.dll...

 

#:18 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 144

ThreadCreationTime : 03.02.2007 11:35:58

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

Scanning Module:C:\WINDOWS\System32\alg.exe...

 

#:19 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 280

ThreadCreationTime : 03.02.2007 11:35:59

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

Scanning Module:C:\WINDOWS\system32\wscntfy.exe...

 

#:20 [soundman.exe]

FilePath : C:\WINDOWS\

ProcessID : 388

ThreadCreationTime : 03.02.2007 11:36:03

BasePriority : Normal

FileVersion : 5.1.0.29

ProductVersion : 5.1.0.29

ProductName : Realtek Sound Manager

CompanyName : Realtek Semiconductor Corp.

FileDescription : Realtek Sound Manager

InternalName : ALSMTray

LegalCopyright : Copyright © 2001-2004 Realtek Semiconductor Corp.

OriginalFilename : ALSMTray.exe

Comments : Realtek AC97 Audio Sound Manager

Scanning Module:C:\WINDOWS\SOUNDMAN.EXE...

 

#:21 [nvraidservice.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 396

ThreadCreationTime : 03.02.2007 11:36:03

BasePriority : Normal

FileVersion : 1.0.1

ProductVersion : 1.0.1

ProductName : NVIDIA® NVRAID

CompanyName : NVIDIA Corporation

FileDescription : Raid Service U.S. English Resources

InternalName : NvRaidServiceENU.dll

LegalCopyright : Copyright© NVIDIA Corporation 2000-2003.

LegalTrademarks : NVIDIA® is a registered trademark of NVIDIA Corporation.

OriginalFilename : NvRaidServiceENU.dll

Scanning Module:C:\WINDOWS\System32\nvraidservice.exe...

Scanning Module:C:\WINDOWS\System32\wbem\wbemprox.dll...

Scanning Module:C:\WINDOWS\System32\NvRaidSvENU.dll...

 

#:22 [atiptaxx.exe]

FilePath : C:\Programme\ATI Technologies\ATI Control Panel\

ProcessID : 440

ThreadCreationTime : 03.02.2007 11:36:03

BasePriority : Normal

FileVersion : 6.14.10.5046

ProductVersion : 6.14.10.5046

ProductName : ATI Desktop Component

CompanyName : ATI Technologies, Inc.

FileDescription : ATI Desktop Control Panel

InternalName : Atiptaxx.exe

LegalCopyright : Copyright © 1998-2002 ATI Technologies Inc.

OriginalFilename : Atiptaxx.exe

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe...

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atipdsxx.dll...

Scanning Module:C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.DEU...

Scanning Module:C:\Programme\ATI Technologies\ATI Control Panel\atipdxxx.dll...

Scanning Module:C:\WINDOWS\system32\DINPUT8.dll...

 

#:23 [wmiprvse.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 460

ThreadCreationTime : 03.02.2007 11:36:03

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

Scanning Module:C:\WINDOWS\System32\wbem\wmiprvse.exe...

Scanning Module:C:\WINDOWS\System32\wbem\wmiprov.dll...

 

#:24 [jusched.exe]

FilePath : C:\Programme\Java\jre1.5.0_02\bin\

ProcessID : 476

ThreadCreationTime : 03.02.2007 11:36:04

BasePriority : Normal

 

Scanning Module:C:\Programme\Java\jre1.5.0_02\bin\jusched.exe...

 

#:25 [avgas.exe]

FilePath : D:\Programme\Grisoft\AVG Anti-Spyware 7.5\

ProcessID : 348

ThreadCreationTime : 03.02.2007 11:36:04

BasePriority : Normal

FileVersion : 7, 5, 0, 50

ProductVersion : 7, 5, 0, 50

ProductName : AVG Anti-Spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : AVG Anti-Spyware

InternalName : AVG Anti-Spyware

LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.

OriginalFilename : avgas.exe

Scanning Module:D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe...

Scanning Module:C:\WINDOWS\System32\shgina.dll...

Scanning Module:C:\WINDOWS\system32\wiashext.dll...

 

#:26 [unsecapp.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 1740

ThreadCreationTime : 03.02.2007 11:36:05

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : unsecapp.dll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : unsecapp.dll

Scanning Module:C:\WINDOWS\System32\wbem\unsecapp.exe...

 

#:27 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1840

ThreadCreationTime : 03.02.2007 11:36:06

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

Scanning Module:C:\WINDOWS\system32\ctfmon.exe...

 

#:28 [msmsgs.exe]

FilePath : C:\Programme\Messenger\

ProcessID : 1764

ThreadCreationTime : 03.02.2007 11:36:06

BasePriority : Normal

FileVersion : 4.7.3001

ProductVersion : Version 4.7.3001

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Windows Messenger

InternalName : msmsgs

LegalCopyright : Copyright © Microsoft Corporation 2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msmsgs.exe

Scanning Module:C:\Programme\Messenger\msmsgs.exe...

Scanning Module:C:\WINDOWS\system32\XPOB2RES.DLL...

 

#:29 [teatimer.exe]

FilePath : D:\Programme\Spybot - Search & Destroy\

ProcessID : 1724

ThreadCreationTime : 03.02.2007 11:36:09

BasePriority : Idle

FileVersion : 1, 4, 0, 2

ProductVersion : 1, 4, 0, 3

ProductName : Spybot - Search & Destroy

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : TeaTimer.exe

Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

Scanning Module:D:\Programme\Spybot - Search & Destroy\TeaTimer.exe...

Scanning Module:C:\WINDOWS\system32\hhctrl.ocx...

Scanning Module:C:\WINDOWS\system32\mui\0007\hhctrlui.dll...

Scanning Module:D:\Programme\Spybot - Search & Destroy\advcheck.dll...

 

#:30 [acrotray.exe]

FilePath : D:\Acrobat 5.0\Distillr\

ProcessID : 1956

ThreadCreationTime : 03.02.2007 11:36:09

BasePriority : Normal

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

LegalCopyright : Copyright © 2001

OriginalFilename : AcroTray.exe

Scanning Module:D:\Acrobat 5.0\Distillr\AcroTray.exe...

 

#:31 [hardcopy.exe]

FilePath : D:\Programme\Hardcopy\

ProcessID : 1128

ThreadCreationTime : 03.02.2007 11:36:10

BasePriority : Normal

FileVersion : 16.1.09

ProductVersion : 16.1.09

ProductName : Hardcopy für Windows

CompanyName : sw4you, Siegfried Weckmann

FileDescription : Hardcopy - Drucken Fenster/Bildschirminhalt

InternalName : HARDCOPY

LegalCopyright : Copyright © Siegfried Weckmann 1995-2003

OriginalFilename : HARDCOPY.EXE

Scanning Module:D:\Programme\Hardcopy\hardcopy.exe...

Scanning Module:D:\Programme\Hardcopy\HcDllS.dll...

Scanning Module:D:\Programme\Hardcopy\ltkrn14n.dll...

Scanning Module:D:\Programme\Hardcopy\ltfil14n.dll...

Scanning Module:D:\Programme\Hardcopy\ltdis14n.dll...

 

#:32 [iwatch.exe]

FilePath : D:\FRITZ!\

ProcessID : 1148

ThreadCreationTime : 03.02.2007 11:36:11

BasePriority : Normal

FileVersion : 2.01.21

ProductVersion : 2.01.21

ProductName : ISDNWatch

CompanyName : AVM Berlin

FileDescription : ISDNWatch Monitor

InternalName : ISDNWatch

LegalCopyright : Copyright © AVM Berlin

OriginalFilename : IWatch.exe

Scanning Module:D:\FRITZ!\IWatch.exe...

Scanning Module:C:\WINDOWS\system32\MFC71.DLL...

Scanning Module:C:\WINDOWS\system32\MSVCR71.dll...

Scanning Module:D:\FRITZ!\C66dll.dll...

Scanning Module:C:\WINDOWS\system32\MFC71DEU.DLL...

Scanning Module:D:\FRITZ!\I2errdeu.dll...

 

#:33 [spontania4im.exe]

FilePath : C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\

ProcessID : 2012

ThreadCreationTime : 03.02.2007 11:36:11

BasePriority : Normal

 

Scanning Module:C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe...

 

#:34 [wzqkpick.exe]

FilePath : D:\WinZip\

ProcessID : 2052

ThreadCreationTime : 03.02.2007 11:36:11

BasePriority : Normal

FileVersion : 1.0 (32-bit)

ProductVersion : 9.0 (6224g)

ProductName : WinZip

CompanyName : WinZip Computing, Inc.

FileDescription : WinZip Executable

InternalName : WZQKPICK.EXE

LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved

LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc

OriginalFilename : WZQKPICK.EXE

Comments : StringFileInfo: German

Scanning Module:D:\WinZip\WZQKPICK.EXE...

 

#:35 [ad-aware.exe]

FilePath : D:\Programme\Lavasoft\Ad-Aware SE Plus\

ProcessID : 2788

ThreadCreationTime : 03.02.2007 12:33:12

BasePriority : Normal

FileVersion : 6.2.0.237

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Scanning Module:D:\Programme\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe...

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Deep scanning and examining files (E:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for E:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 10

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

13:42:46 Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:09:03.485

Objects scanned:275181

Objects identified:0

Objects ignored:0

New critical objects:0

Logfile of HijackThis v1.99.1

Scan saved at 13:28:49, on 03.02.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\nvraidservice.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\Messenger\msmsgs.exe

D:\Programme\Spybot - Search & Destroy\TeaTimer.exe

D:\Acrobat 5.0\Distillr\AcroTray.exe

D:\Programme\Hardcopy\hardcopy.exe

D:\FRITZ!\IWatch.exe

C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

D:\WinZip\WZQKPICK.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metager.de/

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [d:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: FriFax32.exe.lnk = D:\FRITZ!\FriFax32.exe

O4 - Startup: Trillian.lnk = D:\Programme\Trillian\trillian.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Hardcopy.LNK = D:\Programme\Hardcopy\hardcopy.exe

O4 - Global Startup: ISDNWatch.lnk = D:\FRITZ!\IWatch.exe

O4 - Global Startup: Spontania Monitor.lnk = C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Spontania4IM\spontania4IM.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136215224218

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D1391B7B-F497-4963-82F6-1E2FEEB28AA5}: NameServer = 192.168.120.252,192.168.120.253

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe

 
---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 13:24:11 03.02.2007

+ Scan-Ergebnis:

Keine Bedrohung gefunden.

::Berichtende
