Brave Sentry und WinAntiVirus

#1 Hallo!

Mein Nachbar hat sich Brave Sentry und WinAntiVirus eingehandelt, anscheinend mit der Installation von Limewire.

Habe CleanUp! laufen lassen. Unten die Ausgabe von datFind.bat und das Log von HJT.

Bin für jeden Hinweis dankbar!

Beste Grüße,
Stefan

-------------------

Ausgabe von datFind.bat:

Verzeichnis von C:\WINDOWS\system32

02.10.2006 00:32 235.043 guard.tmp
02.10.2006 00:32 235.444 p0n80a5ued.dll
02.10.2006 00:32 234.594 wevdmod.dll
02.10.2006 00:29 236.130 kldca.dll
02.10.2006 00:27 234.594 irn2l55o1.dll
02.10.2006 00:26 0 1.txt
02.10.2006 00:26 0 2.txt
02.10.2006 00:26 4.608 adir.dll
02.10.2006 00:26 234.594 xfsp1res.dll
01.10.2006 23:57 235.607 iysecsnp.dll
01.10.2006 23:56 1.158 wpa.dbl
27.09.2006 22:48 233.984 chmcat.dll
27.09.2006 22:10 233.984 idxwan.dll
27.09.2006 22:10 235.224 i042laho1d4c.dll
27.09.2006 22:10 203.328 FNTCACHE.DAT
26.09.2006 16:57 235.807 gp28l3fu1.dll
26.09.2006 16:57 233.984 MLIMTF.dll
26.09.2006 16:54 235.887 gp0ul3d91.dll
26.09.2006 16:54 233.984 docpmon.dll
26.09.2006 16:50 233.984 dqnput.dll
26.09.2006 16:49 237.007 i0060adsed060.dll
26.09.2006 16:32 237.007 mhfutil.dll
26.09.2006 16:29 237.007 khdgae.dll
26.09.2006 16:28 236.312 s0pu0a79ed.dll
26.09.2006 16:26 236.312 kmdhept.dll
26.09.2006 16:21 235.667 vqa.dll
26.09.2006 16:19 12 tick481.bin
26.09.2006 15:52 2 wnstssu.exe
26.09.2006 15:50 184.832 swprodte.dll
26.09.2006 15:49 49.152 msimnpwm.exe
26.09.2006 15:49 35.328 dpmomspr.dll
26.09.2006 15:49 61.440 rdpwiasn.dll
26.09.2006 15:49 11.264 e1.dll
26.09.2006 15:49 24.576 dminupnp.dll
26.09.2006 15:49 15.360 protector.exe
26.09.2006 15:49 17.920 ntio256.sys
26.09.2006 15:48 46.592 zlbw.dll
26.09.2006 15:48 1 kr_done1
26.09.2006 15:48 157.184 2234_32.dll
26.09.2006 15:47 53.248 srvc.dll
26.09.2006 15:47 32.949 wxfgob32.dll
26.09.2006 15:47 32.949 tqrerg32.dll
26.09.2006 15:47 6.868 taskdir~.exe
26.09.2006 15:47 10.649 upnp.exe
26.09.2006 15:47 1.632 qvxgamet4.exe
26.09.2006 15:47 157.184 2236_32.dll
26.09.2006 15:47 69.632 qvxgamet3.exe
26.09.2006 15:47 1.632 qvxgamet2.exe
26.09.2006 15:46 0 inistone.ini
26.09.2006 15:46 1.232 TheMatrixHasYou.exe
26.09.2006 15:46 15.104 stonedrv.exe
26.09.2006 15:46 14.336 vxgame4.exe
26.09.2006 15:46 1.689 vxgame3.exe
26.09.2006 15:46 52.948 image.gif.exe
26.09.2006 15:46 52.948 taskdir.exe
26.09.2006 15:46 63 svcp.csv
26.09.2006 15:46 4 winsub.xml
26.09.2006 15:46 72.704 qybhmln.dll
26.09.2006 15:46 94.720 saktndc.dll
26.09.2006 15:46 5.744 vxgamet3.exe
26.09.2006 15:46 1.632 vxgamet4.exe
26.09.2006 15:46 5.744 testtestt.exe
26.09.2006 15:46 31.948 vxgame1.exe
26.09.2006 15:46 1 loadinfo.ini
26.09.2006 15:46 13.824 maxd641.exe
26.09.2006 15:46 5.908 vxgamet1.exe
26.09.2006 15:46 5.196 vxgamet2.exe
26.09.2006 15:46 1 vx.tll
26.09.2006 15:46 6.082 dlh9jkdq6.exe
26.09.2006 15:46 6.031 dlh9jkdq7.exe
26.09.2006 15:46 4.275 dlh9jkdq5.exe
26.09.2006 15:46 17.807 dlh9jkdq2.exe
26.09.2006 15:46 17 dlh9jkdq8.exe
26.09.2006 15:46 2.518 dlh9jkdq1.exe
26.09.2006 15:46 7.295 kernels8.exe
26.09.2006 15:45 1.233 dptf1cb5.sys
26.09.2006 15:45 234.272 tzflog.dll
26.09.2006 15:02 96.768 dxclib303562752.dll
26.09.2006 15:02 979 loadinfo.stt
26.09.2006 15:02 365.568 bkd.exe
26.09.2006 15:01 1.233 aaa00000.sys
26.09.2006 15:01 61.952 aaa00000.dll
26.09.2006 15:01 29.696 w059221f.dll
26.09.2006 15:01 61.952 dptf1cb5.dll
26.09.2006 15:01 29.696 w058b429.dll
26.09.2006 15:00 23.552 jobkbsc.exe
26.09.2006 15:00 51.712 orcchun.dll
26.09.2006 15:00 28.672 yttgp.exe
26.09.2006 15:00 127.488 nhrfc.dat
26.09.2006 15:00 127.488 ikdcqm.exe
26.09.2006 15:00 32.256 dmonwv.dll
26.09.2006 15:00 687.592 atmtd.dll
26.09.2006 15:00 687.592 atmtd.dll._
26.09.2006 15:00 234.272 dt3j.dll
26.09.2006 14:59 62.464 bszip.dll
26.09.2006 14:59 0 taskkill.com
26.09.2006 14:59 0 netstat.com
26.09.2006 14:59 0 ping.com
26.09.2006 14:59 0 cmd.com
26.09.2006 14:59 0 regedit.com
26.09.2006 14:59 0 tracert.com
26.09.2006 14:59 0 tasklist.com
18.09.2006 13:32 80.896 nsp13C.dll
14.09.2006 23:42 6.912 openglwxd.sys
14.09.2006 23:42 18.787 openglwx.dll
31.08.2006 16:37 126.976 nounzaa.dll

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

Verzeichnis von C:\WINDOWS

02.10.2006 00:36 1.266.148 ntbtlog.txt
02.10.2006 00:31 2.048 bootstat.dat
02.10.2006 00:27 214 wiadebug.log
02.10.2006 00:27 50 wiaservc.log
02.10.2006 00:27 32.630 SchedLgU.Txt
02.10.2006 00:26 6.096 ModemLog_Bluetooth Fax Modem.txt
02.10.2006 00:26 5.856 ModemLog_Bluetooth Modem.txt
02.10.2006 00:26 4.710 ModemLog_Agere Systems AC'97 Modem.txt
02.10.2006 00:26 0 0.log
26.09.2006 16:19 126.379 ocgen.log
26.09.2006 16:19 249.759 FaxSetup.log
26.09.2006 16:19 35.724 iis6.log
26.09.2006 16:19 88.779 comsetup.log
26.09.2006 16:19 1.917 imsins.log
26.09.2006 16:19 94.342 tsoc.log
26.09.2006 16:19 11.785 msgsocm.log
26.09.2006 16:19 8.612 ocmsn.log
26.09.2006 16:19 52.160 ntdtcsetup.log
26.09.2006 16:18 721.006 setupapi.log
26.09.2006 15:49 1.406.332 WindowsUpdate.log
26.09.2006 15:47 697.824 vascyxpA.exe
26.09.2006 15:47 27 tcb.pmw
26.09.2006 15:46 1.999 desktop.html
26.09.2006 15:46 171 em06y.ini
26.09.2006 15:46 79.648 em.ocx
26.09.2006 15:46 1.025 affbun.txt
26.09.2006 15:46 215.308 srvfkstqxt.exe
26.09.2006 15:46 17.807 xpupdate.exe
26.09.2006 15:46 163.840 sys09829496810.exe
26.09.2006 15:45 142 hfjih.dll
26.09.2006 15:02 0 newname.dat
26.09.2006 15:02 183.476 srvwavxkcy.exe
26.09.2006 15:02 53.120 srvmdfzpiu.exe
26.09.2006 15:02 32.768 unstall.exe
26.09.2006 15:02 292 mm06y.ini
26.09.2006 15:02 53.120 optimize.exe
26.09.2006 15:02 36.864 thiselt.exe
26.09.2006 15:01 78.336 unwn.exe
26.09.2006 15:01 53 wbepeo.dat
26.09.2006 15:01 2 tempf.txt
26.09.2006 15:01 106.496 Duce6.exe
26.09.2006 15:01 268.581 popupwithcast.exe
26.09.2006 15:01 79.816 amm06.ocx
26.09.2006 15:01 183.478 srvvascyxp.exe
26.09.2006 15:00 163.840 ms034968108292006.exe
26.09.2006 15:00 36.608 nem220.dll
26.09.2006 15:00 217.276 srvouscbfk.exe
26.09.2006 15:00 53.120 srvlkqwies.exe
26.09.2006 15:00 110.592 v1201.exe
26.09.2006 15:00 48.190 RDFX4.exe
22.09.2006 16:38 53.248 109uninst.exe
22.09.2006 16:36 53.248 uni_7eh.exe
22.09.2006 16:34 163.840 win3207108294968.exe
22.09.2006 16:34 163.840 win3209829496810.exe
20.09.2006 20:17 54.156 QTFont.qfn
18.09.2006 20:11 2.904 mozver.dat
18.09.2006 13:28 24.451 m.exe
17.09.2006 18:29 170 urls.dat
17.09.2006 18:29 12.343 htmlcode.dat
17.09.2006 18:15 1.587 win.ini
15.09.2006 23:22 480 Uninst2.htm
15.09.2006 23:21 53.248 uninst108.exe
15.09.2006 23:17 53.248 uni_e6h.exe
15.09.2006 10:54 24.451 vgfma.exe
14.09.2006 23:42 24.451 ftqdjt.exe
14.09.2006 23:33 54.272 ieredir.exe
14.09.2006 23:33 30.720 preredir.exe
14.09.2006 23:33 23.040 ieserver.exe
14.09.2006 23:33 32.768 dsrss.exe
27.08.2006 13:39 75 USBBC.ini
22.08.2006 00:41 159.744 win3208082949681.exe
13.08.2006 17:34 24 tm.ini
13.08.2006 16:58 0 tdf.dii
12.08.2006 14:04 223.601 setupact.log
11.08.2006 18:05 155.648 ms05681082949.exe
11.08.2006 18:05 155.648 sys02949681082.exe

Verzeichnis von C:\

02.10.2006 00:38 0 sys.txt
02.10.2006 00:37 15.923 system.txt
02.10.2006 00:36 127 systemtemp.txt
02.10.2006 00:34 97.587 system32.txt
02.10.2006 00:31 1.073.741.824 pagefile.sys

-------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:40:50, on 02.10.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acer.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yttgp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jobkbsc.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {BAD6C28D-2F1F-56B9-6B97-5C800D390793} - C:\WINDOWS\System32\nounzaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programme\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [outlook] C:\Programme\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [dptf1cb5] RUNDLL32.EXE w058b429.dll,n 004f1cb100000003058b429
O4 - HKLM\..\Run: [loaddr] C:\DOKUME~1\BARBAR~1\LOKALE~1\Temp\silver.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sys09829496810] C:\WINDOWS\sys09829496810.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [ms05681082949] C:\WINDOWS\ms05681082949.exe
O4 - HKLM\..\Run: [win3208082949681] C:\WINDOWS\win3208082949681.exe
O4 - HKLM\..\Run: [win3207108294968] C:\WINDOWS\win3207108294968.exe
O4 - HKLM\..\Run: [saktndc.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\saktndc.dll,gsfsgof
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [np] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [sys02949681082] C:\WINDOWS\sys02949681082.exe
O4 - HKLM\..\Run: [win3209829496810] C:\WINDOWS\win3209829496810.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040428/qtinstall.info.apple.com/saba/de/win/QuickTimeInstaller.exe
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.de/app/uploader/FileUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll e1.dll
O20 - Winlogon Notify: openglwx - C:\WINDOWS\SYSTEM32\openglwx.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\irn2l55o1.dll
O20 - Winlogon Notify: swprodte - C:\WINDOWS\System32\swprodte.dll
O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_32.dll
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - C:\WINDOWS\System32\tqrerg32.dll
O21 - SSODL: QisNzDPFN - {31711DEB-9BDB-B741-FBB8-60C6624E91C7} - C:\WINDOWS\System32\bhrs.dll
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\2234_32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmFyYmFyYSBGcmllc3M\command.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\fswsclds.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 1.
scanne
Look2Me-Destroyer V1.0.5
http://virus-protect.org/l2mfix.html

2.
poste das log
http://virus-protect.org/artikel/tools/combofix.html

3.
weil viele dateien vom look2me geloescht werden---poste noch mal die 4 logs von datfindbat - poste die daten bis August 2006
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo@Sabina,

Look2Me-Destroyer wird nicht wieder geöffnet. Hier noch einmal ein HJT-Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:08, on 03.10.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\swprodte.exe
C:\Programme\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acer.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yttgp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jobkbsc.exe
O1 - Hosts: MZ€
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programme\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [outlook] C:\Programme\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [dptf1cb5] RUNDLL32.EXE w058b429.dll,n 004f1cb100000003058b429
O4 - HKLM\..\Run: [loaddr] C:\DOKUME~1\BARBAR~1\LOKALE~1\Temp\silver.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sys09829496810] C:\WINDOWS\sys09829496810.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [ms05681082949] C:\WINDOWS\ms05681082949.exe
O4 - HKLM\..\Run: [win3208082949681] C:\WINDOWS\win3208082949681.exe
O4 - HKLM\..\Run: [win3207108294968] C:\WINDOWS\win3207108294968.exe
O4 - HKLM\..\Run: [saktndc.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\saktndc.dll,gsfsgof
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [np] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [sys02949681082] C:\WINDOWS\sys02949681082.exe
O4 - HKLM\..\Run: [win3209829496810] C:\WINDOWS\win3209829496810.exe
O4 - HKLM\..\Run: [ms] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\29473\gm.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040428/qtinstall.info.apple.com/saba/de/win/QuickTimeInstaller.exe
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.de/app/uploader/FileUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll e1.dll
O20 - Winlogon Notify: openglwx - C:\WINDOWS\SYSTEM32\openglwx.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\k8pm0i71e8.dll
O20 - Winlogon Notify: swprodte - C:\WINDOWS\System32\swprodte.dll
O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_32.dll
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - C:\WINDOWS\System32\tqrerg32.dll
O21 - SSODL: QisNzDPFN - {31711DEB-9BDB-B741-FBB8-60C6624E91C7} - C:\WINDOWS\System32\bhrs.dll
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\2234_32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmFyYmFyYSBGcmllc3M\command.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\fswsclds.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 poste dieses log
http://virus-protect.org/artikel/tools/combofix.html

Noch mal neu
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hallo@Sabina,

Administrator - 06-10-03 12:19:50,70 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{8418B0C9-DC75-4928-A6D5-8072A6A697CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8418B0C9-DC75-4928-A6D5-8072A6A697CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8418B0C9-DC75-4928-A6D5-8072A6A697CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8418B0C9-DC75-4928-A6D5-8072A6A697CF}\InprocServer32]
@="C:\\WINDOWS\\system32\\vjhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B000E4CA-B94D-4CD8-9012-6A4808AFC15D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B000E4CA-B94D-4CD8-9012-6A4808AFC15D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B000E4CA-B94D-4CD8-9012-6A4808AFC15D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B000E4CA-B94D-4CD8-9012-6A4808AFC15D}\InprocServer32]
@="C:\\WINDOWS\\system32\\OUEAUT3N.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{97B51732-3CBE-4DDC-A8DA-32E652A0DBDB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97B51732-3CBE-4DDC-A8DA-32E652A0DBDB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97B51732-3CBE-4DDC-A8DA-32E652A0DBDB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97B51732-3CBE-4DDC-A8DA-32E652A0DBDB}\InprocServer32]
@="C:\\WINDOWS\\system32\\cebcatq.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\OUEAUT3N.DLL
C:\WINDOWS\system32\cebcatq.dll
C:\WINDOWS\system32\mhfutil.dll
C:\WINDOWS\system32\docpmon.dll
C:\WINDOWS\system32\vqa.dll
C:\WINDOWS\system32\khdgae.dll
C:\WINDOWS\system32\MLIMTF.dll
C:\WINDOWS\system32\kmdhept.dll
C:\WINDOWS\system32\dqnput.dll
C:\WINDOWS\system32\chmcat.dll
C:\WINDOWS\system32\iysecsnp.dll
C:\WINDOWS\system32\gp0ul3d91.dll
C:\WINDOWS\system32\s0pu0a79ed.dll
C:\WINDOWS\system32\hr0u05d9e.dll
C:\WINDOWS\system32\kldca.dll
C:\WINDOWS\system32\gp28l3fu1.dll
C:\WINDOWS\system32\i0060adsed060.dll
C:\WINDOWS\system32\idxwan.dll
C:\WINDOWS\system32\rtmotepg.dll
C:\WINDOWS\system32\i042laho1d4c.dll
C:\WINDOWS\system32\surialui.dll
C:\WINDOWS\system32\ggmf32.dll
C:\WINDOWS\system32\mqls31.dll
C:\WINDOWS\system32\f4j20e1oeh.dll
C:\WINDOWS\system32\hJ23msp.dll
C:\WINDOWS\system32\k8pm0i71e8.dll
C:\WINDOWS\system32\h0j4la1q1d.dll
C:\WINDOWS\system32\dt3j.dll
C:\WINDOWS\system32\tzflog.dll
C:\WINDOWS\system32\guard.tmp


Granting sedebugprivilege to Administratoren ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\ikdcqm.exe
O4 - HKLM\...\Run C:\WINDOWS\System32\ikdcqm.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\yttgp.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\jobkbsc.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\ikdcqm.exe
C:\WINDOWS\system32\orcchun.dll
C:\WINDOWS\system32\jobkbsc.exe
C:\Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup\brodw.exe
C:\WINDOWS\hfjih.dll
C:\WINDOWS\system32\nhrfc.dat
C:\WINDOWS\system32\yttgp.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


26.09.2006 15:00 127488 nhrfc.dat.qoo
26.09.2006 15:00 127488 ikdcqm.exe.qoo
26.09.2006 15:00 51712 orcchun.dll.qoo
26.09.2006 15:00 28672 yttgp.exe.qoo
26.09.2006 15:00 23552 jobkbsc.exe.qoo
02.10.2006 00:50 142 hfjih.dll.qoo
26.09.2006 15:01 53 wbepeo.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\bkd.exe
C:\Programme\DeluxeCommunications\DxcBho.dll
C:\Programme\DeluxeCommunications\DxcCore.dll
C:\Programme\DeluxeCommunications\Dxc.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vxgamet1.exe
C:\WINDOWS\system32\vxgamet2.exe
C:\WINDOWS\system32\vxgamet3.exe
C:\WINDOWS\system32\vxgamet4.exe
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\maxd641.exe
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\wnstssu.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\xpupdate.exe
C:\WINDOWS\RDFX4.exe
C:\WINDOWS\uni_ehhhh.exe
C:\Programme\Gemeinsame Dateien\Yazzle1438OinAdmin.exe
C:\Programme\Gemeinsame Dateien\Yazzle1438OinUninstaller.exe
C:\Programme\Gemeinsame Dateien\Yazzle1452OinAdmin.exe
C:\Programme\Gemeinsame Dateien\Yazzle1452OinUninstaller.exe
C:\Programme\Gemeinsame Dateien\Yazzle1440OinAdmin.exe
C:\Programme\Gemeinsame Dateien\Yazzle1440OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\NetMon
C:\Programme\Deskbar
C:\Programme\Inetget2
C:\Programme\network monitor
C:\Programme\outlook
C:\Programme\TheSearchAccelerator
C:\Programme\ToolBar888
C:\Programme\Gemeinsame Dateien\{31711DEA-05DA-1031-0919-030308280031}
C:\WINDOWS\QmFyYmFyYSBGcmllc3M

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Programme\SKS~1
C:\QooBox\Purity\Programme\SKS~1\ç?sks
C:\QooBox\Purity\Programme\SKS~1\rundll.exe


((((((((((((((((((((((((((((((( Files Created from 2003-09-06 to 2003.10.2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

[COLOR=RED]Rootkit driver pe386 is present. A rootkit scan is required[/COLOR]

2013.12.2002 03:17 227887 --a------ C:\WINDOWS\system32\drivers\o2mmb.sys
2013.01.2003 10:31 6538 --a------ C:\WINDOWS\system32\drivers\acernbm.sys
2012.03.2003 09:34 30171 --a------ C:\WINDOWS\system32\drivers\btport.sys
2011.09.2002 00:45 41728 --a------ C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2010.12.2002 11:00 218240 --a------ C:\WINDOWS\system32\drivers\Expsab2.sys
2010.05.2002 11:20 116021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys
2009.12.2002 15:29 5441 --a------ C:\WINDOWS\system32\drivers\mbxfilt.sys
2008.11.2002 13:13 20579 --a------ C:\WINDOWS\system32\drivers\ozscr.sys
2008.04.2003 13:24 51208 --a------ C:\WINDOWS\system32\drivers\btwusb.sys
2008.01.2001 03:53 15576 -ra------ C:\WINDOWS\system32\drivers\usbbc.sys
2005.12.2003 08:34 33588 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys
2005.06.2006 14:11 97792 --a------ C:\WINDOWS\system32\drivers\ACEDRV05.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Oece"="\"C:\\PROGRA~1\\SKS~1\\rundll.exe\" -vt yazb"
"Windows update loader"="C:\\Windows\\xpupdate.exe"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"Pmw"="C:\\Dokumente und Einstellungen\\Barbara\\Eigene Dateien\\M?crosoft\\s?ool32.exe"
"taskdir"="C:\\WINDOWS\\System32\\taskdir.exe"
"shell"="\"C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Web Folders\\ibm00005.exe\""
"BraveSentry"="C:\\Program Files\\BraveSentry\\BraveSentry.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"LManager"="C:\\Programme\\Launch Manager\\QtZgAcer.EXE"
"AcerNotebookManager"=""
@=""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft Windows Session Manager Subsystem"="C:\\WINDOWS\\smss.exe"
"Microsoft Windows Logon Process"="C:\\WINDOWS\\winlogon.exe"
"WinSysModule"="dsrss.exe"
"IE Redir"="C:\\WINDOWS\\ieredir.exe"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"dptf1cb5"="RUNDLL32.EXE w058b429.dll,n 004f1cb100000003058b429"
"loaddr"="C:\\DOKUME~1\\BARBAR~1\\LOKALE~1\\Temp\\silver.exe"
"septpop06apsept"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"sys09829496810"="C:\\WINDOWS\\sys09829496810.exe"
"ms05681082949"="C:\\WINDOWS\\ms05681082949.exe"
"win3208082949681"="C:\\WINDOWS\\win3208082949681.exe"
"win3207108294968"="C:\\WINDOWS\\win3207108294968.exe"
"saktndc.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\saktndc.dll,gsfsgof"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"np"="c:\\windows\\system32\\upnp.exe"
"sys02949681082"="C:\\WINDOWS\\sys02949681082.exe"
"win3209829496810"="C:\\WINDOWS\\win3209829496810.exe"
"ms"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\29473\\gm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Programme\\WindowsUpdate\\xupypaj.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Programme\\Windows Media Player\\vimomugag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,f8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,36,01,00,00,00,00,00,00,42,04,00,00,f8,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,36,01,00,00,00,00,00,00,42,04,00,00,f8,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{31711DEA-05DA-1031-0919-030308280031}"="\"C:\\Programme\\Gemeinsame Dateien\\{31711DEA-05DA-1031-0919-030308280031}\\Update.exe\" mc-110-12-0000140"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"CDRecorder019"="{A3BC5E20-0235-1ABF-9CE1-00AA00512019}"
"QisNzDPFN"="{31711DEB-9BDB-B741-FBB8-60C6624E91C7}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\openglwx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\swprodte
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys

Completion time: 03.10.2006 12:23:52,10
ComboFix.txt


Administrator - 06-10-03 12:43:08.93 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-26 15:00 127488 nhrfc.dat.qoo
06-09-26 15:00 127488 ikdcqm.exe.qoo
06-09-26 15:00 51712 orcchun.dll.qoo
06-09-26 15:00 28672 yttgp.exe.qoo
06-09-26 15:00 23552 jobkbsc.exe.qoo
06-10-02 00:50 142 hfjih.dll.qoo
06-09-26 15:01 53 wbepeo.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Programme\SKS~1
C:\QooBox\Purity\Programme\SKS~1\ç?sks
C:\QooBox\Purity\Programme\SKS~1\rundll.exe


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-02 00:26 234,594 -r--s---- C:\WINDOWS\system32\xfsp1res.dll
2006-09-26 15:52 126,976 --a------ C:\WINDOWS\system32\nounzaa.dll
2006-09-26 15:50 184,832 --ah----- C:\WINDOWS\system32\swprodte.dll
2006-09-26 15:49 61,440 --ah----- C:\WINDOWS\system32\rdpwiasn.dll
2006-09-26 15:49 49,152 --ah----- C:\WINDOWS\system32\msimnpwm.exe
2006-09-26 15:49 35,328 --ah----- C:\WINDOWS\system32\dpmomspr.dll
2006-09-26 15:49 24,576 --ah----- C:\WINDOWS\system32\dminupnp.dll
2006-09-26 15:49 17,920 --a------ C:\WINDOWS\system32\ntio256.sys
2006-09-26 15:49 15,360 --a------ C:\WINDOWS\system32\protector.exe
2006-09-26 15:49 11,264 --a------ C:\WINDOWS\system32\e1.dll
2006-09-26 15:48 46,592 --a------ C:\WINDOWS\system32\zlbw.dll
2006-09-26 15:47 69,632 --a------ C:\WINDOWS\system32\qvxgamet3.exe
2006-09-26 15:47 6,868 --a------ C:\WINDOWS\system32\taskdir~.exe
2006-09-26 15:47 53,248 --a------ C:\WINDOWS\system32\srvc.dll
2006-09-26 15:47 32,949 --a------ C:\WINDOWS\system32\wxfgob32.dll
2006-09-26 15:47 32,949 --a------ C:\WINDOWS\system32\tqrerg32.dll
2006-09-26 15:47 157,184 --a------ C:\WINDOWS\system32\2236_32.dll
2006-09-26 15:47 157,184 --a------ C:\WINDOWS\system32\2234_32.dll
2006-09-26 15:47 10,649 --a------ C:\WINDOWS\system32\upnp.exe
2006-09-26 15:47 1,632 --a------ C:\WINDOWS\system32\qvxgamet4.exe
2006-09-26 15:47 1,632 --a------ C:\WINDOWS\system32\qvxgamet2.exe
2006-09-26 15:46 94,720 --a------ C:\WINDOWS\system32\saktndc.dll
2006-09-26 15:46 72,704 --a------ C:\WINDOWS\system32\qybhmln.dll
2006-09-26 15:46 6,082 --a------ C:\WINDOWS\system32\dlh9jkdq6.exe
2006-09-26 15:46 6,031 --a------ C:\WINDOWS\system32\dlh9jkdq7.exe
2006-09-26 15:46 52,948 --a------ C:\WINDOWS\system32\taskdir.exe
2006-09-26 15:46 52,948 --a------ C:\WINDOWS\system32\image.gif.exe
2006-09-26 15:46 5,744 --a------ C:\WINDOWS\system32\testtestt.exe
2006-09-26 15:46 4,608 --a------ C:\WINDOWS\system32\adir.dll
2006-09-26 15:46 4,275 --a------ C:\WINDOWS\system32\dlh9jkdq5.exe
2006-09-26 15:46 215,308 --a------ C:\WINDOWS\srvfkstqxt.exe
2006-09-26 15:46 2,518 --a------ C:\WINDOWS\system32\dlh9jkdq1.exe
2006-09-26 15:46 17,807 --a------ C:\WINDOWS\system32\dlh9jkdq2.exe
2006-09-26 15:46 17 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
2006-09-26 15:46 15,104 --a------ C:\WINDOWS\system32\stonedrv.exe
2006-09-26 15:46 1,232 --a------ C:\WINDOWS\system32\TheMatrixHasYou.exe
2006-09-26 15:45 163,840 --a------ C:\WINDOWS\sys09829496810.exe
2006-09-26 15:02 53,120 --a------ C:\WINDOWS\srvmdfzpiu.exe
2006-09-26 15:02 32,768 --a------ C:\WINDOWS\unstall.exe
2006-09-26 15:02 183,476 --a------ C:\WINDOWS\srvwavxkcy.exe
2006-09-26 15:01 697,824 --a------ C:\WINDOWS\vascyxpA.exe
2006-09-26 15:01 668,784 -r-hs---- C:\WINDOWS\vascyxp.exe
2006-09-26 15:01 61,952 --a------ C:\WINDOWS\system32\dptf1cb5.dll
2006-09-26 15:01 53,120 --a------ C:\WINDOWS\optimize.exe
2006-09-26 15:01 29,696 --a------ C:\WINDOWS\system32\w059221f.dll
2006-09-26 15:01 29,696 --a------ C:\WINDOWS\system32\w058b429.dll
2006-09-26 15:01 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-26 15:01 183,478 --a------ C:\WINDOWS\srvvascyxp.exe
2006-09-26 15:01 1,233 --a------ C:\WINDOWS\system32\dptf1cb5.sys
2006-09-26 15:00 53,120 --a------ C:\WINDOWS\srvlkqwies.exe
2006-09-26 15:00 36,608 --a------ C:\WINDOWS\nem220.dll
2006-09-26 15:00 217,276 --a------ C:\WINDOWS\srvouscbfk.exe
2006-09-26 15:00 163,840 --a------ C:\WINDOWS\ms034968108292006.exe
2006-09-26 15:00 110,592 --a------ C:\WINDOWS\v1201.exe
2006-09-22 16:38 53,248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 16:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-22 16:34 163,840 --a------ C:\WINDOWS\win3209829496810.exe
2006-09-22 16:34 163,840 --a------ C:\WINDOWS\win3207108294968.exe
2006-09-18 13:32 80,896 --a------ C:\WINDOWS\system32\nsp13C.dll
2006-09-18 13:28 24,451 --a------ C:\WINDOWS\m.exe
2006-09-15 23:21 53,248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 23:16 53,248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-15 10:54 24,451 --a------ C:\WINDOWS\vgfma.exe
2006-09-14 23:41 6,912 --a------ C:\WINDOWS\system32\openglwxd.sys
2006-09-14 23:41 24,451 --a------ C:\WINDOWS\ftqdjt.exe
2006-09-14 23:41 18,787 --a------ C:\WINDOWS\system32\openglwx.dll
2006-09-14 23:33 54,272 --a------ C:\WINDOWS\ieredir.exe
2006-09-14 23:33 32,768 --a------ C:\WINDOWS\dsrss.exe
2006-09-14 23:33 30,720 --a------ C:\WINDOWS\preredir.exe
2006-09-14 23:33 23,040 --a------ C:\WINDOWS\ieserver.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

[COLOR=RED]Rootkit driver pe386 is present. A rootkit scan is required[/COLOR]

2006-10-02 00:50 -------- d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla
2006-10-02 00:21 -------- d-------- C:\Programme\CleanUp!
2006-09-27 22:51 -------- d-------- C:\Programme\Hijackthis
2006-09-26 15:02 -------- d--h----- C:\Programme\BHO Plugin
2006-09-26 15:01 -------- d-------- C:\Programme\PSDream
2006-08-22 00:41 159744 --a------ C:\WINDOWS\win3208082949681.exe
2006-08-11 18:05 155648 --a------ C:\WINDOWS\sys02949681082.exe
2006-08-11 18:05 155648 --a------ C:\WINDOWS\ms05681082949.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"LManager"="C:\\Programme\\Launch Manager\\QtZgAcer.EXE"
"AcerNotebookManager"=""
@=""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft Windows Session Manager Subsystem"="C:\\WINDOWS\\smss.exe"
"Microsoft Windows Logon Process"="C:\\WINDOWS\\winlogon.exe"
"WinSysModule"="dsrss.exe"
"IE Redir"="C:\\WINDOWS\\ieredir.exe"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"dptf1cb5"="RUNDLL32.EXE w058b429.dll,n 004f1cb100000003058b429"
"loaddr"="C:\\DOKUME~1\\BARBAR~1\\LOKALE~1\\Temp\\silver.exe"
"septpop06apsept"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"sys09829496810"="C:\\WINDOWS\\sys09829496810.exe"
"ms05681082949"="C:\\WINDOWS\\ms05681082949.exe"
"win3208082949681"="C:\\WINDOWS\\win3208082949681.exe"
"win3207108294968"="C:\\WINDOWS\\win3207108294968.exe"
"saktndc.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\saktndc.dll,gsfsgof"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"np"="c:\\windows\\system32\\upnp.exe"
"sys02949681082"="C:\\WINDOWS\\sys02949681082.exe"
"win3209829496810"="C:\\WINDOWS\\win3209829496810.exe"
"ms"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\29473\\gm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"CDRecorder019"="{A3BC5E20-0235-1ABF-9CE1-00AA00512019}"
"QisNzDPFN"="{31711DEB-9BDB-B741-FBB8-60C6624E91C7}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\openglwx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\swprodte
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys

Completion time: 06-10-03 12:46:21.47
ComboFix2.txt
ComboFix.txt

-------------------

Ausgabe von datFind.bat:

Verzeichnis von C:\WINDOWS\system32

06-10-03 12:27 4,608 adir.dll
06-10-03 10:01 1,158 wpa.dbl
06-10-02 00:26 234,594 xfsp1res.dll
06-09-27 22:10 203,328 FNTCACHE.DAT
06-09-26 16:19 12 tick481.bin
06-09-26 15:50 184,832 swprodte.dll
06-09-26 15:49 61,440 rdpwiasn.dll
06-09-26 15:49 24,576 dminupnp.dll
06-09-26 15:49 11,264 e1.dll
06-09-26 15:49 35,328 dpmomspr.dll
06-09-26 15:49 49,152 msimnpwm.exe
06-09-26 15:49 17,920 ntio256.sys
06-09-26 15:49 15,360 protector.exe
06-09-26 15:48 46,592 zlbw.dll
06-09-26 15:48 1 kr_done1
06-09-26 15:48 157,184 2234_32.dll
06-09-26 15:47 53,248 srvc.dll
06-09-26 15:47 32,949 tqrerg32.dll
06-09-26 15:47 32,949 wxfgob32.dll
06-09-26 15:47 6,868 taskdir~.exe
06-09-26 15:47 10,649 upnp.exe
06-09-26 15:47 1,632 qvxgamet4.exe
06-09-26 15:47 157,184 2236_32.dll
06-09-26 15:47 69,632 qvxgamet3.exe
06-09-26 15:47 1,632 qvxgamet2.exe
06-09-26 15:46 0 inistone.ini
06-09-26 15:46 1,232 TheMatrixHasYou.exe
06-09-26 15:46 15,104 stonedrv.exe
06-09-26 15:46 52,948 image.gif.exe
06-09-26 15:46 52,948 taskdir.exe
06-09-26 15:46 4 winsub.xml
06-09-26 15:46 63 svcp.csv
06-09-26 15:46 72,704 qybhmln.dll
06-09-26 15:46 94,720 saktndc.dll
06-09-26 15:46 5,744 testtestt.exe
06-09-26 15:46 1 loadinfo.ini
06-09-26 15:46 1 vx.tll
06-09-26 15:46 6,082 dlh9jkdq6.exe
06-09-26 15:46 6,031 dlh9jkdq7.exe
06-09-26 15:46 4,275 dlh9jkdq5.exe
06-09-26 15:46 17,807 dlh9jkdq2.exe
06-09-26 15:46 2,518 dlh9jkdq1.exe
06-09-26 15:46 17 dlh9jkdq8.exe
06-09-26 15:45 1,233 dptf1cb5.sys
06-09-26 15:02 979 loadinfo.stt
06-09-26 15:01 29,696 w059221f.dll
06-09-26 15:01 61,952 dptf1cb5.dll
06-09-26 15:01 29,696 w058b429.dll
06-09-18 13:32 80,896 nsp13C.dll
06-09-14 23:42 18,787 openglwx.dll
06-09-14 23:42 6,912 openglwxd.sys
06-08-31 16:37 126,976 nounzaa.dll

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

Verzeichnis von C:\WINDOWS

06-10-03 12:53 3,724,894 ntbtlog.txt
06-10-03 12:45 2,048 bootstat.dat
06-10-03 12:27 4,710 ModemLog_Agere Systems AC'97 Modem.txt
06-10-03 12:27 3,866 ModemLog_Bluetooth Modem.txt
06-10-03 12:27 3,870 ModemLog_Bluetooth Fax Modem.txt
06-10-03 12:27 159 wiadebug.log
06-10-03 12:27 0 0.log
06-10-02 00:27 50 wiaservc.log
06-10-02 00:27 32,630 SchedLgU.Txt
06-09-26 16:19 249,759 FaxSetup.log
06-09-26 16:19 35,724 iis6.log
06-09-26 16:19 11,785 msgsocm.log
06-09-26 16:19 8,612 ocmsn.log
06-09-26 16:19 88,779 comsetup.log
06-09-26 16:19 94,342 tsoc.log
06-09-26 16:19 126,379 ocgen.log
06-09-26 16:19 52,160 ntdtcsetup.log
06-09-26 16:19 1,917 imsins.log
06-09-26 16:18 721,006 setupapi.log
06-09-26 15:49 1,406,332 WindowsUpdate.log
06-09-26 15:47 697,824 vascyxpA.exe
06-09-26 15:47 27 tcb.pmw
06-09-26 15:46 1,999 desktop.html
06-09-26 15:46 79,648 em.ocx
06-09-26 15:46 171 em06y.ini
06-09-26 15:46 1,025 affbun.txt
06-09-26 15:46 215,308 srvfkstqxt.exe
06-09-26 15:46 163,840 sys09829496810.exe
06-09-26 15:02 0 newname.dat
06-09-26 15:02 183,476 srvwavxkcy.exe
06-09-26 15:02 53,120 srvmdfzpiu.exe
06-09-26 15:02 32,768 unstall.exe
06-09-26 15:02 292 mm06y.ini
06-09-26 15:02 53,120 optimize.exe
06-09-26 15:01 2 tempf.txt
06-09-26 15:01 268,581 popupwithcast.exe
06-09-26 15:01 79,816 amm06.ocx
06-09-26 15:01 183,478 srvvascyxp.exe
06-09-26 15:00 163,840 ms034968108292006.exe
06-09-26 15:00 36,608 nem220.dll
06-09-26 15:00 217,276 srvouscbfk.exe
06-09-26 15:00 53,120 srvlkqwies.exe
06-09-26 15:00 110,592 v1201.exe
06-09-22 16:38 53,248 109uninst.exe
06-09-22 16:36 53,248 uni_7eh.exe
06-09-22 16:34 163,840 win3209829496810.exe
06-09-22 16:34 163,840 win3207108294968.exe
06-09-20 20:17 54,156 QTFont.qfn
06-09-18 20:11 2,904 mozver.dat
06-09-18 13:28 24,451 m.exe
06-09-17 18:29 12,343 htmlcode.dat
06-09-17 18:29 170 urls.dat
06-09-17 18:15 1,587 win.ini
06-09-15 23:22 480 Uninst2.htm
06-09-15 23:21 53,248 uninst108.exe
06-09-15 23:17 53,248 uni_e6h.exe
06-09-15 10:54 24,451 vgfma.exe
06-09-14 23:42 24,451 ftqdjt.exe
06-09-14 23:33 54,272 ieredir.exe
06-09-14 23:33 30,720 preredir.exe
06-09-14 23:33 23,040 ieserver.exe
06-09-14 23:33 32,768 dsrss.exe
06-08-27 13:39 75 USBBC.ini
06-08-22 00:41 159,744 win3208082949681.exe
06-08-13 17:34 24 tm.ini
06-08-13 16:58 0 tdf.dii
06-08-12 14:04 223,601 setupact.log
06-08-11 18:05 155,648 sys02949681082.exe
06-08-11 18:05 155,648 ms05681082949.exe

Verzeichnis von C:\

06-10-03 12:55 0 sys.txt
06-10-03 12:54 14,776 system.txt
06-10-03 12:53 127 systemtemp.txt
06-10-03 12:51 92,425 system32.txt
06-10-03 12:46 12,383 ComboFix.txt
06-10-03 12:45 1,073,741,824 pagefile.sys
06-10-03 12:23 15,833 ComboFix2.txt

#6 Gehe in die Registry
Start - Ausfuehren - regedit

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

loeschen:
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"QisNzDPFN"="{31711DEB-9BDB-B741-FBB8-60C6624E91C7}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktop"=dword:00000001 - in 0 andern

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

loeschen
"{31711DEA-05DA-1031-0919-030308280031}"

----------------------

««
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yttgp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jobkbsc.exe

O1 - Hosts: MZ€

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programme\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [outlook] C:\Programme\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [dptf1cb5] RUNDLL32.EXE w058b429.dll,n 004f1cb100000003058b429
O4 - HKLM\..\Run: [loaddr] C:\DOKUME~1\BARBAR~1\LOKALE~1\Temp\silver.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe

O4 - HKLM\..\Run: [sys09829496810] C:\WINDOWS\sys09829496810.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [ms05681082949] C:\WINDOWS\ms05681082949.exe
O4 - HKLM\..\Run: [win3208082949681] C:\WINDOWS\win3208082949681.exe
O4 - HKLM\..\Run: [win3207108294968] C:\WINDOWS\win3207108294968.exe
O4 - HKLM\..\Run: [saktndc.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\saktndc.dll,gsfsgof
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [np] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [sys02949681082] C:\WINDOWS\sys02949681082.exe
O4 - HKLM\..\Run: [win3209829496810] C:\WINDOWS\win3209829496810.exe
O4 - HKLM\..\Run: [ms] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\29473\gm.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll e1.dll
O20 - Winlogon Notify: openglwx - C:\WINDOWS\SYSTEM32\openglwx.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\k8pm0i71e8.dll
O20 - Winlogon Notify: swprodte - C:\WINDOWS\System32\swprodte.dll
O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_32.dll
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - C:\WINDOWS\System32\tqrerg32.dll
O21 - SSODL: QisNzDPFN - {31711DEB-9BDB-B741-FBB8-60C6624E91C7} - C:\WINDOWS\System32\bhrs.dll
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\2234_32.dll

Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{645FF040-5081-101B-9F08-00AA002F954E}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\openglwx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\swprodte

Files to delete:
C:\WINDOWS\System32\wifiks.sys
C:\WINDOWS\System32\xmsk64.sys
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00005.exe
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\dmonwv.dll
C:\Programme\WindowsUpdate\xupypaj.html
C:\WINDOWS\System32\yttgp.exe
C:\WINDOWS\System32\2236_32.dll
C:\WINDOWS\System32\2234_32.dll
C:\WINDOWS\System32\tqrerg32.dll
C:\WINDOWS\System32\dmonwv.dll
C:\WINDOWS\System32\bhrs.dll
C:\WINDOWS\system32\adir.dll
C:\WINDOWS\system32\tick481.bin
C:\WINDOWS\system32\swprodte.dll
C:\WINDOWS\system32\rdpwiasn.dll
C:\WINDOWS\system32\dminupnp.dll
C:\WINDOWS\system32\e1.dll
C:\WINDOWS\system32\dpmomspr.dll
C:\WINDOWS\system32\msimnpwm.exe
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\2234_32.dll
C:\WINDOWS\system32\srvc.dll
C:\WINDOWS\system32\tqrerg32.dll
C:\WINDOWS\system32\wxfgob32.dll
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\upnp.exe
C:\WINDOWS\system32\qvxgamet4.exe
C:\WINDOWS\system32\2236_32.dll
C:\WINDOWS\system32\qvxgamet3.exe
C:\WINDOWS\system32\qvxgamet2.exe
C:\WINDOWS\system32\inistone.ini
C:\WINDOWS\system32\TheMatrixHasYou.exe
C:\WINDOWS\system32\stonedrv.exe
C:\WINDOWS\system32\image.gif.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\qybhmln.dll
C:\WINDOWS\system32\saktndc.dll
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\loadinfo.ini
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\dlh9jkdq6.exe
C:\WINDOWS\system32\dlh9jkdq7.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\dlh9jkdq1.exe
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\dptf1cb5.sys
C:\WINDOWS\system32\loadinfo.stt
C:\WINDOWS\system32\w059221f.dll
C:\WINDOWS\system32\dptf1cb5.dll
C:\WINDOWS\system32\w058b429.dll
C:\WINDOWS\system32\nsp13C.dll
C:\WINDOWS\system32\openglwx.dll
C:\WINDOWS\system32\openglwxd.sys
C:\WINDOWS\system32\nounzaa.dll
C:\WINDOWS\System32\swprodte.exe
C:\WINDOWS\winlogon.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\vascyxpA.exe
C:\WINDOWS\tcb.pmw
C:\WINDOWS\desktop.html
C:\WINDOWS\em.ocx
C:\WINDOWS\em06y.ini
C:\WINDOWS\affbun.txt
C:\WINDOWS\srvfkstqxt.exe
C:\WINDOWS\sys09829496810.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\srvwavxkcy.exe
C:\WINDOWS\srvmdfzpiu.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\mm06y.ini
C:\WINDOWS\optimize.exe
C:\WINDOWS\tempf.txt
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\amm06.ocx
C:\WINDOWS\srvvascyxp.exe
C:\WINDOWS\ms034968108292006.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\srvouscbfk.exe
C:\WINDOWS\srvlkqwies.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\109uninst.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\win3209829496810.exe
C:\WINDOWS\win3207108294968.exe
C:\WINDOWS\m.exe
C:\WINDOWS\htmlcode.dat
C:\WINDOWS\urls.dat
C:\WINDOWS\Uninst2.htm
C:\WINDOWS\uninst108.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\vgfma.exe
C:\WINDOWS\ftqdjt.exe
C:\WINDOWS\ieredir.exe
C:\WINDOWS\preredir.exe
C:\WINDOWS\ieserver.exe
C:\WINDOWS\dsrss.exe
C:\WINDOWS\win3208082949681.exe
C:\WINDOWS\sys02949681082.exe
C:\WINDOWS\ms05681082949.exe
C:\Dokumente und Einstellungen\Barbara Friess\Lokale Einstellungen\Temp\silver.exe

Folders to delete:
C:\Programme\Gemeinsame Dateien\{31711DEA-05DA-1031-0919-030308280031}
C:\Program Files\BraveSentry
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\29473
C:\WINDOWS\QmFyYmFyYSBGcmllc3M
C:\Program Files\Internet Optimizer
C:\Programme\TheSearchAccelerator
C:\program files\popupwithcast
C:\Programme\Network Monitor
C:\Programme\PSDream

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
pote das log vom avenger, was nach neustart erscheint

**
Start - Programme - Zubehör - Systemprogramme - Datenträgerbereinigung
- Click:Temporäre Internet Files/Temporäre Internet Dateien, o.k.
- Click:Temporäre Dateien, o.k

**
SCANNE MIT SMITFRAUFDIX - OPTION 1 UND 2
http://virus-protect.org/artikel/tools/smitfrautfix.html
POSTE HIER BEIDE SCANREPORTE

««
poste noch mal das log von combofix + die 4 logs von datfindbat - bis August 2006 !!
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Hallo@Sabina,

vielen Dank für die Anweisungen. Hier meine Ergebnisse:

In [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] war "{31711DEA-05DA-1031-0919-030308280031}" nicht zu finden - konnte also nicht gelöscht werden.

In HJT ließen sich
O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll e1.dll
O20 - Winlogon Notify: openglwx - C:\WINDOWS\SYSTEM32\openglwx.dll
zunächst nicht unterdrücken.

Nachdem ich alle Schritte durchgeführt habe, war schließlich
O20 - AppInit_DLLs: e1.dll dpmomspr.dll dminupnp.dll
immer noch da.

Habe mehrmals versucht, Avenger zu starten und immer die Fehlermeldung "could not create zip file" erhalten - scheint aber zumindest teilweise funktioniert zu haben.

Was würdest Du jetzt als nächsten Schritt empfehlen?

Beste Grüße,
Stefan

------------------------------------------

Verzeichnis von C:\Avenger

06-10-03 16:03 <DIR> .
06-10-03 16:03 <DIR> ..
06-10-03 16:24 276 1.reg
06-10-03 16:24 276 2.reg
06-10-03 16:24 754 23.reg
06-10-03 16:24 610 24.reg
80-01-01 00:00 21,840 xmsk64.sys
06-09-26 15:49 1,024 ibm00005.exe
06-09-26 15:46 5,744 testtestt.exe
06-06-07 19:55 3,753 xupypaj.html
06-09-26 15:47 157,184 2236_32.dll
06-09-26 15:48 157,184 2234_32.dll
06-09-26 15:47 32,949 tqrerg32.dll
05-09-26 15:47 14,848 bhrs.dll
06-10-03 12:27 4,608 adir.dll
06-09-26 16:19 12 tick481.bin
06-09-26 15:50 184,832 swprodte.dll
06-09-26 15:49 61,440 rdpwiasn.dll
06-09-26 15:49 24,576 dminupnp.dll
06-09-26 15:49 11,264 e1.dll
06-09-26 15:49 35,328 dpmomspr.dll
06-09-26 15:49 49,152 msimnpwm.exe
06-09-26 15:49 17,920 ntio256.sys
06-09-26 15:49 15,360 protector.exe
06-09-26 15:48 46,592 zlbw.dll
06-09-26 15:48 1 kr_done1
06-09-26 15:47 53,248 srvc.dll
06-09-26 15:47 32,949 wxfgob32.dll
06-09-26 15:47 6,868 taskdir~.exe
06-09-26 15:47 10,649 upnp.exe
06-09-26 15:47 1,632 qvxgamet4.exe
06-09-26 15:47 69,632 qvxgamet3.exe
06-09-26 15:47 1,632 qvxgamet2.exe
06-09-26 15:46 0 inistone.ini
06-09-26 15:46 1,232 TheMatrixHasYou.exe
06-09-26 15:46 15,104 stonedrv.exe
06-09-26 15:46 52,948 image.gif.exe
06-09-26 15:46 52,948 taskdir.exe
06-09-26 15:46 4 winsub.xml
06-09-26 15:46 63 svcp.csv
06-09-26 15:46 72,704 qybhmln.dll
06-09-26 15:46 94,720 saktndc.dll
06-09-26 15:46 1 loadinfo.ini
06-09-26 15:46 1 vx.tll
06-09-26 15:46 6,082 dlh9jkdq6.exe
06-09-26 15:46 6,031 dlh9jkdq7.exe
06-09-26 15:46 4,275 dlh9jkdq5.exe
06-09-26 15:46 17,807 dlh9jkdq2.exe
06-09-26 15:46 2,518 dlh9jkdq1.exe
06-09-26 15:46 17 dlh9jkdq8.exe
06-09-26 15:45 1,233 dptf1cb5.sys
06-09-26 15:02 979 loadinfo.stt
06-09-26 15:01 29,696 w059221f.dll
06-09-26 15:01 61,952 dptf1cb5.dll
06-09-26 15:01 29,696 w058b429.dll
06-09-18 13:32 80,896 nsp13C.dll
06-09-14 23:42 18,787 openglwx.dll
06-09-14 23:42 6,912 openglwxd.sys
06-08-31 16:37 126,976 nounzaa.dll
03-10-07 23:34 131,072 winlogon.exe
02-05-06 13:36 52,224 smss.exe
06-09-26 15:47 697,824 vascyxpA.exe
06-09-26 15:47 27 tcb.pmw
06-09-26 15:46 1,999 desktop.html
06-09-26 15:46 79,648 em.ocx
06-09-26 15:46 171 em06y.ini
06-09-26 15:46 1,025 affbun.txt
06-09-26 15:46 215,308 srvfkstqxt.exe
06-09-26 15:46 163,840 sys09829496810.exe
06-09-26 15:02 0 newname.dat
06-09-26 15:02 183,476 srvwavxkcy.exe
06-09-26 15:02 53,120 srvmdfzpiu.exe
06-09-26 15:02 32,768 unstall.exe
06-09-26 15:02 292 mm06y.ini
06-09-26 15:02 53,120 optimize.exe
06-09-26 15:01 2 tempf.txt
06-09-26 15:01 268,581 popupwithcast.exe
06-09-26 15:01 79,816 amm06.ocx
06-09-26 15:01 183,478 srvvascyxp.exe
06-09-26 15:00 163,840 ms034968108292006.exe
06-09-26 15:00 36,608 nem220.dll
06-09-26 15:00 217,276 srvouscbfk.exe
06-09-26 15:00 53,120 srvlkqwies.exe
06-09-26 15:00 110,592 v1201.exe
06-09-22 16:38 53,248 109uninst.exe
06-09-22 16:36 53,248 uni_7eh.exe
06-09-22 16:34 163,840 win3209829496810.exe
06-09-22 16:34 163,840 win3207108294968.exe
06-09-18 13:28 24,451 m.exe
06-09-17 18:29 12,343 htmlcode.dat
06-09-17 18:29 170 urls.dat
06-09-15 23:22 480 Uninst2.htm
06-09-15 23:21 53,248 uninst108.exe
06-09-15 23:17 53,248 uni_e6h.exe
06-09-15 10:54 24,451 vgfma.exe
06-09-14 23:42 24,451 ftqdjt.exe
06-09-14 23:33 54,272 ieredir.exe
06-09-14 23:33 30,720 preredir.exe
06-09-14 23:33 23,040 ieserver.exe
06-09-14 23:33 32,768 dsrss.exe
06-08-22 00:41 159,744 win3208082949681.exe
06-08-11 18:05 155,648 sys02949681082.exe
06-08-11 18:05 155,648 ms05681082949.exe
06-09-26 15:46 <DIR> BraveSentry
06-10-02 00:54 <DIR> 29473
06-09-26 15:00 <DIR> Internet Optimizer
06-09-26 15:01 <DIR> popupwithcast
06-09-26 15:01 <DIR> PSDream
06-10-03 16:36 0 dirAvenger.txt
102 Datei(en) 5,725,804 Bytes

Verzeichnis von C:\Avenger\BraveSentry

06-09-26 15:46 <DIR> .
06-09-26 15:46 <DIR> ..
06-09-26 15:46 472,576 BraveSentry.exe
06-09-26 15:46 410,974 BraveSentry0.bs
06-09-26 15:46 124,928 BraveSentry0.dll
06-09-26 15:46 29,460 BraveSentry1.bs
06-09-26 15:46 125,952 BraveSentry1.dll
06-09-26 15:46 117,760 BraveSentry2.dll
06-09-26 15:46 119,296 BraveSentry3.dll
06-09-26 15:46 114,688 Uninstall.exe
06-09-26 15:46 100 BraveSentry.lic
9 Datei(en) 1,515,734 Bytes

Verzeichnis von C:\Avenger\29473

06-10-02 00:54 <DIR> .
06-10-02 00:54 <DIR> ..
0 Datei(en) 0 Bytes

Verzeichnis von C:\Avenger\Internet Optimizer

06-09-26 15:00 <DIR> .
06-09-26 15:00 <DIR> ..
06-09-26 15:00 53,120 optimize.exe
1 Datei(en) 53,120 Bytes

Verzeichnis von C:\Avenger\popupwithcast

06-09-26 15:01 <DIR> .
06-09-26 15:01 <DIR> ..
06-07-12 12:25 262,144 Cast.dll
06-07-12 12:25 2,208 cload.dat
06-07-12 12:26 38,328 cp.dat
06-07-12 12:26 7,368 csys.dat
06-09-06 23:06 <DIR> CastStat
06-07-12 12:25 98,304 CastAux.dll
06-09-20 22:12 40,960 septpop06apsept.exe
06-09-26 15:01 <DIR> CastGen
06-09-26 15:01 <DIR> CastSys
6 Datei(en) 449,312 Bytes

Verzeichnis von C:\Avenger\popupwithcast\CastStat

06-09-26 15:01 <DIR> .
06-09-26 15:01 <DIR> ..
06-07-12 16:08 5,704 cast.dat
1 Datei(en) 5,704 Bytes

Verzeichnis von C:\Avenger\popupwithcast\CastGen

06-09-26 15:01 <DIR> .
06-09-26 15:01 <DIR> ..
06-10-02 00:27 1,112 h451924c629.dat
06-09-26 15:02 <DIR> Barbara
1 Datei(en) 1,112 Bytes

Verzeichnis von C:\Avenger\popupwithcast\CastGen\Barbara

06-09-26 15:02 <DIR> .
06-09-26 15:02 <DIR> ..
06-10-02 00:27 496 f451924d44d06.dat
1 Datei(en) 496 Bytes

Verzeichnis von C:\Avenger\popupwithcast\CastSys

06-09-26 15:01 <DIR> .
06-09-26 15:01 <DIR> ..
0 Datei(en) 0 Bytes

Verzeichnis von C:\Avenger\PSDream

06-09-26 15:01 <DIR> .
06-09-26 15:01 <DIR> ..
06-09-20 03:41 307,200 PSDream.exe
06-09-26 15:01 33,016 Uninstall.exe
2 Datei(en) 340,216 Bytes

Anzahl der angezeigten Dateien:
123 Datei(en) 8,091,498 Bytes
29 Verzeichnis(se), 40,788,754,432 Bytes frei

------------------------------------------

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vekowhyn

*******************

Script file located at: \??\C:\WINDOWS\xqhhxewy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wifiks.sys
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmsk64.sys
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Status: 0xc0000034



File C:\WINDOWS\System32\wifiks.sys not found!
Deletion of file C:\WINDOWS\System32\wifiks.sys failed!

Could not process line:
C:\WINDOWS\System32\wifiks.sys
Status: 0xc0000034



File C:\WINDOWS\System32\xmsk64.sys not found!
Deletion of file C:\WINDOWS\System32\xmsk64.sys failed!

Could not process line:
C:\WINDOWS\System32\xmsk64.sys
Status: 0xc0000034



File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00005.exe not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00005.exe failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00005.exe
Status: 0xc0000034



File C:\WINDOWS\System32\testtestt.exe not found!
Deletion of file C:\WINDOWS\System32\testtestt.exe failed!

Could not process line:
C:\WINDOWS\System32\testtestt.exe
Status: 0xc0000034



File C:\WINDOWS\System32\dmonwv.dll not found!
Deletion of file C:\WINDOWS\System32\dmonwv.dll failed!

Could not process line:
C:\WINDOWS\System32\dmonwv.dll
Status: 0xc0000034



File C:\Programme\WindowsUpdate\xupypaj.html not found!
Deletion of file C:\Programme\WindowsUpdate\xupypaj.html failed!

Could not process line:
C:\Programme\WindowsUpdate\xupypaj.html
Status: 0xc0000034



File C:\WINDOWS\System32\yttgp.exe not found!
Deletion of file C:\WINDOWS\System32\yttgp.exe failed!

Could not process line:
C:\WINDOWS\System32\yttgp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\2236_32.dll not found!
Deletion of file C:\WINDOWS\System32\2236_32.dll failed!

Could not process line:
C:\WINDOWS\System32\2236_32.dll
Status: 0xc0000034



File C:\WINDOWS\System32\2234_32.dll not found!
Deletion of file C:\WINDOWS\System32\2234_32.dll failed!

Could not process line:
C:\WINDOWS\System32\2234_32.dll
Status: 0xc0000034



File C:\WINDOWS\System32\tqrerg32.dll not found!
Deletion of file C:\WINDOWS\System32\tqrerg32.dll failed!

Could not process line:
C:\WINDOWS\System32\tqrerg32.dll
Status: 0xc0000034



File C:\WINDOWS\System32\dmonwv.dll not found!
Deletion of file C:\WINDOWS\System32\dmonwv.dll failed!

Could not process line:
C:\WINDOWS\System32\dmonwv.dll
Status: 0xc0000034



File C:\WINDOWS\System32\bhrs.dll not found!
Deletion of file C:\WINDOWS\System32\bhrs.dll failed!

Could not process line:
C:\WINDOWS\System32\bhrs.dll
Status: 0xc0000034



File C:\WINDOWS\system32\adir.dll not found!
Deletion of file C:\WINDOWS\system32\adir.dll failed!

Could not process line:
C:\WINDOWS\system32\adir.dll
Status: 0xc0000034



File C:\WINDOWS\system32\tick481.bin not found!
Deletion of file C:\WINDOWS\system32\tick481.bin failed!

Could not process line:
C:\WINDOWS\system32\tick481.bin
Status: 0xc0000034



File C:\WINDOWS\system32\swprodte.dll not found!
Deletion of file C:\WINDOWS\system32\swprodte.dll failed!

Could not process line:
C:\WINDOWS\system32\swprodte.dll
Status: 0xc0000034



File C:\WINDOWS\system32\rdpwiasn.dll not found!
Deletion of file C:\WINDOWS\system32\rdpwiasn.dll failed!

Could not process line:
C:\WINDOWS\system32\rdpwiasn.dll
Status: 0xc0000034



File C:\WINDOWS\system32\dminupnp.dll not found!
Deletion of file C:\WINDOWS\system32\dminupnp.dll failed!

Could not process line:
C:\WINDOWS\system32\dminupnp.dll
Status: 0xc0000034



File C:\WINDOWS\system32\e1.dll not found!
Deletion of file C:\WINDOWS\system32\e1.dll failed!

Could not process line:
C:\WINDOWS\system32\e1.dll
Status: 0xc0000034



File C:\WINDOWS\system32\dpmomspr.dll not found!
Deletion of file C:\WINDOWS\system32\dpmomspr.dll failed!

Could not process line:
C:\WINDOWS\system32\dpmomspr.dll
Status: 0xc0000034



File C:\WINDOWS\system32\msimnpwm.exe not found!
Deletion of file C:\WINDOWS\system32\msimnpwm.exe failed!

Could not process line:
C:\WINDOWS\system32\msimnpwm.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ntio256.sys not found!
Deletion of file C:\WINDOWS\system32\ntio256.sys failed!

Could not process line:
C:\WINDOWS\system32\ntio256.sys
Status: 0xc0000034



File C:\WINDOWS\system32\protector.exe not found!
Deletion of file C:\WINDOWS\system32\protector.exe failed!

Could not process line:
C:\WINDOWS\system32\protector.exe
Status: 0xc0000034



File C:\WINDOWS\system32\zlbw.dll not found!
Deletion of file C:\WINDOWS\system32\zlbw.dll failed!

Could not process line:
C:\WINDOWS\system32\zlbw.dll
Status: 0xc0000034



File C:\WINDOWS\system32\kr_done1 not found!
Deletion of file C:\WINDOWS\system32\kr_done1 failed!

Could not process line:
C:\WINDOWS\system32\kr_done1
Status: 0xc0000034



File C:\WINDOWS\system32\2234_32.dll not found!
Deletion of file C:\WINDOWS\system32\2234_32.dll failed!

Could not process line:
C:\WINDOWS\system32\2234_32.dll
Status: 0xc0000034



File C:\WINDOWS\system32\srvc.dll not found!
Deletion of file C:\WINDOWS\system32\srvc.dll failed!

Could not process line:
C:\WINDOWS\system32\srvc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\tqrerg32.dll not found!
Deletion of file C:\WINDOWS\system32\tqrerg32.dll failed!

Could not process line:
C:\WINDOWS\system32\tqrerg32.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wxfgob32.dll not found!
Deletion of file C:\WINDOWS\system32\wxfgob32.dll failed!

Could not process line:
C:\WINDOWS\system32\wxfgob32.dll
Status: 0xc0000034



File C:\WINDOWS\system32\taskdir~.exe not found!
Deletion of file C:\WINDOWS\system32\taskdir~.exe failed!

Could not process line:
C:\WINDOWS\system32\taskdir~.exe
Status: 0xc0000034



File C:\WINDOWS\system32\upnp.exe not found!
Deletion of file C:\WINDOWS\system32\upnp.exe failed!

Could not process line:
C:\WINDOWS\system32\upnp.exe
Status: 0xc0000034



File C:\WINDOWS\system32\qvxgamet4.exe not found!
Deletion of file C:\WINDOWS\system32\qvxgamet4.exe failed!

Could not process line:
C:\WINDOWS\system32\qvxgamet4.exe
Status: 0xc0000034



File C:\WINDOWS\system32\2236_32.dll not found!
Deletion of file C:\WINDOWS\system32\2236_32.dll failed!

Could not process line:
C:\WINDOWS\system32\2236_32.dll
Status: 0xc0000034



File C:\WINDOWS\system32\qvxgamet3.exe not found!
Deletion of file C:\WINDOWS\system32\qvxgamet3.exe failed!

Could not process line:
C:\WINDOWS\system32\qvxgamet3.exe
Status: 0xc0000034



File C:\WINDOWS\system32\qvxgamet2.exe not found!
Deletion of file C:\WINDOWS\system32\qvxgamet2.exe failed!

Could not process line:
C:\WINDOWS\system32\qvxgamet2.exe
Status: 0xc0000034



File C:\WINDOWS\system32\inistone.ini not found!
Deletion of file C:\WINDOWS\system32\inistone.ini failed!

Could not process line:
C:\WINDOWS\system32\inistone.ini
Status: 0xc0000034



File C:\WINDOWS\system32\TheMatrixHasYou.exe not found!
Deletion of file C:\WINDOWS\system32\TheMatrixHasYou.exe failed!

Could not process line:
C:\WINDOWS\system32\TheMatrixHasYou.exe
Status: 0xc0000034



File C:\WINDOWS\system32\stonedrv.exe not found!
Deletion of file C:\WINDOWS\system32\stonedrv.exe failed!

Could not process line:
C:\WINDOWS\system32\stonedrv.exe
Status: 0xc0000034



File C:\WINDOWS\system32\image.gif.exe not found!
Deletion of file C:\WINDOWS\system32\image.gif.exe failed!

Could not process line:
C:\WINDOWS\system32\image.gif.exe
Status: 0xc0000034



File C:\WINDOWS\system32\taskdir.exe not found!
Deletion of file C:\WINDOWS\system32\taskdir.exe failed!

Could not process line:
C:\WINDOWS\system32\taskdir.exe
Status: 0xc0000034



File C:\WINDOWS\system32\winsub.xml not found!
Deletion of file C:\WINDOWS\system32\winsub.xml failed!

Could not process line:
C:\WINDOWS\system32\winsub.xml
Status: 0xc0000034



File C:\WINDOWS\system32\svcp.csv not found!
Deletion of file C:\WINDOWS\system32\svcp.csv failed!

Could not process line:
C:\WINDOWS\system32\svcp.csv
Status: 0xc0000034



File C:\WINDOWS\system32\qybhmln.dll not found!
Deletion of file C:\WINDOWS\system32\qybhmln.dll failed!

Could not process line:
C:\WINDOWS\system32\qybhmln.dll
Status: 0xc0000034



File C:\WINDOWS\system32\saktndc.dll not found!
Deletion of file C:\WINDOWS\system32\saktndc.dll failed!

Could not process line:
C:\WINDOWS\system32\saktndc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\testtestt.exe not found!
Deletion of file C:\WINDOWS\system32\testtestt.exe failed!

Could not process line:
C:\WINDOWS\system32\testtestt.exe
Status: 0xc0000034



File C:\WINDOWS\system32\loadinfo.ini not found!
Deletion of file C:\WINDOWS\system32\loadinfo.ini failed!

Could not process line:
C:\WINDOWS\system32\loadinfo.ini
Status: 0xc0000034



File C:\WINDOWS\system32\vx.tll not found!
Deletion of file C:\WINDOWS\system32\vx.tll failed!

Could not process line:
C:\WINDOWS\system32\vx.tll
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq6.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq6.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq6.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq7.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq7.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq7.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq5.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq5.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq5.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq2.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq2.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq2.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq1.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq1.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq1.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dlh9jkdq8.exe not found!
Deletion of file C:\WINDOWS\system32\dlh9jkdq8.exe failed!

Could not process line:
C:\WINDOWS\system32\dlh9jkdq8.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dptf1cb5.sys not found!
Deletion of file C:\WINDOWS\system32\dptf1cb5.sys failed!

Could not process line:
C:\WINDOWS\system32\dptf1cb5.sys
Status: 0xc0000034



File C:\WINDOWS\system32\loadinfo.stt not found!
Deletion of file C:\WINDOWS\system32\loadinfo.stt failed!

Could not process line:
C:\WINDOWS\system32\loadinfo.stt
Status: 0xc0000034



File C:\WINDOWS\system32\w059221f.dll not found!
Deletion of file C:\WINDOWS\system32\w059221f.dll failed!

Could not process line:
C:\WINDOWS\system32\w059221f.dll
Status: 0xc0000034



File C:\WINDOWS\system32\dptf1cb5.dll not found!
Deletion of file C:\WINDOWS\system32\dptf1cb5.dll failed!

Could not process line:
C:\WINDOWS\system32\dptf1cb5.dll
Status: 0xc0000034



File C:\WINDOWS\system32\w058b429.dll not found!
Deletion of file C:\WINDOWS\system32\w058b429.dll failed!

Could not process line:
C:\WINDOWS\system32\w058b429.dll
Status: 0xc0000034



File C:\WINDOWS\system32\nsp13C.dll not found!
Deletion of file C:\WINDOWS\system32\nsp13C.dll failed!

Could not process line:
C:\WINDOWS\system32\nsp13C.dll
Status: 0xc0000034



File C:\WINDOWS\system32\openglwx.dll not found!
Deletion of file C:\WINDOWS\system32\openglwx.dll failed!

Could not process line:
C:\WINDOWS\system32\openglwx.dll
Status: 0xc0000034



File C:\WINDOWS\system32\openglwxd.sys not found!
Deletion of file C:\WINDOWS\system32\openglwxd.sys failed!

Could not process line:
C:\WINDOWS\system32\openglwxd.sys
Status: 0xc0000034



File C:\WINDOWS\system32\nounzaa.dll not found!
Deletion of file C:\WINDOWS\system32\nounzaa.dll failed!

Could not process line:
C:\WINDOWS\system32\nounzaa.dll
Status: 0xc0000034



File C:\WINDOWS\System32\swprodte.exe not found!
Deletion of file C:\WINDOWS\System32\swprodte.exe failed!

Could not process line:
C:\WINDOWS\System32\swprodte.exe
Status: 0xc0000034



File C:\WINDOWS\winlogon.exe not found!
Deletion of file C:\WINDOWS\winlogon.exe failed!

Could not process line:
C:\WINDOWS\winlogon.exe
Status: 0xc0000034



File C:\WINDOWS\smss.exe not found!
Deletion of file C:\WINDOWS\smss.exe failed!

Could not process line:
C:\WINDOWS\smss.exe
Status: 0xc0000034



File C:\WINDOWS\vascyxpA.exe not found!
Deletion of file C:\WINDOWS\vascyxpA.exe failed!

Could not process line:
C:\WINDOWS\vascyxpA.exe
Status: 0xc0000034



File C:\WINDOWS\tcb.pmw not found!
Deletion of file C:\WINDOWS\tcb.pmw failed!

Could not process line:
C:\WINDOWS\tcb.pmw
Status: 0xc0000034



File C:\WINDOWS\desktop.html not found!
Deletion of file C:\WINDOWS\desktop.html failed!

Could not process line:
C:\WINDOWS\desktop.html
Status: 0xc0000034



File C:\WINDOWS\em.ocx not found!
Deletion of file C:\WINDOWS\em.ocx failed!

Could not process line:
C:\WINDOWS\em.ocx
Status: 0xc0000034



File C:\WINDOWS\em06y.ini not found!
Deletion of file C:\WINDOWS\em06y.ini failed!

Could not process line:
C:\WINDOWS\em06y.ini
Status: 0xc0000034



File C:\WINDOWS\affbun.txt not found!
Deletion of file C:\WINDOWS\affbun.txt failed!

Could not process line:
C:\WINDOWS\affbun.txt
Status: 0xc0000034



File C:\WINDOWS\srvfkstqxt.exe not found!
Deletion of file C:\WINDOWS\srvfkstqxt.exe failed!

Could not process line:
C:\WINDOWS\srvfkstqxt.exe
Status: 0xc0000034



File C:\WINDOWS\sys09829496810.exe not found!
Deletion of file C:\WINDOWS\sys09829496810.exe failed!

Could not process line:
C:\WINDOWS\sys09829496810.exe
Status: 0xc0000034



File C:\WINDOWS\newname.dat not found!
Deletion of file C:\WINDOWS\newname.dat failed!

Could not process line:
C:\WINDOWS\newname.dat
Status: 0xc0000034



File C:\WINDOWS\srvwavxkcy.exe not found!
Deletion of file C:\WINDOWS\srvwavxkcy.exe failed!

Could not process line:
C:\WINDOWS\srvwavxkcy.exe
Status: 0xc0000034



File C:\WINDOWS\srvmdfzpiu.exe not found!
Deletion of file C:\WINDOWS\srvmdfzpiu.exe failed!

Could not process line:
C:\WINDOWS\srvmdfzpiu.exe
Status: 0xc0000034



File C:\WINDOWS\unstall.exe not found!
Deletion of file C:\WINDOWS\unstall.exe failed!

Could not process line:
C:\WINDOWS\unstall.exe
Status: 0xc0000034



File C:\WINDOWS\mm06y.ini not found!
Deletion of file C:\WINDOWS\mm06y.ini failed!

Could not process line:
C:\WINDOWS\mm06y.ini
Status: 0xc0000034



File C:\WINDOWS\optimize.exe not found!
Deletion of file C:\WINDOWS\optimize.exe failed!

Could not process line:
C:\WINDOWS\optimize.exe
Status: 0xc0000034



File C:\WINDOWS\tempf.txt not found!
Deletion of file C:\WINDOWS\tempf.txt failed!

Could not process line:
C:\WINDOWS\tempf.txt
Status: 0xc0000034



File C:\WINDOWS\popupwithcast.exe not found!
Deletion of file C:\WINDOWS\popupwithcast.exe failed!

Could not process line:
C:\WINDOWS\popupwithcast.exe
Status: 0xc0000034



File C:\WINDOWS\amm06.ocx not found!
Deletion of file C:\WINDOWS\amm06.ocx failed!

Could not process line:
C:\WINDOWS\amm06.ocx
Status: 0xc0000034



File C:\WINDOWS\srvvascyxp.exe not found!
Deletion of file C:\WINDOWS\srvvascyxp.exe failed!

Could not process line:
C:\WINDOWS\srvvascyxp.exe
Status: 0xc0000034



File C:\WINDOWS\ms034968108292006.exe not found!
Deletion of file C:\WINDOWS\ms034968108292006.exe failed!

Could not process line:
C:\WINDOWS\ms034968108292006.exe
Status: 0xc0000034



File C:\WINDOWS\nem220.dll not found!
Deletion of file C:\WINDOWS\nem220.dll failed!

Could not process line:
C:\WINDOWS\nem220.dll
Status: 0xc0000034



File C:\WINDOWS\srvouscbfk.exe not found!
Deletion of file C:\WINDOWS\srvouscbfk.exe failed!

Could not process line:
C:\WINDOWS\srvouscbfk.exe
Status: 0xc0000034



File C:\WINDOWS\srvlkqwies.exe not found!
Deletion of file C:\WINDOWS\srvlkqwies.exe failed!

Could not process line:
C:\WINDOWS\srvlkqwies.exe
Status: 0xc0000034



File C:\WINDOWS\v1201.exe not found!
Deletion of file C:\WINDOWS\v1201.exe failed!

Could not process line:
C:\WINDOWS\v1201.exe
Status: 0xc0000034



File C:\WINDOWS\109uninst.exe not found!
Deletion of file C:\WINDOWS\109uninst.exe failed!

Could not process line:
C:\WINDOWS\109uninst.exe
Status: 0xc0000034



File C:\WINDOWS\uni_7eh.exe not found!
Deletion of file C:\WINDOWS\uni_7eh.exe failed!

Could not process line:
C:\WINDOWS\uni_7eh.exe
Status: 0xc0000034



File C:\WINDOWS\win3209829496810.exe not found!
Deletion of file C:\WINDOWS\win3209829496810.exe failed!

Could not process line:
C:\WINDOWS\win3209829496810.exe
Status: 0xc0000034



File C:\WINDOWS\win3207108294968.exe not found!
Deletion of file C:\WINDOWS\win3207108294968.exe failed!

Could not process line:
C:\WINDOWS\win3207108294968.exe
Status: 0xc0000034



File C:\WINDOWS\m.exe not found!
Deletion of file C:\WINDOWS\m.exe failed!

Could not process line:
C:\WINDOWS\m.exe
Status: 0xc0000034



File C:\WINDOWS\htmlcode.dat not found!
Deletion of file C:\WINDOWS\htmlcode.dat failed!

Could not process line:
C:\WINDOWS\htmlcode.dat
Status: 0xc0000034



File C:\WINDOWS\urls.dat not found!
Deletion of file C:\WINDOWS\urls.dat failed!

Could not process line:
C:\WINDOWS\urls.dat
Status: 0xc0000034



File C:\WINDOWS\Uninst2.htm not found!
Deletion of file C:\WINDOWS\Uninst2.htm failed!

Could not process line:
C:\WINDOWS\Uninst2.htm
Status: 0xc0000034



File C:\WINDOWS\uninst108.exe not found!
Deletion of file C:\WINDOWS\uninst108.exe failed!

Could not process line:
C:\WINDOWS\uninst108.exe
Status: 0xc0000034



File C:\WINDOWS\uni_e6h.exe not found!
Deletion of file C:\WINDOWS\uni_e6h.exe failed!

Could not process line:
C:\WINDOWS\uni_e6h.exe
Status: 0xc0000034



File C:\WINDOWS\vgfma.exe not found!
Deletion of file C:\WINDOWS\vgfma.exe failed!

Could not process line:
C:\WINDOWS\vgfma.exe
Status: 0xc0000034



File C:\WINDOWS\ftqdjt.exe not found!
Deletion of file C:\WINDOWS\ftqdjt.exe failed!

Could not process line:
C:\WINDOWS\ftqdjt.exe
Status: 0xc0000034



File C:\WINDOWS\ieredir.exe not found!
Deletion of file C:\WINDOWS\ieredir.exe failed!

Could not process line:
C:\WINDOWS\ieredir.exe
Status: 0xc0000034



File C:\WINDOWS\preredir.exe not found!
Deletion of file C:\WINDOWS\preredir.exe failed!

Could not process line:
C:\WINDOWS\preredir.exe
Status: 0xc0000034



File C:\WINDOWS\ieserver.exe not found!
Deletion of file C:\WINDOWS\ieserver.exe failed!

Could not process line:
C:\WINDOWS\ieserver.exe
Status: 0xc0000034



File C:\WINDOWS\dsrss.exe not found!
Deletion of file C:\WINDOWS\dsrss.exe failed!

Could not process line:
C:\WINDOWS\dsrss.exe
Status: 0xc0000034



File C:\WINDOWS\win3208082949681.exe not found!
Deletion of file C:\WINDOWS\win3208082949681.exe failed!

Could not process line:
C:\WINDOWS\win3208082949681.exe
Status: 0xc0000034



File C:\WINDOWS\sys02949681082.exe not found!
Deletion of file C:\WINDOWS\sys02949681082.exe failed!

Could not process line:
C:\WINDOWS\sys02949681082.exe
Status: 0xc0000034



File C:\WINDOWS\ms05681082949.exe not found!
Deletion of file C:\WINDOWS\ms05681082949.exe failed!

Could not process line:
C:\WINDOWS\ms05681082949.exe
Status: 0xc0000034



File C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\silver.exe not found!
Deletion of file C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\silver.exe failed!

Could not process line:
C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\silver.exe
Status: 0xc0000034



Folder C:\Programme\Gemeinsame Dateien\{31711DEA-05DA-1031-0919-030308280031} not found!
Deletion of folder C:\Programme\Gemeinsame Dateien\{31711DEA-05DA-1031-0919-030308280031} failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\{31711DEA-05DA-1031-0919-030308280031}
Status: 0xc0000034



Folder C:\Program Files\BraveSentry not found!
Deletion of folder C:\Program Files\BraveSentry failed!

Could not process line:
C:\Program Files\BraveSentry
Status: 0xc0000034



Folder C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\29473 not found!
Deletion of folder C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\29473 failed!

Could not process line:
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\29473
Status: 0xc0000034



Folder C:\WINDOWS\QmFyYmFyYSBGcmllc3M not found!
Deletion of folder C:\WINDOWS\QmFyYmFyYSBGcmllc3M failed!

Could not process line:
C:\WINDOWS\QmFyYmFyYSBGcmllc3M
Status: 0xc0000034



Folder C:\Program Files\Internet Optimizer not found!
Deletion of folder C:\Program Files\Internet Optimizer failed!

Could not process line:
C:\Program Files\Internet Optimizer
Status: 0xc0000034



Folder C:\Programme\TheSearchAccelerator not found!
Deletion of folder C:\Programme\TheSearchAccelerator failed!

Could not process line:
C:\Programme\TheSearchAccelerator
Status: 0xc0000034



Folder C:\program files\popupwithcast not found!
Deletion of folder C:\program files\popupwithcast failed!

Could not process line:
C:\program files\popupwithcast
Status: 0xc0000034



Folder C:\Programme\Network Monitor not found!
Deletion of folder C:\Programme\Network Monitor failed!

Could not process line:
C:\Programme\Network Monitor
Status: 0xc0000034



Folder C:\Programme\PSDream not found!
Deletion of folder C:\Programme\PSDream failed!

Could not process line:
C:\Programme\PSDream
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{645FF040-5081-101B-9F08-00AA002F954E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{645FF040-5081-101B-9F08-00AA002F954E} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{6BF52A52-394A-11D3-B153-00C04F79FAA6} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{6BF52A52-394A-11D3-B153-00C04F79FAA6} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\openglwx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\openglwx failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\swprodte not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\swprodte failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

------------------------------------------

SmitFraudFix v2.104

Scan done at 17:06:40.74, 06-10-03
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="e1.dll dpmomspr.dll dminupnp.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------

SmitFraudFix v2.104

Scan done at 17:03:43.12, 06-10-03
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------

Administrator - 06-10-03 17:07:36.34 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Programme\SKS~1
C:\QooBox\Purity\Programme\SKS~1\ç?sks
C:\QooBox\Purity\Programme\SKS~1\rundll.exe


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-03 16:39 60,416 --a------ C:\WINDOWS\system32\drivers\kbhhiiqw.sys
2006-10-03 16:39 1,080 --a------ C:\nvymdqsp.bat
2006-10-03 16:28 60,416 --a------ C:\WINDOWS\system32\drivers\hyasukwu.sys
2006-10-03 16:24 60,416 --a------ C:\WINDOWS\system32\drivers\trnpnans.sys
2006-10-03 16:24 1,080 --a------ C:\cibsjgjn.bat
2006-10-03 16:22 60,416 --a------ C:\WINDOWS\system32\drivers\itcxfgnb.sys
2006-10-03 16:22 1,080 --a------ C:\gncpvrbo.bat
2006-10-03 16:19 60,416 --a------ C:\WINDOWS\system32\drivers\twfutbmw.sys
2006-10-03 16:19 1,080 --a------ C:\aunxeryn.bat
2006-10-03 16:17 130,048 --a------ C:\avenger.exe
2006-10-03 16:15 60,416 --a------ C:\WINDOWS\system32\drivers\wvespspg.sys
2006-10-03 16:15 1,080 --a------ C:\ruosuaeu.bat
2006-10-03 16:02 60,416 --a------ C:\WINDOWS\system32\drivers\acrshhay.sys
2006-10-03 16:02 19,131 --a------ C:\avexport.bat
2006-10-03 16:02 126,976 --a------ C:\zip.exe
2006-10-03 16:02 1,080 --a------ C:\ooxepema.bat
2006-10-02 00:26 234,594 -r--s---- C:\WINDOWS\system32\xfsp1res.dll
2006-09-26 15:02 39,903 --a------ C:\WINDOWS\system32\qz.dll
2006-09-26 15:01 668,784 -r-hs---- C:\WINDOWS\vascyxp.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

[COLOR=RED]Rootkit driver pe386 is present. A rootkit scan is required[/COLOR]

2006-10-02 00:50 -------- d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla
2006-10-02 00:21 -------- d-------- C:\Programme\CleanUp!
2006-09-27 22:51 -------- d-------- C:\Programme\Hijackthis
2006-09-26 15:02 -------- d--h----- C:\Programme\BHO Plugin


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"LManager"="C:\\Programme\\Launch Manager\\QtZgAcer.EXE"
"AcerNotebookManager"=""
@=""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"cfnqeboe"="C:\\ooxepema.bat"
"noqwonqn"="C:\\ruosuaeu.bat"
"hjhafoun"="C:\\aunxeryn.bat"
"xhmbrmmg"="C:\\gncpvrbo.bat"
"doqfvwtj"="C:\\cibsjgjn.bat"
"vlwnsnud"="C:\\nvymdqsp.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 06-10-03 17:07:53.31
ComboFix3.txt
ComboFix2.txt
ComboFix.txt

------------------------------------------

Ausgabe von datFind.bat:

Verzeichnis von C:\WINDOWS\system32

06-10-03 16:15 11,192 xijtgulq.txt
06-10-03 10:01 1,158 wpa.dbl
06-10-02 00:26 234,594 xfsp1res.dll
06-09-27 22:10 203,328 FNTCACHE.DAT
06-09-26 15:03 320 stt82.ini
06-09-26 15:03 0 klgcptini.dat

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

Verzeichnis von C:\WINDOWS

06-10-03 17:12 6,048,638 ntbtlog.txt
06-10-03 17:03 223,841 setupact.log
06-10-03 17:00 2,048 bootstat.dat
06-10-03 16:22 11,192 errxbhrd.txt
06-10-03 16:03 11,192 lmiyiebj.txt
06-10-03 12:27 4,710 ModemLog_Agere Systems AC'97 Modem.txt
06-10-03 12:27 3,866 ModemLog_Bluetooth Modem.txt
06-10-03 12:27 3,870 ModemLog_Bluetooth Fax Modem.txt
06-10-03 12:27 159 wiadebug.log
06-10-03 12:27 0 0.log
06-10-02 00:27 50 wiaservc.log
06-10-02 00:27 32,630 SchedLgU.Txt
06-09-26 16:19 249,759 FaxSetup.log
06-09-26 16:19 1,917 imsins.log
06-09-26 16:19 126,379 ocgen.log
06-09-26 16:19 8,612 ocmsn.log
06-09-26 16:19 11,785 msgsocm.log
06-09-26 16:19 88,779 comsetup.log
06-09-26 16:19 94,342 tsoc.log
06-09-26 16:19 52,160 ntdtcsetup.log
06-09-26 16:19 35,724 iis6.log
06-09-26 16:18 721,006 setupapi.log
06-09-26 15:49 1,406,332 WindowsUpdate.log
06-09-20 20:17 54,156 QTFont.qfn
06-09-18 20:11 2,904 mozver.dat
06-09-17 18:15 1,587 win.ini
06-08-27 13:39 75 USBBC.ini
06-08-13 17:34 24 tm.ini
06-08-13 16:58 0 tdf.dii

Verzeichnis von C:\

06-10-03 17:13 0 sys.txt
06-10-03 17:13 12,750 system.txt
06-10-03 17:13 127 systemtemp.txt
06-10-03 17:12 90,329 system32.txt
06-10-03 17:07 5,823 ComboFix.txt
06-10-03 17:06 1,479 rapport.txt
06-10-03 17:04 898 rapport2.txt
06-10-03 17:00 1,073,741,824 pagefile.sys
06-10-03 16:40 60,298 avenger.txt
06-10-03 16:39 1,080 nvymdqsp.bat
06-10-03 16:39 19,131 avexport.bat
06-10-03 16:28 354 errorlog.txt
06-10-03 16:28 11,192 rfqfamwo.txt
06-10-03 16:24 1,080 cibsjgjn.bat
06-10-03 16:22 1,080 gncpvrbo.bat
06-10-03 16:19 1,080 aunxeryn.bat
06-10-03 16:19 11,192 j4¨lydpinea.txt
06-10-03 16:15 1,080 ruosuaeu.bat
06-10-03 16:03 1,080 ooxepema.bat
06-10-03 16:03 126,976 zip.exe
06-10-03 15:41 5,594 avengerSkript.txt
06-10-03 12:46 12,383 ComboFix2.txt
06-10-03 12:23 15,833 ComboFix3.txt

#8 Avenger

Zitat

Files to delete:
C:\WINDOWS\system32\drivers\kbhhiiqw.sys
C:\nvymdqsp.bat
C:\WINDOWS\system32\drivers\hyasukwu.sys
C:\WINDOWS\system32\drivers\trnpnans.sys
C:\cibsjgjn.bat
C:\WINDOWS\system32\drivers\itcxfgnb.sys
C:\gncpvrbo.bat
C:\WINDOWS\system32\drivers\twfutbmw.sys
C:\aunxeryn.bat
C:\WINDOWS\system32\drivers\wvespspg.sys
C:\ruosuaeu.bat
C:\WINDOWS\system32\drivers\acrshhay.sys
C:\WINDOWS\system32\stt82.ini
C:\WINDOWS\system32\klgcptini.dat
C:\avexport.bat
C:\zip.exe
C:\ooxepema.bat
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\vascyxp.exe
C:\nvymdqsp.bat
C:\cibsjgjn.bat
C:\gncpvrbo.bat
C:\aunxeryn.bat
C:\j4¨lydpinea.txt
C:\ruosuaeu.bat
C:\ooxepema.bat

poste das log
http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei

----------

++
loesche alles, was im Avenger ist:- C:\Avenger\.....

**
leere den papierkorb


++
scanne und poste den report
http://virus-protect.org/cureit.html


++
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Hallo@Sabina,

vielen Dank für die schnellen Antworten.

Unten die Ausgaben von Avenger, Blacklight, Dr Web und F-Secure.

Der Scan hat nichts gefunden, Dr Web hingegen einiges, und F-Secure auch...

Beste Grüße,
Stefan


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wdmbftja

*******************

Script file located at: \??\C:\WINDOWS\vkaduebd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\kbhhiiqw.sys deleted successfully.
File C:\nvymdqsp.bat deleted successfully.
File C:\WINDOWS\system32\drivers\hyasukwu.sys deleted successfully.
File C:\WINDOWS\system32\drivers\trnpnans.sys deleted successfully.
File C:\cibsjgjn.bat deleted successfully.
File C:\WINDOWS\system32\drivers\itcxfgnb.sys deleted successfully.
File C:\gncpvrbo.bat deleted successfully.
File C:\WINDOWS\system32\drivers\twfutbmw.sys deleted successfully.
File C:\aunxeryn.bat deleted successfully.
File C:\WINDOWS\system32\drivers\wvespspg.sys deleted successfully.
File C:\ruosuaeu.bat deleted successfully.
File C:\WINDOWS\system32\drivers\acrshhay.sys deleted successfully.
File C:\WINDOWS\system32\stt82.ini deleted successfully.
File C:\WINDOWS\system32\klgcptini.dat deleted successfully.
File C:\avexport.bat deleted successfully.
File C:\zip.exe deleted successfully.
File C:\ooxepema.bat deleted successfully.
File C:\WINDOWS\system32\qz.dll deleted successfully.
File C:\WINDOWS\vascyxp.exe deleted successfully.


File C:\nvymdqsp.bat not found!
Deletion of file C:\nvymdqsp.bat failed!

Could not process line:
C:\nvymdqsp.bat
Status: 0xc0000034



File C:\cibsjgjn.bat not found!
Deletion of file C:\cibsjgjn.bat failed!

Could not process line:
C:\cibsjgjn.bat
Status: 0xc0000034



File C:\gncpvrbo.bat not found!
Deletion of file C:\gncpvrbo.bat failed!

Could not process line:
C:\gncpvrbo.bat
Status: 0xc0000034



File C:\aunxeryn.bat not found!
Deletion of file C:\aunxeryn.bat failed!

Could not process line:
C:\aunxeryn.bat
Status: 0xc0000034



File C:\j4¨lydpinea.txt not found!
Deletion of file C:\j4¨lydpinea.txt failed!

Could not process line:
C:\j4¨lydpinea.txt
Status: 0xc0000034



File C:\ruosuaeu.bat not found!
Deletion of file C:\ruosuaeu.bat failed!

Could not process line:
C:\ruosuaeu.bat
Status: 0xc0000034



File C:\ooxepema.bat not found!
Deletion of file C:\ooxepema.bat failed!

Could not process line:
C:\ooxepema.bat
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


10/03/06 18:40:20 [Info]: BlackLight Engine 1.0.47 initialized
10/03/06 18:40:20 [Info]: OS: 5.1 build 2600 (Service Pack 1)
10/03/06 18:40:21 [Note]: 7019 4
10/03/06 18:40:21 [Note]: 7005 0
10/03/06 18:40:34 [Note]: 7006 0
10/03/06 18:40:34 [Note]: 7011 216
10/03/06 18:40:34 [Note]: 7026 0
10/03/06 18:40:34 [Note]: 7026 0
10/03/06 18:40:37 [Note]: FSRAW library version 1.7.1020
10/03/06 18:40:47 [Note]: 2000 1012
10/03/06 18:40:47 [Note]: 2000 1012
10/03/06 18:42:06 [Note]: 7007 0





"INSTSRV.EXE;C:\SYSINFO\360DEGRE;Tool.InstSrv;;"
"SRVANY.EXE;C:\SYSINFO\360DEGRE;Program.SrvAny;;"
"FILE0009.CHK;C:\FOUND.005;Adware.DollarRevenue;;"
"FILE0013.CHK;C:\FOUND.005;Trojan.DownLoader.10660;Gelöscht.;"
"FILE0019.CHK;C:\FOUND.005;Trojan.DownLoader.10891;Nicht desinfizierbar.Verschoben.;"
"FILE0021.CHK;C:\FOUND.005;BackDoor.Haxdoor.290;Gelöscht.;"
"FILE0022.CHK;C:\FOUND.005;BackDoor.Haxdoor.290;Gelöscht.;"
"FILE0024.CHK;C:\FOUND.005;Adware.DollarRevenue;;"
"FILE0027.CHK;C:\FOUND.005;Adware.Give4Free;;"
"FILE0031.CHK;C:\FOUND.005;Adware.Give4Free;;"
"FILE0000.CHK\Javascript.1;C:\FOUND.009\FILE0000.CHK;Trojan.Click.1237;;"
"FILE0000.CHK;C:\FOUND.009;Archiv enthält infizierte Objekte;Verschoben.;"
"xfsp1res.dll;C:\WINDOWS\system32;Adware.Look2me;;"
"ib14.dll;C:\WINDOWS\system32;Trojan.PWS.Bancos.248;Gelöscht.;"
"wifiks.dll;C:\WINDOWS\system32;BackDoor.Haxdoor.290;Gelöscht.;"
"qz.sys;C:\WINDOWS\system32;BackDoor.Haxdoor.290;Gelöscht.;"
"~DF1EB6.tmp\Javascript.1;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\~DF1EB6.tmp;Trojan.Click.1237;;"
"~DF1EB6.tmp\Javascript.2;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\~DF1EB6.tmp;Trojan.Click.1237;;"
"~DF1EB6.tmp;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp;Archiv enthält infizierte Objekte;Verschoben.;"
"hng2[2].dat;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\WTIROXUR;Trojan.PWS.Snap;Gelöscht.;"
"em[1].ocx;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\CXURQTS7;Adware.MediaMotor;;"
"2236[1].exe;C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\CXURQTS7;Trojan.MulDrop.3299;Gelöscht.;"
"Process.exe;C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;;"
"restart.exe;C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;;"
"ibm00004.dll;C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders;Trojan.PWS.Snap;Gelöscht.;"
"ibm00005.dll;C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders;Trojan.PWS.Snap;Gelöscht.;"
"ibm00006.dll;C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders;Trojan.PWS.Snap;Gelöscht.;"
"uzwfm.exe;C:\Programme\Gemeinsame Dateien\uzwf;Adware.TargetServer;;"
"uzwfl.exe;C:\Programme\Gemeinsame Dateien\uzwf;Adware.TargetServer;;"
"uzwfa.exe;C:\Programme\Gemeinsame Dateien\uzwf;Trojan.DownLoader.5289;Gelöscht.;"
"uzwfp.exe;C:\Programme\Gemeinsame Dateien\uzwf;Adware.TargetServer;;"
"uzwfc.dll;C:\Programme\Gemeinsame Dateien\uzwf\uzwfd;Adware.TargetServer;;"
"vihyciqal.dll;C:\Programme\MSN;Adware.Dh;;"
"vimomugag.html\Javascript.0;C:\Programme\Windows Media Player\vimomugag.html;Trojan.Click.1237;;"
"vimomugag.html;C:\Programme\Windows Media Player;Archiv enthält infizierte Objekte;Verschoben.;"
"uninstall.exe;C:\Programme\BHO Plugin;Adware.Give4Free;;"
"plugin.dll;C:\Programme\BHO Plugin;Adware.Give4Free;;"
"ikdcqm.exe.qoo;C:\QooBox;Trojan.Qoologic;Gelöscht.;"
"nhrfc.dat.qoo;C:\QooBox;Trojan.Qoologic;Gelöscht.;"
"yttgp.exe.qoo;C:\QooBox;Trojan.Qoologic;Gelöscht.;"
"orcchun.dll.qoo;C:\QooBox;Trojan.Qoologic;Gelöscht.;"
"jobkbsc.exe.qoo;C:\QooBox;Trojan.Qoologic;Gelöscht.;"







Scanning Report


Tuesday, October 03, 2006 20:01:59 - 20:34:55

Computer name: ACER-BFR
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

------------------------------------------------------------------------


Result: 29 malware found

Adware.AdMedia
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Adware.AdMedia&orig='disk'>
(spyware)

* System (Disinfected)

Adware.SearchingAll
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Adware.SearchingAll&orig='di

sk'>
(spyware)

* System (Disinfected)

DyFuCA
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=DyFuCA&orig='disk'>
(spyware)

* System (Disinfected)

MediaMotor
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=MediaMotor&orig='disk'>
(spyware)

* System

Possible Browser Hijack attempt
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Possible
Browser Hijack attempt&orig='disk'> (spyware)

* System (Disinfected)

Stealth_file
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?type=Stealth_file&filename=C:\

WINDOWS\SYSTEM32\LZX32.SYS&orig='disk'>
(hidden item)

* C:\WINDOWS\SYSTEM32\LZX32.SYS

Tracking Cookie
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Tracking
Cookie&orig='disk'> (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System

Trojan-Clicker.HTML.Agent.a
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Clicker.HTML.Agent.a&

orig='disk'>
(virus)

* C:\DOKUMENTE UND EINSTELLUNGEN\BARBARA\LOKALE
EINSTELLUNGEN\TEMPORARY INTERNET
FILES\CONTENT.IE5\S5EDYFCL\POPUP[1].HTML

Trojan-Clicker.Win32.Small.ja
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Clicker.Win32.Small.j

a&orig='disk'>
(virus)

* C:\PROGRAMME\BHO PLUGIN\UNINSTALL.EXE (Renamed)
* C:\PROGRAMME\BHO PLUGIN\PLUGIN.DLL (Renamed)

Trojan-Downloader.Win32.PurityScan.co
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.Puri

tyScan.co&orig='disk'>
(virus)

* C:\DOKUMENTE UND EINSTELLUNGEN\BARBARA
\ANWENDUNGSDATEN\?DOBE\MSDTC.EXE
* C:\DOKUMENTE UND EINSTELLUNGEN\BARBARA\LOKALE
EINSTELLUNGEN\TEMP\!UPDATE.EXE (Renamed)

Trojan-Downloader.Win32.Small.ctp
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.Smal

l.ctp&orig='disk'>
(virus)

* C:\PROGRAMME\MSN\VIHYCIQAL.DLL (Renamed)

Trojan-Downloader.Win32.TSUpdate.f
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.TSUp

date.f&orig='disk'>
(virus)

* C:\PROGRAMME\GEMEINSAME DATEIEN\UZWF\UZWFP.EXE (Renamed)

Trojan-Downloader.Win32.TSUpdate.n
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.TSUp

date.n&orig='disk'>
(virus)

* C:\PROGRAMME\GEMEINSAME DATEIEN\UZWF\UZWFM.EXE (Renamed)

Trojan-Downloader.Win32.TSUpdate.p
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.TSUp

date.p&orig='disk'>
(virus)

* C:\PROGRAMME\GEMEINSAME DATEIEN\UZWF\UZWFL.EXE (Renamed)

Trojan-Dropper.Win32.VB.dq
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Dropper.Win32.VB.dq&o

rig='disk'>
(virus)

* C:\DOKUMENTE UND EINSTELLUNGEN\BARBARA\LOKALE
EINSTELLUNGEN\TEMP\TEMPORARY INTERNET
FILES\CONTENT.IE5\CXURQTS7\EM[1].OCX (Renamed)

Win32.Trojan.Downloader
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Win32.Trojan.Downloader&orig

='disk'>
(spyware)

* System (Disinfected)

Win32.TrojanSpy.Banker
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Win32.TrojanSpy.Banker&orig=

'disk'>
(spyware)

* System (Disinfected)

Windows
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Windows&orig='disk'>
(spyware)

* System (Disinfected)

------------------------------------------------------------------------


Statistics

Scanned:

* Files: 19790
* System: 4357
* Not scanned: 2

Actions:

* Disinfected: 8
* Renamed: 8
* Deleted: 0
* None: 13
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

------------------------------------------------------------------------


Options

Scanning engines:

* F-Secure AVP: 6.0.171, 2006-10-03
* F-Secure Libra: 2.4.1, 2006-09-29
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Orion: 1.2.37, 2006-10-03
* F-Secure Pegasus: 1.19.0, 2006-08-29
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM
ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK
WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML
PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

#10 Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\Programme\Windows Media Player" >>files.txt
dir "C:\Programme\WindowsUpdate" >>files.txt
dir "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders" >>files.txt
dir "C:\Windows\System32\Com" >>files.txt
dir "C:\WINDOWS\system32\components" >>files.txt
dir "C:\WINDOWS\Downloaded Program Files" >>files.txt
dir "C:\Programme\Common Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Eigene Dateien" >>files.txt
dir "C:\Program Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temp" >>files.txt
dir "C:\WINDOWS\Temp" >>files.txt
dir "C:\Temp" >>files.txt
dir "C:\Programme" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten" >>files.txt
dir "C:\Programme\Gemeinsame Dateien" >>files.txt
dir "C:Windows\tasks" >>files.txt
notepad files.txt

__________
MfG Sabina

rund um die PC-Sicherheit

#11 GutenAbend@Sabina:

Verzeichnis von C:\Programme\Windows Media Player

24.03.2003 16:50 <DIR> .
24.03.2003 16:50 <DIR> ..
29.08.2002 12:00 4.639 mplayer2.exe
29.08.2002 12:00 364.544 npdsplay.dll
29.08.2002 12:00 8.223 npwmsdrm.dll
29.08.2002 12:00 157.696 npdrmv2.dll
29.08.2002 12:00 225.280 setup_wm.exe
29.08.2002 12:00 520.192 wmpvis.dll
29.08.2002 12:00 294.912 dlimport.exe
29.08.2002 12:00 22.060 npds.zip
29.08.2002 12:00 403 npdrmv2.zip
24.03.2003 16:52 <DIR> Skins
29.08.2002 12:00 18.488 music.bmp
24.03.2003 16:54 <DIR> Visualizations
11.04.2003 15:11 520.192 wmplayer.exe
11 Datei(en) 2.136.629 Bytes
4 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Programme\WindowsUpdate

24.03.2003 16:50 <DIR> .
24.03.2003 16:50 <DIR> ..
04.08.2004 20:35 <DIR> V4
0 Datei(en) 0 Bytes
3 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders

24.03.2003 17:05 <DIR> .
24.03.2003 17:05 <DIR> ..
19.05.2001 08:57 561.209 MSONSEXT.DLL
19.03.1999 22:46 127.032 MSOWS407.DLL
04.06.1999 15:09 122.937 MSOWS409.DLL
18.03.1999 06:37 593.977 RAGENT.DLL
4 Datei(en) 1.405.155 Bytes
2 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Windows\System32\Com

24.03.2003 16:50 <DIR> .
24.03.2003 16:50 <DIR> ..
29.08.2002 12:00 77.348 comexp.msc
29.08.2002 12:00 61.440 comempty.dat
29.08.2002 12:00 5.120 comrereg.exe
29.08.2002 12:00 19.456 mtsadmin.tlb
29.08.2002 12:00 186.880 comadmin.dll
29.08.2002 12:00 8.192 comrepl.exe
6 Datei(en) 358.436 Bytes
2 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\WINDOWS\system32


Verzeichnis von C:\WINDOWS\Downloaded Program Files

24.03.2003 16:53 <DIR> .
24.03.2003 16:53 <DIR> ..
14.10.1997 18:52 697 DirectAnimation Java Classes.osd
27.10.2002 19:32 3.036 wmv9dmo.inf
09.10.2003 10:32 144 QTPlugin.inf
17.10.2004 16:04 9.890.762 QuickTimeInstallCache.qdat
27.08.2005 13:30 5.065 swflash.inf
30.06.2003 22:41 1.689 WMV9VCM.inf
28.04.2006 13:44 454.656 hyplug.ocx
28.04.2006 13:44 243 hyplug.inf
03.05.2006 03:57 876 jinstall-1_5_0_07.inf
20.01.2000 15:25 1.162 Microsoft XML Parser for Java.osd
29.06.2004 11:34 147.456 FileUploader.dll
29.06.2004 11:35 373 FileUploader.inf
25.06.2003 19:00 541 ca.pub
17.01.2006 17:11 580.663 daas_s.dll
03.02.2006 11:20 188.416 fsauc.dll
16.06.2006 15:31 181.856 fscax.dll
15.06.2006 10:19 483 fscax.inf
17 Datei(en) 11.458.118 Bytes
2 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Programme\Common Files

21.08.2004 10:37 <DIR> .
21.08.2004 10:37 <DIR> ..
21.08.2004 10:37 <DIR> System
0 Datei(en) 0 Bytes
3 Verzeichnis(se), 40.823.062.528 Bytes frei

Verzeichnis von C:\Dokumente und Einstellungen\Barbara

25.04.2004 03:03 <DIR> .
25.04.2004 03:03 <DIR> ..
24.03.2003 17:27 <DIR> WINDOWS
25.04.2004 03:03 <DIR> Eigene Dateien
24.03.2003 16:46 <DIR> Startmen�
25.04.2004 03:03 <DIR> Favoriten
25.04.2004 03:03 <DIR> Desktop
25.04.2004 03:05 <DIR> Bluetooth Software
06.06.2006 15:34 <DIR> OngameNetwork
26.09.2006 14:43 <DIR> .limewire
26.09.2006 14:53 <DIR> Incomplete
03.10.2006 19:05 <DIR> DoctorWeb
0 Datei(en) 0 Bytes
12 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Barbara\Eigene Dateien

25.04.2004 03:03 <DIR> .
25.04.2004 03:03 <DIR> ..
25.04.2004 03:03 <DIR> Eigene Bilder
25.04.2004 03:03 <DIR> Eigene Musik
24.03.2003 17:27 <DIR> My eBooks
25.04.2004 03:05 <DIR> Bluetooth Exchange Folder
18.08.2004 12:03 <DIR> Eigene Videos
24.01.2006 09:08 <DIR> Meine empfangenen Dateien
26.09.2006 14:54 <DIR> Incomplete
26.09.2006 15:46 <DIR> M?crosoft
0 Datei(en) 0 Bytes
10 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Program Files

15.05.2004 15:26 <DIR> .
15.05.2004 15:26 <DIR> ..
15.05.2004 15:26 <DIR> InterActual
23.07.2004 18:25 <DIR> FUJIFILM
0 Datei(en) 0 Bytes
4 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp

25.04.2004 03:03 <DIR> .
25.04.2004 03:03 <DIR> ..
26.09.2006 15:47 <DIR> Oaoo
0 Datei(en) 0 Bytes
3 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\WINDOWS\Temp

24.03.2003 16:43 <DIR> .
24.03.2003 16:43 <DIR> ..
04.10.2006 00:43 0 T30DebugLogFile.txt
1 Datei(en) 0 Bytes
2 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\


Verzeichnis von C:\Programme

24.03.2003 16:46 <DIR> .
24.03.2003 16:46 <DIR> ..
24.03.2003 16:46 <DIR> Gemeinsame Dateien
24.03.2003 16:50 <DIR> Windows NT
24.03.2003 16:50 <DIR> MSN
24.03.2003 16:50 <DIR> MSN Gaming Zone
24.03.2003 16:50 <DIR> Messenger
24.03.2003 16:50 <DIR> Windows Media Player
24.03.2003 16:50 <DIR> Online Services
24.03.2003 16:51 <DIR> ComPlus Applications
24.03.2003 16:51 <DIR> Internet Explorer
24.03.2003 16:51 <DIR> Outlook Express
24.03.2003 16:52 <DIR> NetMeeting
24.03.2003 16:52 <DIR> Movie Maker
24.03.2003 16:52 <DIR> Online-Dienste
24.03.2003 16:54 <DIR> microsoft frontpage
24.03.2003 16:54 <DIR> xerox
24.03.2003 17:02 <DIR> Intel
24.03.2003 17:06 <DIR> ATI Technologies
24.03.2003 17:09 <DIR> AvRack
24.03.2003 17:09 <DIR> Realtek Sound Manager
24.03.2003 17:24 <DIR> TravelMate 800 screensaver
24.03.2003 17:25 <DIR> Synaptics
24.03.2003 17:26 <DIR> Acer Inc
24.03.2003 17:26 <DIR> Launch Manager
24.03.2003 17:27 <DIR> Adobe
24.03.2003 17:27 <DIR> NewTech Infosystems
24.03.2003 17:29 <DIR> CyberLink
24.03.2003 17:29 <DIR> Acer
25.04.2004 03:04 <DIR> WIDCOMM
25.04.2004 21:40 <DIR> Ligos
26.04.2004 21:22 <DIR> Macromedia
26.04.2004 21:55 <DIR> Canon
27.04.2004 21:16 <DIR> iPhoto Plus 4
28.04.2004 18:26 <DIR> Microsoft Office
28.04.2004 18:34 <DIR> Microsoft Nachschlagewerke
28.04.2004 18:40 <DIR> Steinberg
01.05.2004 18:12 <DIR> PC-Linq
31.05.2004 16:22 <DIR> AOL 8.0
31.05.2004 16:23 <DIR> Real
31.05.2004 16:23 <DIR> Nullsoft
31.05.2004 16:23 <DIR> Viewpoint
31.05.2004 18:14 <DIR> T-DSL SpeedManager
30.07.2004 09:21 2.610.547 Setup.exe
03.08.2004 19:42 <DIR> AOL Connect
04.08.2004 13:45 <DIR> F-Secure Internet Security
18.08.2004 21:53 <DIR> Backgammon
21.08.2004 10:37 <DIR> Common Files
17.10.2004 16:01 <DIR> QuickTime
12.02.2005 21:08 <DIR> Core Design
25.05.2005 22:50 <DIR> directx
25.05.2005 22:51 <DIR> GameSpy Arcade
09.10.2005 13:56 <DIR> Google
12.01.2006 11:38 <DIR> @Last Software
18.01.2006 12:59 <DIR> MSN Messenger
18.01.2006 16:15 <DIR> xp-AntiSpy
18.01.2006 16:17 <DIR> Lavasoft
26.01.2006 17:30 <DIR> Skype
23.05.2006 13:22 <DIR> PartyGaming
05.06.2006 14:08 <DIR> Buhl finance
05.06.2006 14:10 <DIR> fun communications GmbH
06.06.2006 15:31 <DIR> Java
06.06.2006 17:58 <DIR> Eidos
18.09.2006 14:01 <DIR> Mozilla Firefox
26.09.2006 14:52 <DIR> LimeWire
27.09.2006 22:51 <DIR> Hijackthis
02.10.2006 00:21 <DIR> CleanUp!
23.01.2006 15:36 429 datFind.bat
2 Datei(en) 2.610.976 Bytes
66 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Anwendungsdaten

25.04.2004 03:03 <DIR> .
25.04.2004 03:03 <DIR> ..
24.03.2003 16:56 <DIR> Microsoft
24.03.2003 17:08 <DIR> Help
24.03.2003 18:07 <DIR> ApplicationHistory
31.05.2004 18:16 147 fusioncache.dat
02.07.2004 22:58 <DIR> Identities
26.09.2006 14:17 92.160 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
01.08.2006 19:16 38.752 GDIPFONTCACHEV1.DAT
26.05.2006 21:57 <DIR> Adobe
06.06.2006 15:32 <DIR> Google
18.09.2006 14:01 <DIR> Mozilla
3 Datei(en) 131.059 Bytes
9 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Barbara\Anwendungsdaten

25.04.2004 03:03 <DIR> .
25.04.2004 03:03 <DIR> ..
24.03.2003 17:05 <DIR> Identities
24.03.2003 17:08 <DIR> Help
24.03.2003 17:27 <DIR> InterTrust
26.04.2004 14:05 <DIR> MSN6
27.04.2004 20:30 <DIR> Macromedia
27.04.2004 20:51 <DIR> Adobe
30.04.2004 20:21 <DIR> Microsoft Web Folders
09.10.2005 13:56 <DIR> Google
18.01.2006 16:17 <DIR> Lavasoft
26.01.2006 17:15 <DIR> Skype
05.06.2006 14:13 <DIR> Buhl Data Service GmbH
06.06.2006 15:32 <DIR> Sun
19.06.2006 23:06 <DIR> AdobeUM
18.09.2006 14:01 <DIR> Mozilla
26.09.2006 15:46 1.516.179 Install.dat
26.09.2006 15:52 <DIR> ?asks
03.10.2006 20:09 <DIR> ?dobe
1 Datei(en) 1.516.179 Bytes
18 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten

24.03.2003 16:46 <DIR> .
24.03.2003 16:46 <DIR> ..
24.03.2003 17:29 <DIR> CyberLink
26.04.2004 14:05 <DIR> MSN6
27.04.2004 20:29 <DIR> Macromedia
17.10.2004 16:02 <DIR> QuickTime
26.01.2006 17:15 <DIR> Skype
26.05.2006 21:55 <DIR> Adobe
05.06.2006 14:10 <DIR> Buhl Data Service GmbH
05.06.2006 14:10 <DIR> fun communications
0 Datei(en) 0 Bytes
10 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Programme\Gemeinsame Dateien

24.03.2003 16:46 <DIR> .
24.03.2003 16:46 <DIR> ..
24.03.2003 16:46 <DIR> Microsoft Shared
24.03.2003 16:46 <DIR> SpeechEngines
24.03.2003 16:46 <DIR> ODBC
24.03.2003 16:51 <DIR> System
24.03.2003 16:52 <DIR> MSSoap
24.03.2003 16:52 <DIR> Dienste
24.03.2003 16:57 <DIR> InstallShield
24.03.2003 17:27 <DIR> Adobe
26.04.2004 21:22 <DIR> Macromedia
30.04.2004 20:22 <DIR> Designer
31.05.2004 16:22 <DIR> aolshare
31.05.2004 16:22 <DIR> aol
31.05.2004 16:23 <DIR> Real
31.05.2004 16:23 <DIR> aolback
28.04.2006 13:44 <DIR> Hypnotizer
05.06.2006 14:09 <DIR> Buhl Data Service
05.06.2006 14:09 <DIR> BDElster
06.06.2006 15:31 <DIR> Java
26.09.2006 15:02 <DIR> uzwf
0 Datei(en) 0 Bytes
21 Verzeichnis(se), 40.823.062.528 Bytes frei


Verzeichnis von C:\Windows\tasks

24.03.2003 16:52 <DIR> .
24.03.2003 16:52 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 40.823.062.528 Bytes frei

Verzeichnis von C:\Dokumente und Einstellungen\Administrator

06-09-27 22:48 <DIR> .
06-09-27 22:48 <DIR> ..
03-03-24 17:27 <DIR> WINDOWS
03-03-24 17:05 <DIR> Eigene Dateien
03-03-24 16:46 <DIR> Startmen�
03-03-24 17:05 <DIR> Favoriten
03-03-24 16:46 <DIR> Desktop
0 Datei(en) 0 Bytes
7 Verzeichnis(se), 40,825,520,128 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Administrator\Eigene Dateien

06-09-27 22:48 <DIR> .
06-09-27 22:48 <DIR> ..
03-03-24 17:05 <DIR> Eigene Bilder
03-03-24 17:05 <DIR> Eigene Musik
03-03-24 17:27 <DIR> My eBooks
0 Datei(en) 0 Bytes
5 Verzeichnis(se), 40,825,520,128 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp

06-09-27 22:48 <DIR> .
06-09-27 22:48 <DIR> ..
06-10-03 16:55 <DIR> BTN%Copy%1
06-10-03 17:38 910 logfile.txt
1 Datei(en) 910 Bytes
3 Verzeichnis(se), 40,825,520,128 Bytes frei


Verzeichnis von C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten

06-09-27 22:48 <DIR> .
06-09-27 22:48 <DIR> ..
03-03-24 16:56 <DIR> Microsoft
03-03-24 17:08 <DIR> Help
03-03-24 18:07 <DIR> ApplicationHistory
03-03-24 18:11 141 fusioncache.dat
06-10-02 00:50 <DIR> Mozilla
1 Datei(en) 141 Bytes
6 Verzeichnis(se), 40,825,520,128 Bytes frei

Verzeichnis von C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten

06-09-27 22:48 <DIR> .
06-09-27 22:48 <DIR> ..
03-03-24 17:05 <DIR> Identities
03-03-24 17:08 <DIR> Help
03-03-24 17:27 <DIR> InterTrust
06-10-02 00:50 <DIR> Mozilla
0 Datei(en) 0 Bytes
6 Verzeichnis(se), 40,825,520,128 Bytes frei

#12 0.
http://virus-protect.org/invisible.html
Versteckte- und Systemdateien sichtbar machen

1.
C:\Dokumente und Einstellungen\Barbara\Eigene Dateien
26.09.2006 15:46 - M?crosoft

das ist der purityscan, das Fragezeichen erscheint nur hier, in Wirklichkeit sind es mehrere kryptische Zeichen. Deshalb kann ich es nicht in den Avenger packen. Du musst manuell loeschen..im abgesicherten modus !
loesche M.....crosoft vom 26.09.2006

ebenfalls Purityscan-Trojaner:

C:\Dokumente und Einstellungen\Barbara\Anwendungsdaten
26.09.2006 15:52 - ?asks - loeschen ......asks
03.10.2006 20:09 - ?dobe - loeschen .....dobe

2.
avenger

Zitat

Folders to delete:
C:\Programme\Gemeinsame Dateien\uzwf
C:\Programme\PartyGaming
C:\Programme\fun communications GmbH
C:\Programme\PSDream

3.
scanne und poste den scanreport
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ohjjonsm

*******************

Script file located at: \??\C:\Program Files\tkbvoiyy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Programme\Gemeinsame Dateien\uzwf deleted successfully.
Folder C:\Programme\PartyGaming deleted successfully.
Folder C:\Programme\fun communications GmbH deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 01:05:55 05.10.2006

+ Scan-Ergebnis:



HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\BraveSentry -> Adware.Bravesentry : Gesäubert.
HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\BraveSentry\IE Security -> Adware.Bravesentry : Gesäubert.
HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\BraveSentry\Scan -> Adware.Bravesentry : Gesäubert.
HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\BraveSentry\System Security -> Adware.Bravesentry : Gesäubert.
HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\BraveSentry\Updates -> Adware.Bravesentry : Gesäubert.
HKU\S-1-5-21-3376078148-2935130677-2106517767-1005\Software\Microsoft\Windows\CurrentVersion\Run\\BraveSentry -> Adware.Bravesentry : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Startmenü\Programme\UCmore - The Search Accelerator -> Adware.Ucmore : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Startmenü\Programme\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Startmenü\Programme\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Startmenü\Programme\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore : Gesäubert.
C:\Programme\AOL Connect\aolbrowser.exe -> Heuristic.Win32.Dialer : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\DoctorWeb\Quarantine\FILE0000.CHK -> Hijacker.Small.jf : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\DoctorWeb\Quarantine\vimomugag.html -> Hijacker.Small.jf : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\DoctorWeb\Quarantine\~DF1EB6.tmp -> Hijacker.Small.jf : Gesäubert.
:mozilla.10:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kjzje431.default\cookies.txt -> TrackingCookie.Cpvfeed : Gesäubert.
:mozilla.11:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kjzje431.default\cookies.txt -> TrackingCookie.Cpvfeed : Gesäubert.
:mozilla.13:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kjzje431.default\cookies.txt -> TrackingCookie.Cpvfeed : Gesäubert.
:mozilla.9:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kjzje431.default\cookies.txt -> TrackingCookie.Cpvfeed : Gesäubert.
:mozilla.12:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kjzje431.default\cookies.txt -> TrackingCookie.Mediaplex : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Advanced statistics.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Contact Us.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Demonoid Opens Registration during the Weekends.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Firefox plugin.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\New layout.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Recover password.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Register Now.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Server Move.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Using BitTorrent Without a PC.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\Zinoku BitTorrent Site Dedicated to Magazines.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\company of heroes.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\desperate housewives.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\family guy.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\fifa 07.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\fifa 2007.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\grey s anatomy.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\greys anatomy.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\jackass 2.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\just cause.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\justin timberlake.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\miami vice.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\nhl 07.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\nip tuck.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\prison break.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\scissor sisters.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\stargate atlantis.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\step up.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\the killers.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\the office.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\windows xp.zip/Setup.exe -> Worm.VB.dw : Gesäubert.
C:\Dokumente und Einstellungen\Barbara\Complete\world trade center.zip/Setup.exe -> Worm.VB.dw : Gesäubert.


::Berichtende



Im abgesicherten Modus:

---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 07:41 06-10-05

+ Scan-Ergebnis:



Keine Bedrohung gefunden.



::Berichtende

#14 selten sehe ich einen anfangs so verseuchten Rechner ich weiss nicht, wie du das geschafft hast

Avenger

Zitat

Files to delete:
C:\Dokumente und Einstellungen\Barbara\Anwendungsdaten\Install.dat

Folders to delete:
C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\Oaoo
C:\Dokumente und Einstellungen\Barbara\.limewire
C:\Dokumente und Einstellungen\Barbara\Incomplete
C:\Programme\LimeWire

1.) poste noch mal das log von HijackThis
2.) poste noch mal das log von Combofix
3.) poste noch mal die logs von datfindbat
__________
MfG Sabina

rund um die PC-Sicherheit

#15

Zitat

selten sehe ich einen anfangs so verseuchten Rechner ich weiss nicht, wie du das geschafft hast

ich weiß - mein Nachbar bekommt was zu hören...

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tbvrqwmo

*******************

Script file located at: \??\C:\jbblxvdp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Dokumente und Einstellungen\Barbara\Anwendungsdaten\Install.dat deleted successfully.
Folder C:\Dokumente und Einstellungen\Barbara\Lokale Einstellungen\Temp\Oaoo deleted successfully.
Folder C:\Dokumente und Einstellungen\Barbara\.limewire deleted successfully.
Folder C:\Dokumente und Einstellungen\Barbara\Incomplete deleted successfully.


Folder C:\Programme\LimeWire not found!
Deletion of folder C:\Programme\LimeWire failed!

Could not process line:
C:\Programme\LimeWire
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.





Logfile of HijackThis v1.99.1
Scan saved at 20:23, on 06-10-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cfnqeboe] C:\ooxepema.bat
O4 - HKLM\..\Run: [noqwonqn] C:\ruosuaeu.bat
O4 - HKLM\..\Run: [hjhafoun] C:\aunxeryn.bat
O4 - HKLM\..\Run: [xhmbrmmg] C:\gncpvrbo.bat
O4 - HKLM\..\Run: [doqfvwtj] C:\cibsjgjn.bat
O4 - HKLM\..\Run: [vlwnsnud] C:\nvymdqsp.bat
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ubaehavm] C:\pqroromh.bat
O4 - HKLM\..\Run: [tyekljpt] C:\knglhdpe.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040428/qtinstall.info.apple.com/saba/de/win/QuickTimeInstaller.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.de/app/uploader/FileUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: e1.dll dpmomspr.dll dminupnp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\fswsclds.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





Administrator - 06-10-05 20:25:15.96 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Programme\SKS~1
C:\QooBox\Purity\Programme\SKS~1\ç?sks


((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-10-05 20:17 60,416 --a------ C:\WINDOWS\system32\drivers\wgunwcbq.sys
2006-10-05 20:17 1,080 --a------ C:\knglhdpe.bat
2006-10-05 19:39 60,416 --a------ C:\WINDOWS\system32\drivers\dqhkmydr.sys
2006-10-05 19:39 126,976 --a------ C:\zip.exe
2006-10-05 19:39 1,080 --a------ C:\pqroromh.bat
2006-10-05 00:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-03 19:05 5,025,645 --------- C:\drweb-cureit.exe
2006-10-03 16:17 130,048 --a------ C:\avenger.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

[COLOR=RED]Rootkit driver pe386 is present. A rootkit scan is required[/COLOR]

2006-10-05 00:45 -------- d-------- C:\Programme\Grisoft
2006-10-02 00:50 -------- d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla
2006-10-02 00:21 -------- d-------- C:\Programme\CleanUp!
2006-09-27 22:51 -------- d-------- C:\Programme\Hijackthis


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"LManager"="C:\\Programme\\Launch Manager\\QtZgAcer.EXE"
"AcerNotebookManager"=""
@=""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"cfnqeboe"="C:\\ooxepema.bat"
"noqwonqn"="C:\\ruosuaeu.bat"
"hjhafoun"="C:\\aunxeryn.bat"
"xhmbrmmg"="C:\\gncpvrbo.bat"
"doqfvwtj"="C:\\cibsjgjn.bat"
"vlwnsnud"="C:\\nvymdqsp.bat"
"!AVG Anti-Spyware"="\"C:\\Programme\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ubaehavm"="C:\\pqroromh.bat"
"tyekljpt"="C:\\knglhdpe.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 06-10-05 20:25:29.18
ComboFix3.txt
ComboFix2.txt
ComboFix.txt



Verzeichnis von C:\WINDOWS\system32

06-10-03 20:18 9,158 TitanPokerIconDropTRA107.ico
06-10-03 16:15 11,192 xijtgulq.txt
06-10-03 10:01 1,158 wpa.dbl
06-09-27 22:10 203,328 FNTCACHE.DAT


Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

Verzeichnis von C:\WINDOWS

06-10-05 20:29 8,969,868 ntbtlog.txt
06-10-05 20:18 2,048 bootstat.dat
06-10-05 19:35 216 wiadebug.log
06-10-05 19:35 32,630 SchedLgU.Txt
06-10-05 19:35 50 wiaservc.log
06-10-05 19:34 6,092 ModemLog_Bluetooth Modem.txt
06-10-05 19:34 6,096 ModemLog_Bluetooth Fax Modem.txt
06-10-05 19:34 4,710 ModemLog_Agere Systems AC'97 Modem.txt
06-10-05 19:34 0 0.log
06-10-04 00:03 724,090 setupapi.log
06-10-03 17:03 223,841 setupact.log
06-10-03 16:22 11,192 errxbhrd.txt
06-10-03 16:03 11,192 lmiyiebj.txt
06-09-26 16:19 94,342 tsoc.log
06-09-26 16:19 1,917 imsins.log
06-09-26 16:19 126,379 ocgen.log
06-09-26 16:19 8,612 ocmsn.log
06-09-26 16:19 11,785 msgsocm.log
06-09-26 16:19 249,759 FaxSetup.log
06-09-26 16:19 35,724 iis6.log
06-09-26 16:19 52,160 ntdtcsetup.log
06-09-26 16:19 88,779 comsetup.log
06-09-26 15:49 1,406,332 WindowsUpdate.log
06-09-20 20:17 54,156 QTFont.qfn
06-09-18 20:11 2,904 mozver.dat
06-09-17 18:15 1,587 win.ini
06-08-27 13:39 75 USBBC.ini
06-08-13 17:34 24 tm.ini
06-08-13 16:58 0 tdf.dii

Verzeichnis von C:\

06-10-05 20:30 0 sys.txt
06-10-05 20:30 12,703 system.txt
06-10-05 20:29 127 systemtemp.txt
06-10-05 20:28 90,077 system32.txt
06-10-05 20:25 5,308 ComboFix.txt
06-10-05 20:21 41,416 files.txt
06-10-05 20:18 1,073,741,824 pagefile.sys
06-10-05 20:18 2,488 avenger.txt
06-10-05 20:17 1,080 knglhdpe.bat
06-10-05 20:15 468 errorlog.txt
06-10-05 19:39 1,080 pqroromh.bat
06-10-05 19:39 126,976 zip.exe
06-10-05 19:34 3,396 avenger1.txt
06-10-03 18:49 5,025,645 drweb-cureit.exe
06-10-03 18:18 1,366 ihghesup.txt
06-10-03 18:02 681 avengerSkript.txt
06-10-03 17:07 5,823 ComboFix2.txt
06-10-03 17:06 1,479 rapport.txt
06-10-03 17:04 898 rapport2.txt
06-10-03 16:28 11,192 rfqfamwo.txt
06-10-03 16:19 11,192 j4¨lydpinea.txt
06-10-03 12:46 12,383 ComboFix3.txt