Malware - ErrorCleaner PrivacyProtection Spyware&Malware Protection

#0
23.03.2008, 16:17
Member
Posts: 12

#2
23.03.2008, 17:28
Honorary member
Posts: 29434

MacTac

1. Run SmitfraudFix, option 2, and post the report: http://www.virus-protect.org/artikel/tools/smitfrautfix.html

2. Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the Desktop as cfscript.txt using "Save as". Set the file type to "All files" and save.

Quote:
KILLALL::

You should now find the file cfscript.txt on the Desktop. Drag cfscript.txt with the right mouse button onto the ComboFix icon.

Then: run ComboFix once more, restart the PC, and post the new ComboFix log.

__________
Regards, Sabina
All about PC security
#3
24.03.2008, 15:10
Member
Thread starter
Posts: 12

Hello Sabina,

I proceeded as you described. During ComboFix my Norton AntiVirus kicked in and wanted to block some scripts. Since my computer then hung, I was not able to allow all of the scripts Norton reported. I then closed the Norton window with Task Manager. I hope ComboFix still ran correctly. Here are the logs from SmitfraudFix and ComboFix:

SmitFraudFix v2.307

Scan done at 12:50:10,20, 24.03.2008
Run from C:\My Downloads\Malware 23.03.2008\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

Error while deleting C:\WINDOWS\drnpfdxwrs.dll.
C:\WINDOWS\bokpkov.dll deleted.
C:\WINDOWS\altvxvm.dll deleted.
C:\WINDOWS\Installer\{e36eaa6b-0ce9-4fed-8ebb-80c7e96f68f8}\AvpSrv.dll deleted
C:\WINDOWS\Installer\{b75ded30-81c9-4b40-8501-f91cb82a17c1}\zip.dll deleted

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\tmp???????.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: MAC Bridge Miniport - Packet Scheduler Miniport
DNS Server Search Order: 141.83.200.101
DNS Server Search Order: 141.83.200.105

Description: D-Link AirPlus Xtreme G DWL-G132 Wireless USB Adapter(rev.A) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2165B789-EA1A-43B4-BA60-13E591287AE6}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3EF0125-179C-4454-B042-813FE18F7F60}: DhcpNameServer=141.83.200.101 141.83.200.105
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2165B789-EA1A-43B4-BA60-13E591287AE6}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3EF0125-179C-4454-B042-813FE18F7F60}: DhcpNameServer=141.83.200.101 141.83.200.105
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2165B789-EA1A-43B4-BA60-13E591287AE6}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3EF0125-179C-4454-B042-813FE18F7F60}: DhcpNameServer=141.83.200.101 141.83.200.105
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ComboFix 08-03-22.3 - Olaf 2008-03-24 13:09:19.2 - NTFSx86
Running from: C:\My Downloads\Malware 23.03.2008\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

-- Other TimeOuts --

Findstr -MIF:/ sursen
CF31308.exe /c cscript.exe //nologo SvcDrv.vbs
cscript.exe //nologo SvcDrv.vbs
"C:\Program Files\Symantec\LiveUpdate\AUpdate.exe"
CF31308.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"
CF31308.exe /c cscript.exe //nologo SvcDrv.vbs
cscript.exe //nologo SvcDrv.vbs
CF31308.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
CF31308.exe /c cscript.exe //nologo SvcDrv.vbs
cscript.exe //nologo SvcDrv.vbs
CF31308.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\rs.txt
.

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.
2008-03-24 12:48 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 12:48 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 12:48 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 12:48 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 12:48 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-24 12:48 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 12:48 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-16 10:14 . 2008-03-16 05:50 270,336 --a------ C:\WINDOWS\drnpfdxwrs.dll
2008-03-16 10:14 . 2008-03-16 05:50 176,128 --------- C:\WINDOWS\etlrlws.dll_tobedeleted
2008-03-16 10:14 . 2008-03-16 05:50 98,304 --a------ C:\WINDOWS\fmsxwqs.exe
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 13:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-24 11:50 3,948 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-17 18:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 08:47 --------- d-----w C:\Program Files\PokerStars
2008-03-13 20:13 --------- d-----w C:\Program Files\Trillian
2008-02-13 21:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 21:18 --------- d-----w C:\Program Files\ElsterFormular
2008-02-12 19:50 --------- d-----w C:\Program Files\BitTorrent
1998-02-11 01:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34D7198C-3B26-4434-B8B0-53DCE7410E70}]
2008-03-16 05:50 270336 --a------ C:\WINDOWS\drnpfdxwrs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{269B1AAF-415B-4C27-B8D0-1618BB6F03A1}"= "C:\WINDOWS\etlrlws.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{269b1aaf-415b-4c27-b8d0-1618bb6f03a1}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{05B21BE2-27AA-4156-8737-CDB43AE9D77F}]
[HKEY_CLASSES_ROOT\etlrlws]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1]
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 00:01 43008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-08-16 21:19 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-08-16 21:18 376832]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2001-10-04 19:40 212992]
"000StTHK"="000StTHK.exe" [2001-06-24 05:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2001-09-14 22:56 192512 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-26 06:45 45056]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2001-08-04 02:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2001-12-06 01:12 49152]
"nwiz"="nwiz.exe" [2002-04-19 14:13 364544 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 09:53 188416]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [ ]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 12:41 586896]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-27 21:48 100056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-30 09:46 180269]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 08:41 35328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-03-18 17:06 262184]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-23 20:33 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-09 02:58 98304]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]

C:\Documents and Settings\Olaf\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-10-03 10:12:27 156160]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-23 20:33 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 16:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-12-16 16:49 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
--a------ 2005-08-04 20:13 1294336 C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2001-11-14 11:37 147456 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-09 02:58 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-22 23:31 25388584 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"wuauserv"=2 (0x2)
"TapiSrv"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"=

R0 pciSm;pciSm;C:\WINDOWS\system32\DRIVERS\tossmpci.sys [2001-08-10 02:42]
R0 tosrfec;Bluetooth ACPI from Toshiba;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2001-07-13 12:26]
R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;C:\WINDOWS\system32\DRIVERS\TVALDX.SYS [2001-08-17 23:27]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 14:32]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-27 05:34]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2001-08-24 10:02]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-26 14:35]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-08-10 11:26]
S3 LCcFltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\LCcFltr.Sys [2001-09-19 11:11]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2001-07-13 05:22]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNMp50.sys [2006-11-28 22:46]
S3 PDNSp50;PDNSp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNSp50.sys [2006-11-28 22:46]
S3 pfsvgae;pfsvgae;C:\DOCUME~1\Olaf\LOCALS~1\Temp\pfsvgae.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 16:15:00 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-03-07 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Olaf.job"
- C:\PROGRA~1\NORTON~3\NORTON~1\Navw32.exeh/task:
"2008-03-17 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-03-24 13:41:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 14:22:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 14:43:03
ComboFix-quarantined-files.txt 2008-03-24 13:42:19
ComboFix2.txt 2008-03-23 14:36:33
#4
24.03.2008, 15:43
Honorary member
Posts: 29434

Hello,

you did not create or apply the ComboFix script correctly.

1. Post the HijackThis log: http://www.virus-protect.org/hjtkurz.html

2. http://www.virus-protect.org/artikel/tools/otmoveIt.html
Open OTMoveIt.exe. Paste the following into the left window, where it says "Paste Standard List of Files/Folders to be Move":

Quote:
C:\WINDOWS\drnpfdxwrs.dll

Click the red MoveIt! and post the deletion log here.

3. Run SDFix (works only in Safe Mode): http://www.virus-protect.org/artikel/tools/sdfix.html
Then post the report here.

__________
Regards, Sabina
All about PC security
#5
24.03.2008, 20:11
Member
Thread starter
Posts: 12

Hey Sabina,

here we go again. Attached you will find the log file for 1. HijackThis, 2. the deletion log from MoveIt, 3. the report from SDFix.

Best regards,
MacTac

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:01, on 24.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Olaf\LOCALS~1\Temp\Rar$EX00.062\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {34D7198C-3B26-4434-B8B0-53DCE7410E70} - C:\WINDOWS\drnpfdxwrs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: etlrlws - {269B1AAF-415B-4C27-B8D0-1618BB6F03A1} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 01
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Shortcut to ccApp.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Shortcut to ccApp.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe (User 'Default user')
O4 - Startup: Shortcut to ccApp.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173011785475
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab?nocache=20071219-1
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10698 bytes

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

C:\WINDOWS\drnpfdxwrs.dll unregistered successfully.
C:\WINDOWS\drnpfdxwrs.dll moved successfully.
C:\WINDOWS\etlrlws.dll_tobedeleted moved successfully.
C:\WINDOWS\fmsxwqs.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03242008_185247

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

SDFix: Version 1.160

Run by Olaf on 24.03.2008 at 19:13

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\rs.txt - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 19:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\skype\\Phone\\Skype.exe"="C:\\Program Files\\skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"="C:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe:*:Enabled:TacticalOps"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 10 Aug 2001 64,512 A..H. --- "C:\WINDOWS\system32\PackethSvc.exe"
Tue 27 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 11 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 22 Jun 2005 958,464 A.SH. --- "C:\Fotos\USA\29.08.04 Chicago\100CASIO\SIV2.tmp"
Thu 4 Nov 2004 21,504 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 23 Feb 2005 28,672 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0004.tmp"
Thu 4 Nov 2004 20,992 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0005.tmp"
Thu 12 Oct 2006 380,928 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0019.tmp"
Thu 4 Nov 2004 22,528 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0315.tmp"
Thu 4 Nov 2004 26,624 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0666.tmp"
Thu 4 Nov 2004 22,528 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL0829.tmp"
Thu 4 Nov 2004 23,040 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL1231.tmp"
Wed 23 Feb 2005 28,672 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL1517.tmp"
Tue 5 Jul 2005 20,896,768 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL1576.tmp"
Mon 15 Aug 2005 10,398,208 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL1659.tmp"
Thu 4 Nov 2004 28,672 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL2282.tmp"
Tue 9 Aug 2005 21,042,176 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL2470.tmp"
Thu 4 Nov 2004 23,040 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL2744.tmp"
Wed 23 Feb 2005 28,672 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL2800.tmp"
Thu 4 Nov 2004 24,576 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3050.tmp"
Thu 12 Oct 2006 82,432 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3268.tmp"
Thu 4 Nov 2004 28,160 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3378.tmp"
Thu 4 Nov 2004 23,552 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3773.tmp"
Thu 4 Nov 2004 27,648 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3779.tmp"
Thu 4 Nov 2004 23,040 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3787.tmp"
Thu 4 Nov 2004 21,504 ...H. --- "C:\Documents and Settings\Olaf\Application Data\Microsoft\Word\~WRL3882.tmp"

Finished!
24.03.2008, 23:27
Honorary member
Posts: 29434
#6
Hello MacTac

1. Delete ("fix") with HijackThis: click "Do a system scan only", put a check mark in the box in front of the entry quoted below, and choose "fix checked". + restart the computer.

Quote:
O2 - BHO: GNX Rolex - {34D7198C-3B26-4434-B8B0-53DCE7410E70} - C:\WINDOWS\drnpfdxwrs.dll

Restart the PC

»» scan with Bitdefender + post the report + a new log from Combofix
http://board.protecus.de/t8642.htm
__________
Kind regards
Sabina
all about PC security
26.03.2008, 22:04
Member
Thread starter, Posts: 12
#7
Hey Sabina,
with HijackThis I proceeded as you described. However, I could not find the entries you named and so could not set the check marks. I then followed the rest of your instructions. Attached you will find the scan report from Bitdefender and the Combofix logfile:

BitDefender Online Scanner

C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st =>[Subject: =?iso-8859-15?Q?FW:_Fw-2:_WG:_Gert=E4n][Date: Mon, 20 Feb 2006 17:16:46 +0100]=>(MIME part)=>=?iso-8859-15?Q?Getr=E4nkeabstellen.zip=>Getr?nkeabstellen.exe    Detected with: Application.Joke.Cdtray.A
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st =>[Subject: =?iso-8859-15?Q?FW:_Fw-2:_WG:_Gert=E4n][Date: Mon, 20 Feb 2006 17:16:46 +0100]=>(MIME part)=>=?iso-8859-15?Q?Getr=E4nkeabstellen.zip=>Getr?nkeabstellen.exe    Disinfection failed
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st =>[Subject: =?iso-8859-15?Q?FW:_Fw-2:_WG:_Gert=E4n][Date: Mon, 20 Feb 2006 17:16:46 +0100]=>(MIME part)=>=?iso-8859-15?Q?Getr=E4nkeabstellen.zip=>Getr?nkeabstellen.exe    Deleted
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st =>[Subject: =?iso-8859-15?Q?FW:_Fw-2:_WG:_Gert=E4n][Date: Mon, 20 Feb 2006 17:16:46 +0100]=>(MIME part)=>=?iso-8859-15?Q?Getr=E4nkeabstellen.zip    Updated
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st =>[Subject: =?iso-8859-15?Q?FW:_Fw-2:_WG:_Gert=E4n][Date: Mon, 20 Feb 2006 17:16:46 +0100]=>(MIME part)    Updated
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx=>(message 102): Fw-2: WG: Gert?nkehalter (-problem gel?st    Updated
C:\Documents and Settings\Olaf\Local Settings\Application Data\Identities\{394497DD-E309-4BFB-96F5-D8A211082348}\Microsoft\Outlook Express\Spassmails.dbx    Updated
C:\i\OnlineCasinos\Casino Treasure.exe    Detected with: Adware.Casino.BQ
C:\i\OnlineCasinos\Casino Treasure.exe    Deleted
C:\Ole\Movies\von Jan\DivXPro_5.03\DivXPro503GAINBundle.exe=>(VISE Installer s)=>Gain_Trickler.exe    Detected with: Adware.Gator.C
C:\Ole\Movies\von Jan\DivXPro_5.03\DivXPro503GAINBundle.exe=>(VISE Installer s)=>Gain_Trickler.exe    Deleted
C:\Ole\Movies\von Jan\DivXPro_5.03\DivXPro503GAINBundle.exe=>(VISE Installer s)    Update failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008    Detected with: Adware.AWS.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008    Deleted
C:\Program Files\AIM\Sysfiles\WxBug.EXE    Update failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)=>wise0008    Detected with: Adware.AWS.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)=>wise0008    Deleted
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)    Update failed
C:\Program Files\Kazaa\CloudLoad.dat    Detected with: Application.Kazaa.O
C:\Program Files\Kazaa\CloudLoad.dat    Disinfection failed
C:\Program Files\Kazaa\CloudLoad.dat    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 1)    Detected with: Application.Cydoor.S
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 1)    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 1)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 13)    Detected with: Application.Topsearch.B
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 13)    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 13)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 198)    Detected with: Adware.Altnet.K
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 198)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 199)    Detected with: Application.Brilliantdigital.B
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 199)    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 199)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 201)    Detected with: Adware.BDE
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 201)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)=>bdedetect1.dll    Detected with: Adware.Brilliantdigital.1007.A
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)=>bdedetect1.dll    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)=>bdeclean.exe    Detected with: Adware.Brilliantdigital.3022.A
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)=>bdeclean.exe    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 203)    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 204)    Detected with: Adware.Brilliantdigital.1100.A
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 204)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 205)    Detected with: Adware.Altnet.B
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 205)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 206)    Detected with: Adware.Brilliantdigital.C
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 206)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgMonitr.exe    Detected with: Application.Delfin.Media.Viewer.B
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgMonitr.exe    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgMonitr.exe    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgSDK.DLL    Detected with: Application.Delfin.Media.Viewer.D
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgSDK.DLL    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)=>PgSDK.DLL    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 207)=>(VISE Installer o)    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 208)    Infected with: Trojan.Downloader.3346.A
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 208)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)    Detected with: Application.Imesh.H
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 209)    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)=>SaveNow.exe    Detected with: Adware.Whenu.Savenow.AP
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)=>SaveNow.exe    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)    Update failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)=>Uninst.exe    Detected with: Application.Under.Investigation.Kazaa.C
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)=>Uninst.exe    Disinfection failed
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)=>Uninst.exe    Deleted
C:\Program Files\Kazaa\My Shared Folder\kmd202_de.exe=>(CAB Sfx o)=>\Disk1\data2.cab=>(IShield Module 210)=>(CAB Sfx r)    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D8B2EB3.tmp=>(Quarantine-2)=>[Subject: {Spam? 10.33} Lieferungs-Bescheid][Date: Thu, 09 Dec 2004 19:55:45 GMT]=>(MIME part)=>daten.eml.com    Infected with: Win32.Sober.I@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D8B2EB3.tmp=>(Quarantine-2)=>[Subject: {Spam? 10.33} Lieferungs-Bescheid][Date: Thu, 09 Dec 2004 19:55:45 GMT]=>(MIME part)=>daten.eml.com    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D8B2EB3.tmp=>(Quarantine-2)=>[Subject: {Spam? 10.33} Lieferungs-Bescheid][Date: Thu, 09 Dec 2004 19:55:45 GMT]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D8B2EB3.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0D8B2EB3.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\169845F1.AV$=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\169845F1.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F4417E.tmp=>(Quarantine-2)=>[Subject: {Spam? 06.23} Ihre E-Mail wurde verwei][Date: Sun, 02 Jan 2005 22:01:56 GMT]=>(MIME part)=>data_info3251.txt.bat    Infected with: Win32.Sober.I@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F4417E.tmp=>(Quarantine-2)=>[Subject: {Spam? 06.23} Ihre E-Mail wurde verwei][Date: Sun, 02 Jan 2005 22:01:56 GMT]=>(MIME part)=>data_info3251.txt.bat    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F4417E.tmp=>(Quarantine-2)=>[Subject: {Spam? 06.23} Ihre E-Mail wurde verwei][Date: Sun, 02 Jan 2005 22:01:56 GMT]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F4417E.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\27F4417E.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28B54D5A.tmp=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28B54D5A.tmp=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DF107C.tmp=>(Quarantine-2)=>[Subject: Ihre neuen Account-Daten][Date: Mon, 03 Jan 2005 11:11:45 GMT]=>(MIME part)=>Daten.com    Infected with: Win32.Sober.I@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DF107C.tmp=>(Quarantine-2)=>[Subject: Ihre neuen Account-Daten][Date: Mon, 03 Jan 2005 11:11:45 GMT]=>(MIME part)=>Daten.com    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DF107C.tmp=>(Quarantine-2)=>[Subject: Ihre neuen Account-Daten][Date: Mon, 03 Jan 2005 11:11:45 GMT]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DF107C.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28DF107C.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\29BF6C35.AV$=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\29BF6C35.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp=>(Quarantine-2)=>[Subject: {Spam? 05.86} Mail-Fehler!][Date: Mon, 09 May 2005 18:58:50 UTC]=>(MIME part)=>autoemail-text.zip=>Winzipped-Text_Data.txt .pif    Infected with: Win32.Sober.O@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp=>(Quarantine-2)=>[Subject: {Spam? 05.86} Mail-Fehler!][Date: Mon, 09 May 2005 18:58:50 UTC]=>(MIME part)=>autoemail-text.zip=>Winzipped-Text_Data.txt .pif    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp=>(Quarantine-2)=>[Subject: {Spam? 05.86} Mail-Fehler!][Date: Mon, 09 May 2005 18:58:50 UTC]=>(MIME part)=>autoemail-text.zip    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp=>(Quarantine-2)=>[Subject: {Spam? 05.86} Mail-Fehler!][Date: Mon, 09 May 2005 18:58:50 UTC]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B147397.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3C475C1A.tmp=>(Quarantine-2)    Infected with: Joke.Cursor.A
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3C475C1A.tmp=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BDD271D.tmp=>(Quarantine-2)=>[Subject: Lieferungs-Bescheid][Date: Tue, 04 Jan 2005 15:07:44 GMT]=>(MIME part)=>daten.scr    Infected with: Win32.Sober.I@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BDD271D.tmp=>(Quarantine-2)=>[Subject: Lieferungs-Bescheid][Date: Tue, 04 Jan 2005 15:07:44 GMT]=>(MIME part)=>daten.scr    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BDD271D.tmp=>(Quarantine-2)=>[Subject: Lieferungs-Bescheid][Date: Tue, 04 Jan 2005 15:07:44 GMT]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BDD271D.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BDD271D.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CAE1C8E.AV$=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CAE1C8E.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CB1468A.AV$=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CB1468A.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CC11878.AV$=>(Quarantine-2)    Infected with: Win32.Netsky.B@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4CC11878.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F633013.htm=>(Quarantine-2)    Infected with: Trojan.Isbar.83
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F633013.htm=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5C4736CD.tmp=>(Quarantine-2)    Infected with: Win32.Netsky.B@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5C4736CD.tmp=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61661D72.tmp=>(Quarantine-2)=>[Subject: FwD: Mailer Error][Date: Thu, 30 Dec 2004 10:12:45 GMT]=>(MIME part)=>Auto_Mail.doc.com    Infected with: Win32.Sober.I@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61661D72.tmp=>(Quarantine-2)=>[Subject: FwD: Mailer Error][Date: Thu, 30 Dec 2004 10:12:45 GMT]=>(MIME part)=>Auto_Mail.doc.com    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61661D72.tmp=>(Quarantine-2)=>[Subject: FwD: Mailer Error][Date: Thu, 30 Dec 2004 10:12:45 GMT]=>(MIME part)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61661D72.tmp=>(Quarantine-2)    Updated
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61661D72.tmp    Update failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C2151E4.AV$=>(Quarantine-2)    Infected with: Win32.Bagle.CC@mm
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6C2151E4.AV$=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7677703C.dll=>(Quarantine-2)    Detected with: Adware.AWS.A
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7677703C.dll=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DBE33AF.exe=>(Quarantine-2)    Detected with: Application.Adware.GoldCas.A
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DBE33AF.exe=>(Quarantine-2)    Disinfection failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DBE33AF.exe=>(Quarantine-2)    Deleted
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DC25DAC.exe=>(Quarantine-2)    Detected with: Application.Adware.GoldCas.A
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DC25DAC.exe=>(Quarantine-2)    Disinfection failed
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7DC25DAC.exe=>(Quarantine-2)    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP142\A0022368.bat    Infected with: Trojan.Winreg.Qoologic.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP142\A0022368.bat    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022422.exe    Infected with: Trojan.Dropper.Zirit.B
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022422.exe    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022422.exe    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022423.dll    Infected with: Trojan.Downloader.Zlob.ABPC
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022423.dll    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022432.dll    Infected with: Trojan.Downloader.Zlob.ABPC
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022432.dll    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022433.dll    Infected with: Trojan.Downloader.Zlob.ABPC
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022433.dll    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022434.dll    Infected with: Trojan.Dropper.Zirit.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022434.dll    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022434.dll    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022435.dll    Infected with: Trojan.Dropper.Zirit.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022435.dll    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022435.dll    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022437.exe    Infected with: Trojan.Dropper.Zirit.B
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022437.exe    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP143\A0022437.exe    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022559.exe    Detected with: Adware.Casino.BQ
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022559.exe    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022560.dll=>(Quarantine-2)    Detected with: Adware.AWS.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022560.dll=>(Quarantine-2)    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022561.exe=>(Quarantine-2)    Detected with: Application.Adware.GoldCas.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022561.exe=>(Quarantine-2)    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022561.exe=>(Quarantine-2)    Deleted
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022562.exe=>(Quarantine-2)    Detected with: Application.Adware.GoldCas.A
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022562.exe=>(Quarantine-2)    Disinfection failed
C:\System Volume Information\_restore{53F3B365-2354-4D6E-89CA-A070E4641321}\RP144\A0022562.exe=>(Quarantine-2)    Deleted
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\drnpfdxwrs.dll    Infected with: Trojan.Downloader.Zlob.ABPC
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\drnpfdxwrs.dll    Deleted
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\etlrlws.dll_tobedeleted    Infected with: Trojan.Downloader.Zlob.ABPC
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\etlrlws.dll_tobedeleted    Deleted
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\fmsxwqs.exe    Infected with: Trojan.Downloader.Zlob.ABPC
C:\_OTMoveIt\MovedFiles\03242008_185247\WINDOWS\fmsxwqs.exe    Deleted

ComboFix 08-03-22.3 - Olaf 2008-03-26 20:39:14.5 - NTFSx86
Running from: C:\My Downloads\Malware 23.03.2008\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
VFind -td "C:\WINDOWS\system32\baiso*"
CF28446.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-26 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-26 C:\WINDOWS\*
CF28446.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*"
CF28446.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
Findstr -MIF:/ sursen
CF28446.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*"
CF28446.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"
CF28446.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-26 "C:\Program Files\*"
CF28446.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.
2008-03-25 18:44 . 2008-03-26 06:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-24 19:06 . 2008-03-24 19:06 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-24 19:02 . 2008-03-24 19:51 <DIR> d-------- C:\SDFix
2008-03-24 18:52 . 2008-03-24 18:52 <DIR> d-------- C:\_OTMoveIt
2008-03-24 12:48 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 12:48 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 12:48 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 12:48 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 12:48 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-24 12:48 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 12:48 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 19:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-25 19:36 --------- d-----w C:\Program Files\Kazaa
2008-03-24 11:50 3,948 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-17 18:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 08:47 --------- d-----w C:\Program Files\PokerStars
2008-03-13 20:13 --------- d-----w C:\Program Files\Trillian
2008-02-13 21:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 21:18 --------- d-----w C:\Program Files\ElsterFormular
2008-02-12 19:50 --------- d-----w C:\Program Files\BitTorrent
2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
1998-02-11 01:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((( snapshot@2008-03-23_15.35.09.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 17:45:26 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-03-25 17:45:26 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-03-25 17:45:26 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-03-25 17:45:28 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-03-25 17:45:29 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-03-25 17:45:27 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-03-24 04:23:44 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-24 18:06:39 6,119,424 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-24 18:06:40 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-24 04:23:44 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-24 18:06:29 6,119,424 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-24 18:06:29 180,224 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-03-23 13:00:04 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-26 05:38:07 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-23 13:00:04 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-26 05:38:07 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1]
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 00:01 43008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-08-16 21:19 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-08-16 21:18 376832]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2001-10-04 19:40 212992]
"000StTHK"="000StTHK.exe" [2001-06-24 05:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2001-09-14 22:56 192512 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-26 06:45 45056]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2001-08-04 02:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2001-12-06 01:12 49152]
"nwiz"="nwiz.exe" [2002-04-19 14:13 364544 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 09:53 188416]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [ ]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 12:41 586896]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-27 21:48 100056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-30 09:46 180269]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 08:41 35328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-03-18 17:06 262184]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-23 20:33 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-09 02:58 98304]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]

C:\Documents and Settings\Olaf\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-10-03 10:12:27 156160]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-23 20:33 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 16:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-12-16 16:49 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
--a------ 2005-08-04 20:13 1294336 C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2001-11-14 11:37 147456 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-09 02:58 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-22 23:31 25388584 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"wuauserv"=2 (0x2)
"TapiSrv"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\BitTorrent\\bittorrent.exe"= "C:\\Program Files\\Azureus\\Azureus.exe"= "C:\\Program Files\\skype\\Phone\\Skype.exe"= "C:\\Program Files\\Trillian\\trillian.exe"= "C:\\Program Files\\ICQ6\\ICQ.exe"= "C:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"= R0 pciSm;pciSm;C:\WINDOWS\system32\DRIVERS\tossmpci.sys [2001-08-10 02:42] R0 tosrfec;Bluetooth ACPI from Toshiba;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2001-07-13 12:26] R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;C:\WINDOWS\system32\DRIVERS\TVALDX.SYS [2001-08-17 23:27] R3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 14:32] R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-27 05:34] R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2001-08-24 10:02] S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-26 14:35] S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-08-10 11:26] S3 LCcFltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\LCcFltr.Sys [2001-09-19 11:11] S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2001-07-13 05:22] S3 PDNMp50;PDNMp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNMp50.sys [2006-11-28 22:46] S3 PDNSp50;PDNSp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNSp50.sys [2006-11-28 22:46] S3 pfsvgae;pfsvgae;C:\DOCUME~1\Olaf\LOCALS~1\Temp\pfsvgae.sys [] . 
Contents of the 'Scheduled Tasks' folder "2008-02-15 16:15:00 C:\WINDOWS\Tasks\1-Klick-Wartung.job" - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe "2008-03-07 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Olaf.job" - C:\PROGRA~1\NORTON~3\NORTON~1\Navw32.exeh/task: "2008-03-25 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe "2008-03-25 21:59:14 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-26 20:48:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-03-26 20:52:25 ComboFix-quarantined-files.txt 2008-03-26 19:52:02 ComboFix2.txt 2008-03-24 13:43:11 ComboFix3.txt 2008-03-23 14:36:33 Ciao MacTac |
26.03.2008, 23:29
Honorary member
Posts: 29434
#8
Hello,
«« Go into the registry: Start - Run - regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1] - delete
At the same time the subkey must also be deleted:
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}
The other subkey:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
LEAVE AS IT IS - DO NOT CHANGE ANYTHING !!!!
--
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001 - change to 0
_______________________________________________________________________________
«« OTMoveIt: click the CleanUp! button. "Begin cleanup process?" - click Yes. "Do you want to reboot?" - click Yes. This way OTMoveIt2 automatically removes all the tools that were downloaded for the virus cleanup.
«« My Computer --> right-click, then Properties --> System Restore tab --> tick "Turn off System Restore on all drives". (then turn it on again)
http://www.virus-protect.org/systemwiederherstellung.html
«« C:\Program Files\Kazaa and C:\i\OnlineCasinos - uninstall; BitDefender has wiped half of it anyway....
Then everything should be OK again. If there are still problems... let me know
__________
Kind regards
Sabina
all about PC security
27.03.2008, 20:04
Member
Topic starter, Posts: 12
#9
Hello Sabina,
first of all many thanks for the quick help :-) Everything seems to have worked. One last question to finish: how do I uninstall Kazaa and OnlineCasinos cleanly (I've been dragging those around forever)? Under >>Control Panel->Add and Remove Hardware these programs are not listed.
------------------------
Ciao MacTac
27.03.2008, 20:08
Moderator
Posts: 5694
#10
Quote: MacTac posted
Kazaa, in my opinion, is not hardware... Do you mean under START -> Control Panel -> Software? Do you find these programs there?
Regards Swiss
27.03.2008, 20:19
Member
Topic starter, Posts: 12
#11
Grin,
sorry, I meant START -> Control Panel -> Software (Add and Remove Programs); they are not listed there
MacTac
27.03.2008, 20:55
Moderator
Posts: 5694
#12
Quote: Sabina posted
Doesn't that work??
Regards Swiss
This post was edited on 27.03.2008 at 21:15 by Tonstudio.
27.03.2008, 21:56
Member
Topic starter, Posts: 12
#13
Morning,
I know Sabina's quote; my question was whether simply deleting the folders also removes all the entries and leaves no leftover junk on the machine. Normally I uninstall programs under Control Panel - Software, but they are not listed there, nor under Start -> All Programs. If uninstall = delete, then I'll do that ;-)
Good night, MacTac
28.03.2008, 00:38
Honorary member
Posts: 29434
#14
Delete them with
http://www.virus-protect.org/artikel/tools/otmoveIt.html
Paste into the left window, where it says: Paste Standard List of Files/Folders to be Move
Quote
C:\Program Files\Kazaa
Click the red MoveIt!
«« Counterspy should get the rest out, especially in the registry
http://www.virus-protect.org/counterspy1.html
__________
Kind regards
Sabina
all about PC security
I picked up the malware named above via a "FakeCodec".
After that I got infection warnings, my desktop background changed and was one single big link, Internet Explorer redirected me to various websites of anti-spy/virus/malware programs, Task Manager was disabled, just as mentioned in other posts.
I ran Combofix with the following result:
1. the desktop icons were removed (3 of them)
2. no more infection warnings
3. Task Manager is enabled again
4. the desktop picture was removed
5. In Internet Explorer the buttons RemovePopups, ScanSpyware, Security Test, Spam Protection are still present
My questions:
While Combofix was running, "tmp0.exe" tried to establish a connection to the web. I blocked it via Symantec, since I was not sure whether it belongs to Combofix. Was that correct?
Is Combofix enough, or are further actions needed to finish this malware off for good?
Many thanks in advance!
Here is the ComboFix log:
ComboFix 08-03-22.3 - Olaf 2008-03-23 15:09:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.229 [GMT 1:00]
Running from: C:\My Downloads\Malware 23.03.2008\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
Findstr -MIF:/ sursen
CF1762.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
CF1762.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Olaf\Desktop\Error Cleaner.url
C:\Documents and Settings\Olaf\Desktop\Privacy Protector.url
C:\Documents and Settings\Olaf\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Olaf\Favorites\Error Cleaner.url
C:\Documents and Settings\Olaf\Favorites\Privacy Protector.url
C:\Documents and Settings\Olaf\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.
2008-03-16 10:15 . 2008-03-16 10:15 21,608 --a------ C:\Program Files\antiviirus.exe
2008-03-16 10:15 . 2008-03-16 10:15 16,484 -r-hs---- C:\Program Files\tmp0.exe
2008-03-16 10:14 . 2008-03-16 05:50 270,336 --a------ C:\WINDOWS\drnpfdxwrs.dll
2008-03-16 10:14 . 2008-03-16 05:50 237,568 --a------ C:\WINDOWS\altvxvm.dll
2008-03-16 10:14 . 2008-03-16 05:50 217,088 --a------ C:\WINDOWS\bokpkov.dll
2008-03-16 10:14 . 2008-03-16 05:50 176,128 --a------ C:\WINDOWS\etlrlws.dll
2008-03-16 10:14 . 2008-03-16 05:50 98,304 --a------ C:\WINDOWS\fmsxwqs.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 14:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-17 18:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 08:47 --------- d-----w C:\Program Files\PokerStars
2008-03-13 20:13 --------- d-----w C:\Program Files\Trillian
2008-02-13 21:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 21:18 --------- d-----w C:\Program Files\ElsterFormular
2008-02-12 19:50 --------- d-----w C:\Program Files\BitTorrent
1998-02-11 01:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34D7198C-3B26-4434-B8B0-53DCE7410E70}]
2008-03-16 05:50 270336 --a------ C:\WINDOWS\drnpfdxwrs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{269B1AAF-415B-4C27-B8D0-1618BB6F03A1}"= "C:\WINDOWS\etlrlws.dll" [2008-03-16 05:50 176128]
[HKEY_CLASSES_ROOT\clsid\{269b1aaf-415b-4c27-b8d0-1618bb6f03a1}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{05B21BE2-27AA-4156-8737-CDB43AE9D77F}]
[HKEY_CLASSES_ROOT\etlrlws]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1]
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 00:01 43008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-08-16 21:19 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-08-16 21:18 376832]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2001-10-04 19:40 212992]
"000StTHK"="000StTHK.exe" [2001-06-24 05:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2001-09-14 22:56 192512 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-26 06:45 45056]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2001-08-04 02:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2001-12-06 01:12 49152]
"nwiz"="nwiz.exe" [2002-04-19 14:13 364544 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 09:53 188416]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [ ]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 12:41 586896]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-27 21:48 100056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-30 09:46 180269]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 08:41 35328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-03-18 17:06 262184]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-23 20:33 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-09 02:58 98304]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-03-16 10:15 21608]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]
C:\Documents and Settings\Olaf\Start Menu\Programs\Startup\
Shortcut to ccApp.lnk - C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-09-18 22:51:46 58992]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-10-03 10:12:27 156160]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bokpkov"= {ECFD8C28-96BC-44D9-AA98-E1A7906216EB} - C:\WINDOWS\bokpkov.dll [2008-03-16 05:50 217088]
"altvxvm"= {C0347F45-BC52-47DD-9F34-4CAF5C4EE527} - C:\WINDOWS\altvxvm.dll [2008-03-16 05:50 237568]
"AvpSrv"= {e36eaa6b-0ce9-4fed-8ebb-80c7e96f68f8} - C:\WINDOWS\Installer\{e36eaa6b-0ce9-4fed-8ebb-80c7e96f68f8}\AvpSrv.dll [2008-03-16 10:14 18582]
"zip"= {b75ded30-81c9-4b40-8501-f91cb82a17c1} - C:\WINDOWS\Installer\{b75ded30-81c9-4b40-8501-f91cb82a17c1}\zip.dll [2008-03-16 10:16 23130]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-23 20:33 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 16:29 50736 C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-12-16 16:49 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
--a------ 2005-08-04 20:13 1294336 C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2001-11-14 11:37 147456 c:\toshiba\ivp\ism\pinger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-09 02:58 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-22 23:31 25388584 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"wuauserv"=2 (0x2)
"TapiSrv"=2 (0x2)
"gusvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"=
R0 pciSm;pciSm;C:\WINDOWS\system32\DRIVERS\tossmpci.sys [2001-08-10 02:42]
R0 tosrfec;Bluetooth ACPI from Toshiba;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2001-07-13 12:26]
R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;C:\WINDOWS\system32\DRIVERS\TVALDX.SYS [2001-08-17 23:27]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 14:32]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-27 05:34]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2001-08-24 10:02]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-26 14:35]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-08-10 11:26]
S3 LCcFltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\LCcFltr.Sys [2001-09-19 11:11]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2001-07-13 05:22]
S3 PDNMp50;PDNMp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNMp50.sys [2006-11-28 22:46]
S3 PDNSp50;PDNSp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PDNSp50.sys [2006-11-28 22:46]
S3 pfsvgae;pfsvgae;C:\DOCUME~1\Olaf\LOCALS~1\Temp\pfsvgae.sys []
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 16:15:00 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-03-07 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Olaf.job"
- C:\PROGRA~1\NORTON~3\NORTON~1\Navw32.exeh/task:
"2008-03-17 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-03-17 20:04:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 15:33:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-23 15:36:30
ComboFix-quarantined-files.txt 2008-03-23 14:35:57
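The reply in post #8 found what still had to be removed by hand by reading the post-cleanup log against this first one: the MyOverlayIcon1 handler under ShellIconOverlayIdentifiers and "AntiVirusDisableNotify"=1 were still there, while the BHO, toolbar, ShellServiceObjectDelayLoad modules and the "antiviirus" Run entry were gone. The script below is an added example, not code from this thread, from ComboFix or from the forum: it parses the "Reg Loading Points" part of a ComboFix log, flags the persistence patterns visible in the logs on this page (a module loaded directly from C:\WINDOWS rather than a subdirectory, an executable directly in C:\Program Files, a driver registered from a Temp directory, an Active Desktop component, an overlay handler not on an allowlist, Security Center notification or monitoring switched off, the XP firewall disabled), and diffs a "before" and "after" log the way the reply did by hand. The rule names are my own; the overlay allowlist holds only the Offline Files CLSID the reply says to leave alone; and the two log excerpts are constructed from lines quoted in this thread, shortened.

```python
"""Triage the 'Reg Loading Points' section of ComboFix logs and diff two runs.

Added example, not code from the thread or from ComboFix. Rule names,
the overlay allowlist and the two log excerpts below are assumptions.
"""
import re

# ShellIconOverlayIdentifiers CLSIDs treated as known-good. Only the
# "Offline Files" handler the reply says to leave alone is listed;
# extend it with your own baseline (assumption, not an exhaustive list).
OVERLAY_ALLOWLIST = {"{750fdf0e-2a26-11d1-a3ea-080036587f03}"}

PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|sys)\b", re.I)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def loading_points(log_text):
    """Yield (registry key, value line) pairs between REGEDIT4 and the tasks list."""
    key, active = "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            active = True
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            break
        if not active or line in ("", "."):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # a new key header; values follow
            continue
        yield key, line


def triage(log_text):
    """Return a set of (rule, detail) findings for one log."""
    findings = set()
    for key, line in loading_points(log_text):
        low = line.lower()
        m = PATH_RE.search(line)
        path = m.group(0).lower() if m else ""
        if "security center" in key and low.endswith("dword:00000001") and (
                "antivirusdisablenotify" in low or "disablemonitoring" in low):
            findings.add(("security-center-suppressed", f"{key}: {line}"))
        elif '"enablefirewall"= 0' in low:
            findings.add(("firewall-disabled", key))
        elif "shelliconoverlayidentifiers" in key:
            c = CLSID_RE.search(line)
            if c and c.group(0).lower() not in OVERLAY_ALLOWLIST:
                name = key.rsplit("\\", 1)[-1]
                findings.add(("unknown-overlay-handler", f"{name} -> {c.group(0).lower()}"))
        elif "shellserviceobjectdelayload" in key:
            # Explorer loads these at logon; ComboFix hides the XP defaults.
            findings.add(("ssodl-entry", path or line))
        elif "desktop\\components" in key and low.startswith("source="):
            findings.add(("active-desktop-component", line))
        elif path and re.fullmatch(r"c:\\windows\\[^\\]+", path):
            findings.add(("module-in-windows-root", path))
        elif path and re.fullmatch(r"c:\\program files\\[^\\]+", path):
            findings.add(("exe-in-program-files-root", path))
        elif path and "\\temp\\" in path:
            findings.add(("binary-in-temp", path))
    return findings


def compare(before_log, after_log):
    """What the cleanup removed, and what is still loaded afterwards."""
    before, after = triage(before_log), triage(after_log)
    return {"removed": sorted(before - after), "remaining": sorted(after)}


# Constructed excerpts, shortened from the logs quoted in this thread.
BEFORE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34D7198C-3B26-4434-B8B0-53DCE7410E70}]
2008-03-16 05:50 270336 --a------ C:\WINDOWS\drnpfdxwrs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{269B1AAF-415B-4C27-B8D0-1618BB6F03A1}"= "C:\WINDOWS\etlrlws.dll" [2008-03-16 05:50 176128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1]
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-03-16 10:15 21608]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bokpkov"= {ECFD8C28-96BC-44D9-AA98-E1A7906216EB} - C:\WINDOWS\bokpkov.dll [2008-03-16 05:50 217088]
"altvxvm"= {C0347F45-BC52-47DD-9F34-4CAF5C4EE527} - C:\WINDOWS\altvxvm.dll [2008-03-16 05:50 237568]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 pfsvgae;pfsvgae;C:\DOCUME~1\Olaf\LOCALS~1\Temp\pfsvgae.sys []
Contents of the 'Scheduled Tasks' folder
"""

AFTER_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MyOverlayIcon1]
@={F6C95B20-E9D5-4927-8C00-2B03B554417D}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 pfsvgae;pfsvgae;C:\DOCUME~1\Olaf\LOCALS~1\Temp\pfsvgae.sys []
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for section, items in compare(BEFORE_LOG, AFTER_LOG).items():
        print(section)
        for rule, detail in items:
            print(f"  {rule}: {detail}")
```

On these excerpts the "removed" list holds the BHO and toolbar DLLs in C:\WINDOWS, the antiviirus.exe Run entry, the privacy_danger Active Desktop component and both ShellServiceObjectDelayLoad modules; "remaining" holds the MyOverlayIcon1 handler and the AntiVirusDisableNotify value that the reply told the user to fix by hand, plus two items the reply did not mention but which are still present in the second log on this page: "EnableFirewall"= 0 and the pfsvgae service whose driver path points into a user's Temp directory. The Offline Files handler passes because its CLSID is on the allowlist, which is the same distinction the reply draws between the two subkeys.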