WiredWX Christian Hobby Weather Tools

Infected?

Dear all, thanks for a great website.

Attached you will find my log from HijackThis.

I would be very grateful if someone can help me.

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:39, on 05.02.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\SMINST\scheduler.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Natific\Natific M3K\NatificColorTransmitterTrayApplication.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CH&c=74&bd=smb&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [HPWWANGSAssistant] c:\SWSetup\HPQWWAN\HPWWanGSAssistant.exe /TrayMode
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DBISQL9] "c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [SybaseCentral43] "c:\program files\sybase\shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - Startup: Natific M3K.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://natific.sharepointhosting.ch
O15 - Trusted IP range: http://178.245.245.26
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://natag002.natific.intra:4343/officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://natag002.natific.intra:4343/officescan/console/html/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://natag002.natific.intra:4343/officescan/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://natag002.natific.intra:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = natific.intra
O17 - HKLM\Software\..\Telephony: DomainName = natific.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = natific.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = natific.intra
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Adaptive Server Anywhere - DatacolorASAService (ASANYs_DatacolorASAService) - iAnywhere Solutions, Inc. - c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Natific M3K (natific_m3k) - Szintézis-NET Kft. - C:\Program Files\Natific\Natific M3K\NatificM3KService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13713 bytes
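The HijackThis log above is a list of hook points (BHOs, Run keys, trusted zones, AppInit_DLLs, services), and the helper's reply below judges it by eye. The following is an added example, not code from the thread or from Trend Micro: a small triage script that parses "Oxx - ..." entries and marks the categories a reviewer usually checks first. The rule set is my own choice and every hit is a "look at this by hand" prompt, not a verdict; the sample log is constructed in the HijackThis v2 format (a few lines copied from the posted log, the `updater`, `intranet.example.test`, `203.0.113.7`, `example_hook.dll` and `Example Service` lines made up).

```python
"""Triage of HijackThis-style "Oxx" entries (added example, not from the thread).

The rules below are review triggers, not verdicts: a hit means "check this
entry by hand" (publisher, signature, whether the file belongs to installed
software), nothing more.  The categories and thresholds are my assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 format.  A few lines are copied from
# the log posted above; the rest are made up for the demonstration.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [updater] C:\Users\demo\AppData\Local\Temp\upd.exe /silent
O15 - Trusted Zone: http://intranet.example.test
O15 - Trusted IP range: http://203.0.113.7
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: example_hook.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Example Service (exsvc) - Unknown owner - C:\Program Files\Example\exsvc.exe (file missing)
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Autorun paths under a profile, Temp or AppData are writable without admin rights.
USER_WRITABLE_RE = re.compile(
    r"\\(Users|Documents and Settings)\\|\\Temp\\|\\AppData\\|%TEMP%|%APPDATA%", re.I)


@dataclass
class Finding:
    kind: str
    reason: str
    entry: str


def parse_entries(text):
    """Return (kind, body, full line) for every 'Oxx - ...' entry in the log."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("kind"), m.group("body"), raw.strip()))
    return out


def triage(text):
    """Apply the review-trigger rules; returns Findings in log order."""
    findings = []
    for kind, body, line in parse_entries(text):
        reason = None
        if kind == "O2" and body.endswith("(no file)"):
            reason = "BHO CLSID registered but its DLL is gone (orphaned entry)"
        elif kind == "O4" and USER_WRITABLE_RE.search(body):
            reason = "autorun launches a binary from a user-writable location"
        elif kind == "O15":
            reason = "IE Trusted zone entry: that host runs with relaxed browser security"
        elif kind == "O16" and body.lower().rsplit(" - ", 1)[-1].startswith("http://"):
            reason = "ActiveX control (DPF) fetched over plain HTTP; no transport integrity"
        elif kind == "O20":
            reason = "DLL loaded into other processes (AppInit_DLLs / Winlogon Notify); verify the publisher"
        elif kind == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            reason = "service whose binary is missing or whose owner is unknown"
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings


def summary(text):
    """Number of findings per HijackThis section, e.g. {'O15': 2, ...}."""
    counts = {}
    for f in triage(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.entry}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Entries the rules do not touch (vendor autoruns under Program Files, HTTPS ActiveX sources, signed services) are left out on purpose; the output is meant to shorten the manual read, not replace it.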

Re: Infected?

Hello.
Don't think so, log looks okay to me. What problems are you having?

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then right click JavaRa and select "Run as administrator" to run the program.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Infected?

Hi!

The most problematic issue I have is that I cannot access any antivirus homepages.

Thank you

Holits

Re: Infected?

I have G Data installed; on the one computer I can't download new updates, on a new computer it works fine.

Re: Infected?

Here is the log from ComboFix

ComboFix 09-02-04.01 - MAKA 2009-02-06 15:30:00.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2023.889 [GMT 1:00]
run from:: c:\users\MAKA\Desktop\ComboFix.exe
AV: G DATA AntiVirus 2008 *On-access scanning disabled* (Outdated)
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf
H:\Autorun.inf
I:\autorun.inf

.
((((((((((((((((((((((( Files created from 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))
.

2009-02-06 15:41 . 2009-02-06 15:41 4,096 --a------ c:\windows\System32\053D9.tmp
2009-02-06 15:06 . 2009-02-06 15:06 4,096 --a------ c:\windows\System32\0CC43.tmp
2009-02-06 12:18 . 2009-02-06 12:18 4,096 --a------ c:\windows\System32\0CBC6.tmp
2009-02-06 11:06 . 2009-02-06 11:06 4,096 --a------ c:\windows\System32\0DC88.tmp
2009-02-06 10:58 . 2009-02-06 10:57 410,984 --a------ c:\windows\System32\deploytk.dll
2009-02-06 10:31 . 2009-02-06 10:31 4,096 --a------ c:\windows\System32\0E52F.tmp
2009-02-06 10:28 . 2009-02-06 10:28 d-------- c:\users\All Users\G DATA
2009-02-06 10:28 . 2009-02-06 10:28 d-------- c:\programdata\G DATA
2009-02-06 10:24 . 2009-02-06 10:24 47,184 --a------ c:\windows\System32\drivers\MiniIcpt.sys
2009-02-06 10:24 . 2009-02-06 10:24 41,928 --a------ c:\windows\System32\drivers\GDTdiIcpt.sys
2009-02-06 10:24 . 2009-02-06 10:24 32,200 --a------ c:\windows\System32\drivers\HookCentre.sys
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Videos
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Searches
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Saved Games
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Pictures
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Music
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Links
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Downloads
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Documents
2009-02-06 10:23 . 2007-09-11 03:17 39,880 --a------ c:\windows\System32\drivers\gdwfpcd32.sys
2009-02-06 10:22 . 2009-02-06 10:23 d-------- c:\program files\G DATA AntiVirus
2009-02-06 10:22 . 2009-02-06 10:23 d-------- c:\program files\Common Files\G DATA
2009-02-06 08:14 . 2009-02-06 08:14 4,096 --a------ c:\windows\System32\0F44C.tmp
2009-02-06 07:34 . 2009-02-06 07:34 4,096 --a------ c:\windows\System32\0D364.tmp
2009-02-05 15:56 . 2009-02-05 15:56 4,096 --a------ c:\windows\System32\0CF7E.tmp
2009-02-05 13:21 . 2008-12-03 14:03 151,552 --a------ c:\temp\JavaRa.exe
2009-02-05 08:43 . 2009-02-05 08:43 4,096 --a------ c:\windows\System32\0F556.tmp
2009-02-04 20:16 . 2009-02-04 20:16 4,096 --a------ c:\windows\System32\0C522.tmp
2009-02-04 19:20 . 2009-02-04 19:20 4,096 --a------ c:\windows\System32\0D9E9.tmp
2009-02-04 17:32 . 2009-02-04 17:32 4,096 --a------ c:\windows\System32\0B4DD.tmp
2009-02-04 12:28 . 2006-11-06 11:55 748,344 --a------ c:\temp\Filemon.exe
2009-02-04 10:45 . 2009-02-04 10:45 4,096 --a------ c:\windows\System32\05B68.tmp
2009-02-04 10:27 . 2009-02-04 11:03 d-------- c:\temp\Datacolor
2009-02-04 08:04 . 2009-02-04 08:04 4,096 --a------ c:\windows\System32\0E1D5.tmp
2009-02-04 07:37 . 2009-02-04 07:37 4,096 --a------ c:\windows\System32\0BDC2.tmp
2009-02-03 22:16 . 2009-02-03 22:16 4,096 --a------ c:\windows\System32\0AEA5.tmp
2009-02-03 19:04 . 2009-02-03 19:04 4,096 --a------ c:\windows\System32\0AC08.tmp
2009-02-03 18:17 . 2009-02-03 18:17 6,258,825 --a------ C:\DATACOLOR_TOOLS.zip
2009-02-03 17:29 . 2009-02-03 17:29 d-------- c:\temp\m3k
2009-02-03 16:25 . 2009-02-03 16:25 4,096 --a------ c:\windows\System32\0560B.tmp
2009-02-03 16:00 . 2009-02-03 16:00 0 --a------ c:\windows\nsreg.dat
2009-02-03 14:14 . 2009-02-03 14:14 4,096 --a------ c:\windows\System32\0B0F6.tmp
2009-02-03 10:49 . 2009-02-03 10:49 4,096 --a------ c:\windows\System32\0AE77.tmp
2009-02-03 09:48 . 2009-02-03 09:48 4,096 --a------ c:\windows\System32\0C7E0.tmp
2009-02-02 08:40 . 2009-02-02 08:40 4,096 --a------ c:\windows\System32\0B9CC.tmp
2009-02-01 19:47 . 2009-02-01 19:47 4,096 --a------ c:\windows\System32\0C5BE.tmp
2009-02-01 14:29 . 2009-02-01 14:29 4,096 --a------ c:\windows\System32\0AED4.tmp
2009-02-01 12:13 . 2009-02-01 12:13 4,096 --a------ c:\windows\System32\0BBFE.tmp
2009-01-31 08:13 . 2009-01-31 08:13 4,096 --a------ c:\windows\System32\0201D.tmp
2009-01-30 18:38 . 2009-01-30 18:38 d-------- c:\program files\VisocoSoftware
2009-01-30 18:38 . 2006-02-27 00:59 189,952 --a------ c:\windows\System32\dbexpany.dll
2009-01-30 18:02 . 2009-01-30 18:02 d-------- c:\program files\Natific
2009-01-30 11:56 . 2009-01-30 11:56 4,096 --a------ c:\windows\System32\0B70E.tmp
2009-01-29 18:48 . 2009-01-29 18:48 4,096 --a------ c:\windows\System32\0CCB0.tmp
2009-01-29 17:44 . 2009-01-29 17:44 4,096 --a------ c:\windows\System32\0F17F.tmp
2009-01-29 14:41 . 2009-01-29 14:41 4,096 --a------ c:\windows\System32\01821.tmp
2009-01-29 11:16 . 2009-01-29 11:16 4,096 --a------ c:\windows\System32\0ADDB.tmp
2009-01-29 09:32 . 2009-01-29 09:32 4,096 --a------ c:\windows\System32\0BAF6.tmp
2009-01-28 22:03 . 2009-01-28 22:03 4,096 --a------ c:\windows\System32\0BB23.tmp
2009-01-28 08:12 . 2009-01-28 08:12 4,096 --a------ c:\windows\System32\0D68F.tmp
2009-01-28 06:44 . 2009-01-28 06:44 4,096 --a------ c:\windows\System32\0C927.tmp
2009-01-27 22:57 . 2009-01-27 22:58 4,096 --a------ c:\windows\System32\0DF37.tmp
2009-01-27 19:19 . 2009-01-27 19:19 4,096 --a------ c:\windows\System32\0C428.tmp
2009-01-27 07:50 . 2009-01-27 07:50 4,096 --a------ c:\windows\System32\0C14B.tmp
2009-01-26 20:14 . 2009-01-26 20:14 4,096 --a------ c:\windows\System32\0FE2C.tmp
2009-01-26 16:12 . 2009-01-26 16:12 4,096 --a------ c:\windows\System32\0C061.tmp
2009-01-26 14:43 . 2009-01-26 14:43 4,096 --a------ c:\windows\System32\0B6F0.tmp
2009-01-26 11:40 . 2009-01-26 11:40 4,096 --a------ c:\windows\System32\0C225.tmp
2009-01-26 07:30 . 2009-01-26 07:30 4,096 --a------ c:\windows\System32\0C5CD.tmp
2009-01-26 06:29 . 2009-01-26 06:29 4,096 --a------ c:\windows\System32\0D5A5.tmp
2009-01-24 18:41 . 2009-01-24 18:41 4,096 --a------ c:\windows\System32\0C8D9.tmp
2009-01-24 14:32 . 2009-01-24 14:32 4,096 --a------ c:\windows\System32\0B7D9.tmp
2009-01-24 14:24 . 2009-01-24 14:24 4,096 --a------ c:\windows\System32\0B460.tmp
2009-01-24 14:19 . 2009-01-24 14:19 4,096 --a------ c:\windows\System32\0BFD5.tmp
2009-01-24 08:30 . 2009-01-24 08:30 4,096 --a------ c:\windows\System32\0BB43.tmp
2009-01-23 18:10 . 2009-01-23 18:10 4,096 --a------ c:\windows\System32\0C4B5.tmp
2009-01-23 16:37 . 2009-01-23 16:37 4,096 --a------ c:\windows\System32\0BAF5.tmp
2009-01-23 08:29 . 2009-01-23 08:29 4,096 --a------ c:\windows\System32\0B01C.tmp
2009-01-23 07:56 . 2009-01-23 07:56 4,096 --a------ c:\windows\System32\0BC2D.tmp
2009-01-22 19:25 . 2009-01-22 19:25 4,096 --a------ c:\windows\System32\0B75C.tmp
2009-01-22 17:01 . 2009-01-22 17:01 4,096 --a------ c:\windows\System32\0B615.tmp
2009-01-22 14:37 . 2009-01-22 14:37 4,096 --a------ c:\windows\System32\0A784.tmp
2009-01-22 12:40 . 2009-01-22 12:40 4,096 --a------ c:\windows\System32\0B412.tmp
2009-01-22 04:03 . 2009-01-22 04:03 4,096 --a------ c:\windows\System32\0AC93.tmp
2009-01-22 01:25 . 2009-01-22 01:25 4,096 --a------ c:\windows\System32\0BD45.tmp
2009-01-21 15:34 . 2009-01-21 15:34 4,096 --a------ c:\windows\System32\0C58F.tmp
2009-01-21 12:13 . 2009-01-21 12:13 4,096 --a------ c:\windows\System32\0B79B.tmp
2009-01-21 01:46 . 2009-01-21 01:46 4,096 --a------ c:\windows\System32\0B135.tmp
2009-01-21 00:38 . 2009-01-21 00:38 4,096 --a------ c:\windows\System32\0AF80.tmp
2009-01-20 16:57 . 2009-01-20 16:57 4,096 --a------ c:\windows\System32\0F21B.tmp
2009-01-20 14:24 . 2009-01-20 14:24 4,096 --a------ c:\windows\System32\0F085.tmp
2009-01-20 14:06 . 2009-01-20 14:06 4,096 --a------ c:\windows\System32\0BE6E.tmp
2009-01-20 01:47 . 2009-01-20 01:47 4,096 --a------ c:\windows\System32\0BBA0.tmp
2009-01-19 15:05 . 2009-01-19 15:05 4,096 --a------ c:\windows\System32\0B6EF.tmp
2009-01-19 01:36 . 2009-01-19 01:36 4,096 --a------ c:\windows\System32\0BBBF.tmp
2009-01-18 14:34 . 2009-01-18 14:34 4,096 --a------ c:\windows\System32\0C5E.tmp
2009-01-18 04:57 . 2009-01-18 04:57 d-------- c:\users\MAKA\AppData\Roaming\Notepad++
2009-01-18 04:57 . 2009-01-18 04:57 d-------- c:\program files\Notepad++
2009-01-18 01:41 . 2009-01-18 01:41 4,096 --a------ c:\windows\System32\0B144.tmp
2009-01-17 17:20 . 2009-01-17 17:20 4,096 --a------ c:\windows\System32\0D049.tmp
2009-01-17 12:15 . 2009-01-17 12:15 4,096 --a------ c:\windows\System32\068A1.tmp
2009-01-17 07:41 . 2009-01-17 07:41 d-------- c:\program files\CyberChrome
2009-01-17 07:39 . 2006-12-20 11:55 3,066,968 --a------ c:\windows\System32\hinstd.dll
2009-01-17 07:39 . 2006-12-20 10:00 2,511,360 --a------ c:\windows\System32\haspds_windows.dll
2009-01-17 07:39 . 2006-11-22 10:01 693,760 --a------ c:\windows\System32\drivers\hardlock.sys
2009-01-17 07:39 . 2006-12-20 10:00 671,112 --a------ c:\windows\System32\hdinst_windows.dll
2009-01-17 07:39 . 2006-11-22 10:01 327,168 --a------ c:\windows\System32\drivers\akshasp.sys
2009-01-17 07:39 . 2002-07-26 17:02 153,088 --a------ c:\windows\System32\UNWISE.EXE
2009-01-17 07:39 . 2006-10-16 19:35 104,576 --a------ c:\windows\System32\drivers\aksclass.sys
2009-01-17 07:39 . 2006-11-22 10:01 100,096 --a------ c:\windows\System32\drivers\aksusb.sys
2009-01-17 07:39 . 2006-11-30 11:06 69,632 --a------ c:\windows\System32\hasp_inst_help1.dll
2009-01-17 07:39 . 2005-09-06 17:06 28,672 --a------ c:\windows\System32\hlduinst.exe
2009-01-17 07:39 . 2006-10-16 19:35 7,168 --a------ c:\windows\System32\akscoinst.dll
2009-01-17 02:42 . 2009-01-17 02:42 4,096 --a------ c:\windows\System32\0AC07.tmp
2009-01-16 15:31 . 2009-01-16 15:31 4,096 --a------ c:\windows\System32\0AA13.tmp
2009-01-15 15:41 . 2009-01-15 15:41 4,096 --a------ c:\windows\System32\0DA18.tmp
2009-01-15 15:31 . 2009-01-15 15:31 4,096 --a------ c:\windows\System32\09D28.tmp
2009-01-15 01:39 . 2009-01-15 01:39 4,096 --a------ c:\windows\System32\0B0E7.tmp
2009-01-14 01:47 . 2009-01-14 01:47 4,096 --a------ c:\windows\System32\0B2DA.tmp
2009-01-13 16:51 . 2009-01-13 16:51 4,096 --a------ c:\windows\System32\0BF58.tmp
2009-01-13 13:35 . 2009-01-13 13:35 4,096 --a------ c:\windows\System32\0ADBB.tmp
2009-01-13 06:34 . 2009-01-13 06:34 d-------- c:\program files\FileZilla FTP Client
2009-01-13 04:30 . 2009-01-13 04:30 4,096 --a------ c:\windows\System32\0FDCE.tmp
2009-01-13 03:48 . 2009-01-13 03:48 4,096 --a------ c:\windows\System32\0BF67.tmp
2009-01-12 16:30 . 2009-01-12 16:30 4,096 --a------ c:\windows\System32\0C782.tmp

Re: Infected?

part two of the same file


.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 09:56 --------- d-----w c:\program files\Java
2009-02-06 09:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 23:24 --------- d-----w c:\users\MAKA\AppData\Roaming\Skype
2009-02-05 23:08 --------- d-----w c:\users\MAKA\AppData\Roaming\skypePM
2009-02-05 10:24 --------- d-----w c:\program files\Trend Micro
2009-02-04 16:32 --------- d-----w c:\programdata\Adaptive Server Anywhere 9
2009-02-04 10:27 --------- d-----w c:\users\MAKA\AppData\Roaming\FileZilla
2009-01-15 07:22 --------- d-----w c:\programdata\Microsoft Help
2008-12-28 16:08 --------- d-----w c:\users\MAKA\AppData\Roaming\Roxio
2008-12-27 14:19 --------- d-----w c:\program files\Xcarab
2008-12-26 18:00 --------- d-----w c:\users\MAKA\AppData\Roaming\U3
2008-12-16 19:05 --------- d-----w c:\programdata\Roxio
2008-12-10 16:41 --------- d-----w c:\programdata\Datacolor
2008-12-10 16:39 --------- d-----w c:\program files\Common Files\Datacolor
2008-12-10 16:36 --------- d-----w c:\program files\Common Files\Borland Shared
2008-12-10 16:35 --------- d-----w c:\program files\Datacolor
2008-12-10 14:57 --------- d-----w c:\program files\Sybase
2008-09-08 11:43 174 --sha-w c:\program files\desktop.ini
2008-12-17 22:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 22:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 22:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 22:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 22:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-01-19 07:34 169,822 --sha-r c:\windows\System32\kqdqpgy.dll
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_20.40.23.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-04 19:14:55 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2009-02-06 14:38:26 2,484 ----a-w c:\windows\bthservsdp.dat
- 2009-02-04 19:16:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-06 14:40:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-04 19:16:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-06 14:40:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-04 19:19:06 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-04 19:19:06 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-04 19:16:51 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-06 14:41:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-04 19:16:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 14:41:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-04 19:16:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-06 14:41:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-09-19 13:44:04 15,664 ----a-w c:\windows\System32\drivers\GEARAspiWDM.sys
+ 2006-10-03 18:47:52 109,360 ----a-w c:\windows\System32\GEARAspi.dll
- 2007-10-19 13:59:53 135,168 ----a-w c:\windows\System32\java.exe
+ 2009-02-06 09:57:01 144,792 ----a-w c:\windows\System32\java.exe
- 2007-10-19 13:59:53 135,168 ----a-w c:\windows\System32\javaw.exe
+ 2009-02-06 09:57:01 144,792 ----a-w c:\windows\System32\javaw.exe
- 2007-10-19 13:59:53 139,264 ----a-w c:\windows\System32\javaws.exe
+ 2009-02-06 09:57:01 148,888 ----a-w c:\windows\System32\javaws.exe
- 2009-02-04 19:23:49 162,164 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-06 14:15:21 162,164 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-04 19:23:49 770,460 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-06 14:15:21 770,460 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-07 19:49:09 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-02-06 09:29:30 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-02-04 19:19:46 15,090 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-223047310-760144544-513043358-1003_UserData.bin
+ 2009-02-06 14:12:34 15,786 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-223047310-760144544-513043358-1003_UserData.bin
- 2009-02-04 19:19:44 100,006 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 14:12:29 101,292 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-04 16:35:18 73,584 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 14:12:26 74,866 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-01-26 12:11:57 413,416 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-05 22:22:16 415,622 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-01-17 04:13:21 164,313,215 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-06 09:24:19 164,315,546 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-06 09:24:12 65,536 ----a-w c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087\vcomp.dll
.

Re: Infected?

third part


-- Snapshot auf jetziges Datum zurückgesetzt --
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DBISQL9"="c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" [2007-02-26 139264]
"SybaseCentral43"="c:\program files\sybase\shared\Sybase Central 4.3\win32\scjview.exe" [2007-02-23 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 317128]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-20 404248]
"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-09-07 4162864]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-07 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-07 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-07 154136]
"AVKTray"="c:\program files\G DATA AntiVirus\AVKTray\AVKTray.exe" [2007-09-24 603720]

c:\users\MAKA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Natific M3K.lnk - c:\users\MAKA\AppData\Roaming\Microsoft\Installer\{095CC82D-8684-4215-BFBC-2267BBCF5B48}\_4AD5F2476D306C03243940.exe [2009-01-30 1150]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 719664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-09-01 192512]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-10-06 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 16:19 49152 c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

Re: Infected?
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{89F4B4FC-A3F6-4727-815E-71F6691F603F}c:\\windows\\sminst\\scheduler.exe"= UDP:c:\windows\sminst\scheduler.exe:Scheduler
"UDP Query User{B0F12F74-20AA-4A41-9EA1-291FFA292D81}c:\\windows\\sminst\\scheduler.exe"= TCP:c:\windows\sminst\scheduler.exe:Scheduler
"{7FA58DDD-9E87-47E5-9CB4-4F59AEFF42AA}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AE5DE5D8-1F97-4F60-8B44-40FA5ED38D4E}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{45436D07-F2EA-422A-9C71-A0D57A0544C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD23F878-003B-43C4-801D-48DD76E18CD5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{11343961-8633-454E-BEE0-EC3FCD37DA64}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{408F45A1-05EA-478E-9839-2F1A5DAA13CE}c:\\windows\\system32\\mstsc.exe"= UDP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"UDP Query User{BC3558C1-D674-4F81-98DC-03EFB09843C3}c:\\windows\\system32\\mstsc.exe"= TCP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"TCP Query User{B542034E-DF6E-41A8-8AD4-26A8F1F8C10D}c:\\windows\\system32\\mstsc.exe"= UDP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"UDP Query User{50C6AEB7-EBAD-4744-A51E-73449B6E9BFC}c:\\windows\\system32\\mstsc.exe"= TCP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"TCP Query User{53829268-9440-4CC3-AACE-5640E2157D6F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ABB2EECD-0BF6-42D2-936A-78CC5F999B57}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{CB33E0E8-A844-4785-9F4E-9C3F3265A9C6}c:\\windows\\sminst\\scheduler.exe"= UDP:c:\windows\sminst\scheduler.exe:Scheduler
"UDP Query User{A757EE6F-2274-4773-89E5-6B3CBDCA2D39}c:\\windows\\sminst\\scheduler.exe"= TCP:c:\windows\sminst\scheduler.exe:Scheduler
"{5CE9522C-80EA-4AA0-8EFE-2D04EDD58AAF}"= UDP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{274F0483-BCCB-4075-9893-4497E48E42F8}"= TCP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{BA30D2F3-521A-4D9D-A329-C2D7B8BC1AED}"= UDP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{64AF8E38-311D-4849-B418-C487D58236A4}"= TCP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{4D6B543F-A12E-45C4-AF54-90659E5F6E3E}"= UDP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{E09E3055-C502-4ABD-8622-A50DE374D85E}"= TCP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{92923F84-1EDD-4DC0-8398-EFC32F3E65A7}"= UDP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"{D6B63CC8-6EBB-492D-B99C-CEF29FF11E2F}"= TCP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"TCP Query User{92F1A22B-B3C1-4EE3-89CA-9045BB0F86D0}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{A4845137-A872-4C6B-9B15-848812121AD1}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{2C0DA30A-9D63-4609-A0E5-83948CF0249C}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{F318CF33-6483-4940-8EFD-8DBC4D1AE064}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"TCP Query User{37715433-5051-4B6D-910F-B9AAA599372E}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"UDP Query User{E41D8C5C-831D-494C-AB05-87A418E5F507}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"TCP Query User{E4393286-17F1-4498-94BF-ADEB99E5904C}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= UDP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"UDP Query User{EC497345-9DAE-4AF3-85F8-579A83965F0F}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= TCP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"TCP Query User{9B8A2827-9D24-41EA-AB01-6F3F531717E7}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbeng9.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe:Adaptive Server Anywhere Database Engine
"UDP Query User{14784D08-70AC-4B6C-B438-788A61C3968F}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbeng9.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe:Adaptive Server Anywhere Database Engine
"TCP Query User{530BCA08-A744-4F96-BF1C-8926C959A419}c:\\program files\\juniper\\netscreen-remote\\vpn.exe"= UDP:c:\program files\juniper\netscreen-remote\vpn.exe:VPN Connection Manager
"UDP Query User{0ED508A9-FA7C-43A6-9DB3-A3B7A867A602}c:\\program files\\juniper\\netscreen-remote\\vpn.exe"= TCP:c:\program files\juniper\netscreen-remote\vpn.exe:VPN Connection Manager
"TCP Query User{CEEB3A62-CDF4-4504-B53F-3835B123E3D0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C650537A-44FA-48AD-A41C-1C9ED0554B24}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A29BC170-8E4B-46A1-B11C-D6522440F47E}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{86C9F9AE-3480-4449-A746-C7C2827BC1DD}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{FDA04A50-B175-4B85-B3B0-F319FAA9F5F7}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{51142281-D2E1-48F1-9DD5-CEEEB128C40E}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"TCP Query User{BD8924E9-7BF3-4A27-A811-538B9342B44E}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= UDP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"UDP Query User{72FB405B-45AE-4EDD-86A3-97900A05C206}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= TCP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"TCP Query User{A87DF5B8-D8C3-41AC-A968-0E08C26F9DDD}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"UDP Query User{36344BC2-1F5C-4DFA-AF52-9ED57E4B25AF}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"{4BB6B342-231A-4F6C-9327-AC09164A0E4D}"= UDP:3707:yoske
"{392E9D53-9942-4386-83FC-1D6CAEAFA101}"= UDP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{53210BC1-61FE-43E0-8AF0-F04CAADCE3FF}"= TCP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{568A3679-D1A4-4942-8989-5E20641B05EB}"= UDP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{FB4C6859-C658-4E22-B749-322296AE7524}"= TCP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{AC6780A0-033A-4C1C-8409-F39E3642E13A}"= UDP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{37C9D1EA-0A5E-4D33-9C4C-270C894EA425}"= TCP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{F153C857-A8CB-4908-A276-409BEF991ADB}"= UDP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"{F518BEBF-C4BB-4FA2-978F-CEC8DA7CF334}"= TCP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [2007-03-30 13696]
R1 gdwfpcd;G DATA WFP CD;c:\windows\System32\drivers\gdwfpcd32.sys [2009-02-06 39880]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\System32\drivers\IpSecDrv.sys [2008-10-06 138296]
R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [2007-04-27 5808]
R2 ASANYs_DatacolorASAService;Adaptive Server Anywhere - DatacolorASAService;c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe -hvASANYs_DatacolorASAService --> c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe -hvASANYs_DatacolorASAService [?]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2008-09-05 21504]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2008-09-05 21504]
R2 AVKProxy;G DATA AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2009-02-06 689736]
R2 AVKService;AVK Service;c:\program files\G DATA AntiVirus\AVK\AVKService.exe [2009-02-06 407376]
R2 AVKWCtl;AntiVirus Monitor;c:\program files\G DATA AntiVirus\AVK\AVKWCtl.exe [2009-02-06 1095240]
R2 Crypto;Crypto;c:\windows\System32\drivers\Crypto.sys [2008-10-06 536634]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\System32\drivers\GDTdiIcpt.sys [2009-02-06 41928]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
R2 natific_m3k;Natific M3K;c:\program files\Natific\Natific M3K\NatificM3KService.exe [2009-01-16 20480]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-10-19 540448]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-09-01 1489688]
R3 DniVapCo;Deterministic Networks CoWAN Miniport (Virtual);c:\windows\System32\drivers\vapco.sys [2008-10-01 27408]
R3 GDMnIcpt;GDMnIcpt;c:\windows\System32\drivers\MiniIcpt.sys [2009-02-06 47184]
R3 HookCentre;HookCentre;c:\windows\System32\drivers\HookCentre.sys [2009-02-06 32200]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\System32\drivers\scrswi.sys [2007-03-26 43904]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (#02);c:\windows\System32\drivers\SWNC8U02.sys [2007-03-12 102272]
R3 SWUMX02;HP hs2300 USB MUX Driver (#02);c:\windows\System32\drivers\swumx02.sys [2007-04-10 72576]
S2 ylxafcwu;System Installer;c:\windows\system32\svchost.exe -k netsvcs [2008-09-05 21504]
S3 DAMDrv;DAMDrv;c:\windows\System32\drivers\DAMDrv.sys [2007-04-23 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\System32\flcdlock.exe [2007-04-30 172131]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-12 33752]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
S4 Datacolor.DataSecurity;Datacolor DataSecurity Service;c:\program files\Datacolor\DataSecurityServiceSetup\Datacolor.DataSecurity.WindowsService.exe [2008-10-30 20480]
S4 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2007-01-05 18944]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylxafcwu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20401cb2-a337-11dd-a596-df351c8a7dce}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7457f28f-d1d3-11dd-b189-ec2de8747213}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0\bin\jusched.exe

Re: Infected?
last part of the log


.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CH&c=74&bd=smb&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: sharepointhosting.ch\natific
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://natag002.natific.intra:4343/officescan/console/html/root/AtxEnc.cab
FF - ProfilePath - c:\users\MAKA\AppData\Roaming\Mozilla\Firefox\Profiles\44h6bks2.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\components\AvkWebFilterFF.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 15:47:43
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'lsass.exe'(724)
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'Explorer.exe'(6100)
c:\program files\Hewlett-Packard\IAM\bin\ItClient.dll
c:\windows\system32\btmmhook.dll
c:\windows\ATL.DLL
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Juniper\NetScreen-Remote\IreIKE.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Natific\Natific M3K\NatificColorTransmitterTrayApplication.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\System32\taskmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-02-06 15:56:45 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-02-06 14:56:38
ComboFix2.txt 2009-02-04 19:46:39

Vor Suchlauf: 40'163'471'360 bytes free
Nach Suchlauf: 40,162,189,312 bytes free

459 --- E O F --- 2009-01-07 19:45:37

Re: Infected?
Hello.
Press Start > Run, type in cmd and press enter.
When the command prompt opens, type in del c:\windows\System32\*.tmp and press enter.

Run this script with Combofix.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\System32\kqdqpgy.dll

NetSvcs::
ylxafcwu

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

DDS::
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://natag002.natific.intra:4343/officescan/console/html/root/AtxEnc.cab


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Last edited by Belahzur on 7th February 2009, 1:42 pm; edited 1 time in total

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
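As an added example (not code from this thread or from ComboFix), here is a small Python triage pass over constructed ComboFix-style log lines that picks out the items the CFScript above targets (the netsvcs service, the mountpoints2 AutoRun command) together with the weakened security settings visible in the log. The check names, the eight-lowercase-letter service-name heuristic and the sample lines are this example's own assumptions.

```python
"""Triage pass over ComboFix-style log lines (added example; not code from the
forum thread or from ComboFix).  Sample lines are constructed from the shapes
seen in the posted log; the check names and the eight-lowercase-letter
service-name heuristic are this example's own assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "check detail")

# Constructed sample: registry sections, two service lines, the NetSvcs
# listing and two removable-drive AutoRun entries, in ComboFix's layout.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R2 AVKProxy;G DATA AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2009-02-06 689736]
S2 ylxafcwu;System Installer;c:\windows\system32\svchost.exe -k netsvcs [2008-09-05 21504]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylxafcwu
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20401cb2-a337-11dd-a596-df351c8a7dce}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
"""

# "R2 Name;Display;image [date size]" -> (start type, name, display, image)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*(?:\[[^\]]*\])?$")
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.*)$", re.I)
# the module handed to rundll32 is the token just before the ",ExportName" part
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+),", re.I)
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")  # heuristic for generated service names
WEAK_SETTINGS = [
    (re.compile(r'^"EnableLUA"=\s*0\b'), "UAC disabled (EnableLUA=0)"),
    (re.compile(r'^"EnableFirewall"=\s*0\b'), "firewall disabled (EnableFirewall=0)"),
    (re.compile(r'^"DisableMonitoring"=dword:0*1$'), "Security Center monitoring disabled"),
    (re.compile(r'^"\w+DisableNotify"=dword:0*1$'), "Security Center notification disabled"),
]


def triage(text):
    """Walk the log once and collect the findings a human should look at."""
    findings = []
    current_key = ""    # most recent [registry key] header
    in_netsvcs = False  # inside the "Svchost - NetSvcs" listing
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_netsvcs = False  # a new key header ends the NetSvcs listing
            continue
        if not line:
            in_netsvcs = False
            continue
        if line.lower().endswith("svchost - netsvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            # ComboFix hides legitimate default entries, so anything listed
            # here was added to the netsvcs group after installation.
            findings.append(Finding("netsvcs-entry", f"non-default NetSvcs member: {line}"))
            continue
        for pattern, message in WEAK_SETTINGS:
            if pattern.match(line):
                findings.append(Finding("weakened-setting", f"{message} under {current_key}"))
        m = SERVICE_RE.match(line)
        if m:
            _, name, display, image = m.groups()
            if "svchost.exe -k netsvcs" in image.lower() and RANDOM_NAME_RE.fullmatch(name):
                findings.append(Finding("suspicious-service", f"{name} ({display!r}) hosted via {image}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group(1)
            if "recycler" in cmd.lower():
                findings.append(Finding("autorun", f"AutoRun runs code from a RECYCLER folder under {current_key}"))
            for module in RUNDLL_RE.findall(cmd):
                if not module.lower().endswith(".dll"):
                    findings.append(Finding("autorun", f"rundll32 loads a non-DLL module: {module}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.detail}")
```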

Re: Infected?

I can't delete all the temp files, not even in safe mode (I have admin rights)...

strange

Re: Infected?
Okay, we'll use another tool on them, just do the CFScript for now.


Re: Infected?
Thank you, what tool do you mean?

Re: Infected?
This post:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/infected-t6425.htm#39547

Copy all that is inside the text box into a notepad file, save it as CFScript.txt, and drag and drop onto Combofix.


Re: Infected?

First of all, thank you for helping me.

OK, I tried that; I still cannot access the antivirus pages or delete the tmp files.

Re: Infected?
I need to see the new log please.


Re: Infected?
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.
