
Cryp_tap-2 - stubborn one this! Please help. [RESOLVED]



#1
englischdude
    Member
  • 10 posts
hi there,

would really appreciate your help with a problem I'm having. Trend keeps on running, trying to remove an infection; when I open Trend the last infection seems to be "removing cryp_tap-2 from mnnlm.dll". I have done a little research on the net, VundoFix etc., but nothing seems to be helping, Spybot, Ad-Aware, nothing.

here are the contents of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:50, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\FZ6B37.EXE
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ltmoh\Ltmoh.exe
C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\CSOnlineView3\ovwinetd.exe
C:\Programme\Alcatel_PIMphony\aocphone.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drexel-weiss.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programme\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [6457fb8f] rundll32.exe "C:\WINDOWS\system32\dsdjxnyx.dll",b
O4 - HKLM\..\Run: [BM6764c813] Rundll32.exe "C:\WINDOWS\system32\boynetip.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PIMphony.lnk = ?
O4 - Global Startup: ovwinetd.lnk = C:\Programme\CSOnlineView3\ovwinetd.exe
O4 - Global Startup: PIMphony.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://fserver01.dr...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://fserver01.dr...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://fserver01.dr.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O17 - HKLM\Software\..\Telephony: DomainName = drexel-weiss.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8681 bytes


thank you all so much in advance for your support.

regards
englischdude
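The O4 (Run key) and "Running processes" sections of a HijackThis log like the one above are read by eye: a helper looks for rundll32.exe being pointed at a DLL in system32 through a one-letter export, for Run values whose names are bare hex strings, and for executables started out of a TEMP directory. The script below, added here as an example and not code from the forum, from HijackThis or from any of the tools named in this thread, applies those same three checks mechanically to a constructed sample built from lines in the log format shown above (the benign NvCplDaemon line is a constructed control that a naive "any rundll32" rule would wrongly flag). Every rule is a heuristic: a hit means "look at this line", not "this is infected".

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not the forum's or HijackThis' own code.
It applies, mechanically, the checks a helper makes by eye on the O4 (Run key)
and "Running processes" sections of a HijackThis log:
  * rundll32.exe loading a DLL out of system32 through a single-letter export
    (legitimate rundll32 autoruns name a real export such as NvStartup);
  * a Run value whose name is a bare hex string (optionally "BM"-prefixed);
  * a process executing out of a TEMP directory.
Each rule is a heuristic: a hit means "look at this line", not "infected".
"""
import re
from dataclasses import dataclass, field

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 command with a DLL path and an export: rundll32.exe "C:\...\x.dll",b
RUNDLL_RE = re.compile(
    r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)\s*$', re.IGNORECASE
)
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8,10}$")      # e.g. 6457fb8f, BM6764c813
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

R_SINGLE_EXPORT = "rundll32 loads a system32 DLL through a single-letter export"
R_HEX_NAME = "Run value name is a bare hex string"
R_TEMP_PROCESS = "process runs from a TEMP directory"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_o4(line):
    """Return the reasons an O4 line deserves a look (empty list = nothing seen)."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    if HEX_NAME_RE.match(m.group("name")):
        reasons.append(R_HEX_NAME)
    r = RUNDLL_RE.match(m.group("cmd"))
    if r and "\\system32\\" in r.group("dll").lower() and len(r.group("export")) == 1:
        reasons.append(R_SINGLE_EXPORT)
    return reasons


def check_process(line):
    """Return reasons for a 'Running processes' path (empty list = nothing seen)."""
    if PROCESS_RE.match(line) and TEMP_DIR_RE.search(line):
        return [R_TEMP_PROCESS]
    return []


def triage(log_text):
    """Walk a log and return one Finding per line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_o4(line) + check_process(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: a few lines in the format of the log above, mixing the
# entries the thread is about with benign ones (NvCplDaemon, CTFMON) for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\FZ6B37.EXE
C:\WINDOWS\system32\rundll32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6457fb8f] rundll32.exe "C:\WINDOWS\system32\dsdjxnyx.dll",b
O4 - HKLM\..\Run: [BM6764c813] Rundll32.exe "C:\WINDOWS\system32\boynetip.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("    ->", reason)
```

Run on the sample, the script flags the TEMP executable and the two hex-named rundll32 entries and leaves the QuickTime, NvCplDaemon and CTFMON lines alone; the rundll32 rule keys on the export name and the system32 location rather than on rundll32 itself, because rundll32 is a normal host for legitimate autoruns.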



#2
RatHat
    Ex Malware Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Combofix.txt
  • The contents of Kaspersky.txt
  • The contents of DSS main.txt
  • The contents of DSS extra.txt
Note: You may need to split these into two posts.

Regards,
RatHat

#3
englischdude
    Member
  • Topic Starter
  • 10 posts
Hi RatHat,

thank you so much for your assistance. I will post the results of the scans this evening and look forward to receiving your feedback.

with kind regards
englischdude

#4
englischdude
    Member
  • Topic Starter
  • 10 posts
Dear RatHat,

Wow, this is taking a while, so I will post the results of ComboFix now and the rest when it is finished. Just for info, I have run ComboFix and I notice a difference: the Trend virus scan seems to be much more stable now, not kicking in to remove malware every 5 minutes. Anyway, here are the ComboFix results; the rest I will post tomorrow:

ComboFix 08-04-12.7 - m.jones 2008-04-14 15:11:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.649 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\m.jones\Desktop\ComboFix.exe
* new recovery point generated

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programme\autorun.inf
C:\WINDOWS\BM6764c813.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apafoldq.dll
C:\WINDOWS\system32\cdypdhqn.ini
C:\WINDOWS\system32\jvlwjuya.dll
C:\WINDOWS\system32\mljghhi.dll
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\qdlofapa.ini
C:\WINDOWS\system32\ucwyhkea.dll
C:\WINDOWS\system32\unsqpqdo.dll
C:\WINDOWS\system32\vxrrxgvo.dll
C:\WINDOWS\system32\xynxjdsd.ini

.
((((((((((((((((((((((( Files generated from 2008-03-14 bis 2008-04-14 ))))))))))))))))))))))))))))))
.

2008-04-14 08:02 . 2008-04-14 13:43 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-14 07:46 . 2008-04-14 07:46 3,648 --a------ C:\WINDOWS\system32\tqndxiui.dll
2008-04-12 21:59 . 2008-04-12 21:59 3,648 --a------ C:\WINDOWS\system32\fogpmwub.dll
2008-04-11 08:13 . 2008-04-11 08:13 3,648 --a------ C:\WINDOWS\system32\drhunmhf.dll
2008-04-11 07:28 . 2008-04-11 07:28 23,564 --a------ C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
2008-04-10 15:29 . 2008-04-10 18:09 <DIR> d-------- C:\Programme\Unlocker
2008-04-10 15:29 . 2008-04-10 15:29 <DIR> d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Desktopicon
2008-04-10 07:52 . 2008-04-10 07:52 3,648 --a------ C:\WINDOWS\system32\pagcxdbw.dll
2008-04-08 16:19 . 2008-04-10 18:09 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-04-08 16:19 . 2008-04-10 18:05 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-03-27 12:10 . 2008-03-27 12:10 673 --a------ C:\WINDOWS\system32\gebcd.dll
2008-03-27 11:10 . 2008-03-27 11:10 673 --a------ C:\WINDOWS\system32\jkhhg.dll
2008-03-27 10:08 . 2008-03-27 10:08 <DIR> d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\TuneUp Software
2008-03-27 08:40 . 2008-03-27 08:40 673 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-26 16:24 . 2008-03-26 16:24 673 --a------ C:\WINDOWS\system32\sstqn.dll
2008-03-26 09:24 . 2008-03-26 09:24 673 --a------ C:\WINDOWS\system32\mljjh.dll
2008-03-24 20:30 . 2008-03-24 20:30 <DIR> d-a------ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-03-22 17:32 . 2007-06-27 08:10 107,840 -ra------ C:\WINDOWS\system32\FTLang.dll
2008-03-22 17:32 . 2007-06-27 08:04 71,488 -ra------ C:\WINDOWS\system32\drivers\ftser2k.sys
2008-03-22 17:32 . 2007-06-27 08:06 47,432 -ra------ C:\WINDOWS\system32\ftserui2.dll
2008-03-22 17:31 . 2007-06-27 08:10 202,048 -ra------ C:\WINDOWS\system32\ftd2xx.dll
2008-03-22 17:31 . 2007-06-27 08:10 111,936 -ra------ C:\WINDOWS\system32\ftbusui.dll
2008-03-22 17:31 . 2007-06-27 08:05 53,184 -ra------ C:\WINDOWS\system32\drivers\ftdibus.sys
2008-03-21 17:56 . 2008-03-26 21:49 <DIR> d-------- C:\Downloads
2008-03-21 15:47 . 2008-04-01 16:57 10 --a------ C:\WINDOWS\popcinfo.dat
2008-03-21 15:42 . 2008-03-21 15:42 <DIR> d-------- C:\Programme\PopCap Games
2008-03-21 15:42 . 2008-03-21 15:41 724,992 --a------ C:\WINDOWS\iun6002.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 13:03 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Skype
2008-04-14 13:03 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Alcatel PIMphony
2008-04-14 06:48 --------- d-----w C:\Programme\Java
2008-04-14 06:05 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\skypePM
2008-04-13 08:30 --------- d-----w C:\Programme\Trend Micro
2008-04-11 08:01 --------- d-----w C:\Dokumente und Einstellungen\Administrator.DREXEL-WEISS\Anwendungsdaten\Alcatel PIMphony
2008-04-11 05:28 23,564 ----a-w C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
2008-03-27 18:07 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-03-27 09:08 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-03-27 08:23 --------- d-----w C:\Programme\Microsoft SQL Server
2008-03-27 08:20 --------- d-----w C:\Programme\Microsoft.NET
2008-03-06 12:09 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\MyPhoneExplorer
2008-03-05 16:55 --------- d-----w C:\Programme\MSECache
2008-03-04 16:04 --------- d-----w C:\Programme\ACT
2008-02-19 16:41 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\ACT
2008-02-19 16:41 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ACT
2008-02-19 16:33 --------- d-----w C:\Programme\IE6
2008-02-19 16:33 --------- d-----w C:\Programme\Guide
2008-02-19 16:33 --------- d-----w C:\Programme\Dependencies
2008-02-19 16:33 --------- d-----w C:\Programme\bin
2008-02-19 16:33 --------- d-----w C:\Programme\ACTSTD
2008-02-19 16:32 --------- d-----w C:\Programme\ACT Link for Pocket PC
2008-02-19 16:32 --------- d-----w C:\Programme\ACT Link for Palm OS
2008-02-19 16:32 --------- d-----w C:\Programme\Acrobat
2008-02-18 07:58 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-02-18 07:57 --------- d-----w C:\Programme\Lavasoft
2008-02-15 11:42 --------- d-----w C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\U3
2007-12-05 08:23 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-01-25 12:46 14,239 ----a-w C:\Programme\readme.txt
2006-11-09 11:18 93 ----a-w C:\Programme\Setup.ini
2006-06-13 16:29 25,214 ----a-w C:\Programme\act.ico
2004-10-21 14:38 126,976 ----a-w C:\Programme\Setup.exe
2004-01-27 22:19 14,336 ----a-w C:\Programme\Autoplay.exe
.

(((((((((((((((((((((((((((( Autostart point of the registry ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries and legitime Standard entries will not be shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 00:16 401491]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 06:34 16143872 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 09:03 761946]
"PSUtility"="C:\AddOn\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 11:57 118784]
"LoadFUJ02E3"="C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-04-20 13:08 73728]
"IndicatorUtility"="C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 00:12 81920]
"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 14:21 353792]
"LoadBtnHnd"="C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 14:20 61440]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 89541 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programme\ltmoh\Ltmoh.exe" [2005-05-18 15:57 188416]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 12:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 12:10 94208]
"IAAnotif"="C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30 139264]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 13:08 20480]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06 114688]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57 344064]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" [ ]
"OfficeScanNT Monitor"="C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-04-27 02:41 399048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghhi]
mljghhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
PSUWNP.dll 2006-06-02 17:04 32768 C:\WINDOWS\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\fserver01\deployHosts\deployHosts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Alcatel_PIMphony\\aocwiz.exe"=
"C:\\Programme\\Alcatel_PIMphony\\uaproc.exe"=
"%windir%\\system32\\abers.exe"=
"C:\\Programme\\Alcatel_PIMphony\\appdiag\\appdiag.exe"=
"C:\\Programme\\Alcatel_PIMphony\\aocphone.exe"=
"C:\\Programme\\CSOnlineView3\\ovwrpt3.exe"=
"C:\\Programme\\CSOnlineView3\\ovwinetd.exe"=
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Programme\\Microsoft ActiveSync\\WcesMgr.exe"=
"C:\\Programme\\Fortinet\\FortiClient\\ipsec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 Fortigen;Fortigen;C:\WINDOWS\system32\drivers\fortigen.sys [2007-06-21 13:19]
R1 FortiPFW;FortiPFW;C:\WINDOWS\system32\drivers\FortiPFW.sys [2007-06-21 13:19]
R2 Fortips;Fortips;C:\WINDOWS\system32\drivers\fortips.sys [2007-06-21 13:19]
R2 FortiRdr;FortiRdr;C:\WINDOWS\system32\drivers\FortiRdr.sys [2007-06-21 13:20]
R3 Fortidrv2;FortiNet Fortidrv Service;C:\WINDOWS\system32\DRIVERS\fortidrv.sys [2007-11-09 12:22]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;C:\WINDOWS\system32\DRIVERS\FUJ02E3.sys [2004-01-17 12:15]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 09:11]
R3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 10:51]
R3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 10:51]
R3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 10:51]
R3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s816mgmt.sys [2007-06-19 10:51]
R3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\WINDOWS\system32\DRIVERS\s816nd5.sys [2007-06-19 10:51]
R3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s816obex.sys [2007-06-19 10:51]
R3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\WINDOWS\system32\DRIVERS\s816unic.sys [2007-06-19 10:51]
S3 ft_vnic;Fortinet network virtual adapter;C:\WINDOWS\system32\DRIVERS\ftvnic.sys [2007-11-09 12:22]
S3 PPortJoystick;Parallel Port Joystick device driver;C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 09:11]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-01-19 11:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ad3d14-d479-11dc-a7f5-00c0a8ebe014}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 15:22:27
Windows 5.1.2600 Service Pack 2 NTFS

Scan hidden processes...

Scan hidden autostart entries...

Scan hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\Programme\Trend Micro\OfficeScan Client\TmListen.exe
C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Temp\AV4C92.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\Programme\CSOnlineView3\ovwinetd.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-04-14 15:25:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 13:24:49
16 Verzeichnis(se), 62,133,858,304 Bytes frei
19 Verzeichnis(se), 61,800,976,384 Bytes frei
.
2008-04-14 13:17:26 --- E O F ---

#5
englischdude
    Member
  • Topic Starter
  • 10 posts
Hi RatHat,

here are the results of the Kaspersky and DSS scans. Please note that for these 2 I had the local realtime virus scanner running. I can't shut this down without an administrator password, which I don't have. I did however have the realtime virus scanner shut down for the ComboFix scan:

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 5:20:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 703811
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
U:\

Scan Statistics:
Total number of scanned objects: 57064
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:20:45

Infected Object Name / Virus Name / Last Action
C:\Data\ACT\Datenbank\duw.adb Object is locked skipped
C:\Data\ACT\Datenbank\duw.adx Object is locked skipped
C:\Data\ACT\Datenbank\duw.blb Object is locked skipped
C:\Data\ACT\Datenbank\duw.dbf Object is locked skipped
C:\Data\ACT\Datenbank\duw.ddb Object is locked skipped
C:\Data\ACT\Datenbank\duw.ddx Object is locked skipped
C:\Data\ACT\Datenbank\duw.edb Object is locked skipped
C:\Data\ACT\Datenbank\duw.edx Object is locked skipped
C:\Data\ACT\Datenbank\duw.gdb Object is locked skipped
C:\Data\ACT\Datenbank\duw.gdx Object is locked skipped
C:\Data\ACT\Datenbank\duw.hdb Object is locked skipped
C:\Data\ACT\Datenbank\duw.hdx Object is locked skipped
C:\Data\ACT\Datenbank\duw.lck Object is locked skipped
C:\Data\ACT\Datenbank\duw.mdx Object is locked skipped
C:\Data\ACT\Datenbank\duw.rel Object is locked skipped
C:\Data\ACT\Datenbank\duw.rex Object is locked skipped
C:\Data\ACT\Datenbank\duw.sdb Object is locked skipped
C:\Data\ACT\Datenbank\duw.sdx Object is locked skipped
C:\Data\ACT\Datenbank\duw.tdb Object is locked skipped
C:\Data\ACT\Datenbank\duw.tdx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Address Book\m_jones.wab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Address Book\m_jones.wab~ Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Internet Explorer Browser starten.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Nero StartSmart Essentials.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\m.jones@live[1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\m.jones@msn[1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][2].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Desktop\Arbeitsplatz.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Desktop\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Bilder\Beispielbilder.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Bilder\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Musik\Beispielmusik.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Musik\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Kostenlose Hotmail.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Links anpassen.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Windows Media.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Windows.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\MSN.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Radiostationsübersicht.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\bl.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\crawlercfg.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\idx\segments Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\is2.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\SID.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\SII.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\ngen.exe.2c05686e.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL141.tmp.c0063f75.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL2E8.tmp.b026640c.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL87.tmp.e5b93eca.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\IconCache.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Postausgang.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Posteingang.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\10.0\WMSDKNS.DTD Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\10.0\WMSDKNS.XML Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\26f4b.mst Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Arabic.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Czech.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Danish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Dutch.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\English.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Finnish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\French.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\German.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Greek.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Hebrew.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Hungarian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Italian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Japanese.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Korean.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Microsoft Office 2003 Setup(0001).txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Norwegian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\nro.log\log\nps.log.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\nro.log\log\nsi.nrd.log.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\offcln11.log Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Polish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Portuguese(Brazil).bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Portuguese.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Russian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\SimChin.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Spanish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\SWEDISH.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Thai.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\TradChin.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Turkish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\11[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\3C26D3885A70356B1B4D6BDE299F71[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\4E12B1B5B54669B89D49EF678E87FA[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\528E19AA57C59BD28F9241C1469F1[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\BA9D43AA1D26928512E51F6A029A5[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\banner35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\banner35[2].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\bg_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\bk_left[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\blank[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\CATMPE9F.HTM Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\ClientInstall[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\curv_left_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\dot[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\EF5DE58896B6616AC5313FAF96B8D[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\hpble[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\hptg[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\localization[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\localization[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\login-button_bk[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\msft[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\ofsn6Cs[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\RemoveCtrl[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\search[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\setup[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\SMB[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\WinNT[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\1376[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\1space[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\4A34571BABDD51E147C29479E8EF6[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\6CDE404B4BFEC334D023E5422081E0[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\A5D1F07A9CBF3F122189B88A5DA3B0[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\A61BD2452D6D9A32C7FCF6D1DDEA23[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\acType[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\bk_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\bullet_01[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\buttons2[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\CD4D53271DD3D4DE517AE4AB69D6[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\curv_left_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\de_msn_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\dotline[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\login-button_right[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\ovr18[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\px[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\ServerIni[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\setupini[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\s_code[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-logo35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-style[1].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-style[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\video[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\WinNTChk[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\WL_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\0000000001_000000000000000121358[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\73EA3A497EB807310219A1C4D1E9E[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\8BE3AE3E63D7AC1E9A84572CB6BA7[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\9477A9F6CBE9465BBC30A4E1E22F3A[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\95F45C2A26812D15AE792CFEDDACBB[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\A3FA72F9A39D5A75DDF15D7E178E[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\banner_bk35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\blu[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\bullet[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\C895D8A1F5A99B2D7C4EBA1FA2710[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\CAG16XY5.HTM Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\curv_right_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\curv_right_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\dotline35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\FDCAAC85D66BE7CB4D71155977E9CC[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ieminwidth[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\install[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\msnbf[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\NTSetup2[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ofsn6Cm[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\rss[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\Special_diana_300x250[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\trend-logo35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ushp[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\whichplatform[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\0000001781_000000000000000415985[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\1822A65793E41576B590E5B84EA8F0[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\26B1449C6E023D0EE4353A37EF856[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\312070BCE01CB4C36B8984D6858B1[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\32[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\39[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\4C35DB47D6F79564B4FDAC09BEFFA[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\6F571C1B7A9A5E11D8627F8F993424[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\7F53998CC48A5D9AAFC5AA14A4467[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\banner_bk35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bk_right[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bk_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\Bullet[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bullet_02[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\C9528431989CDA8D7DB23478337FF[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\client[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\dap[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\glow_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\ie1[1].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\login-button_left[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\NTSetup1[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\NTSetup3[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\officescannt[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\ofsn6[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\pattern[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\pipe[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007082320070824\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Recent\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\Desktop (Verknüpfung erstellen).DeskLink Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\E-Mail-Empfänger.MAPIMail Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\Eigene Dateien.mydocs Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\ZIP-komprimierten Ordner.ZFSendToTarget Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Internet Explorer.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Outlook Express.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Autostart\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Adressbuch.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Editor.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabeaufforderung.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Bildschirmlupe.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Bildschirmtastatur.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Hilfsprogramm-Manager.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Programmkompatibilitäts-Assistent.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Synchronisieren.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Unterhaltungsmedien\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Unterhaltungsmedien\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Windows XP-Tour.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Windows-Explorer.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Remoteunterstützung.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\amipro.sam Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\excel.xls Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\excel4.xls Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\lotus.wk4 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\powerpnt.ppt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\presenta.shw Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\quattro.wb2 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\sndrec.wav Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\winword.doc Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\winword2.doc Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\wordpfct.wpd Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\wordpfct.wpg Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Microsoft\Outlook\Outlook~1.srs Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Microsoft\Vorlagen\Normal.dot Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe Infected: not-virus:Hoax.Win32.Renos.bfa skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\outlook.ost Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temp\ExchangePerflog_8484fa31f8947ca1cfcccd43.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temp\~DF5BFC.tmp Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temp\~DFC75F.tmp Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Fortinet\FortiClient\fwapp.db Object is locked skipped
C:\Programme\Fortinet\FortiClient\logs\FC_DBLog.ldb Object is locked skipped
C:\Programme\Fortinet\FortiClient\logs\FC_DBLog.mdb Object is locked skipped
C:\Programme\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.ilg Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljghhi.dll.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018892.exe Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kto skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iwa skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018895.exe Infected: Trojan-Downloader.Win32.Small.iwa skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP151\A0023361.dll Object is locked skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP152\change.log Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4B75988E-9A82-4330-9785-356B7E89B25D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drhunmhf.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\fogpmwub.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pagcxdbw.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\tqndxiui.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\CTT1.tmp Object is locked skipped
C:\WINDOWS\Temp\JET4C4B.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6
englischdude

    Member

  • Topic Starter
  • 10 posts
Deckard's Main Scan:

Deckard's System Scanner v20071014.68
Run by m.jones on 2008-04-14 17:22:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2008-04-14 15:22:57 UTC - RP153 - Deckard's System Scanner Restore Point
51: 2008-04-14 13:15:17 UTC - RP152 - Software Distribution Service 3.0
50: 2008-04-14 13:11:07 UTC - RP151 - ComboFix created restore point
49: 2008-04-14 06:44:27 UTC - RP150 - Java™ 6 Update 5 wird installiert
48: 2008-04-11 06:11:50 UTC - RP149 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-27 11:10:28 UTC - RP102 - Systemprüfpunkt


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as m.jones.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23, on 2008-04-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\UL2507.EXE
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\CSOnlineView3\ovwinetd.exe
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Dokumente und Einstellungen\m.jones\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\m.jones.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drexel-weiss.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programme\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PIMphony.lnk = ?
O4 - Global Startup: ovwinetd.lnk = C:\Programme\CSOnlineView3\ovwinetd.exe
O4 - Global Startup: PIMphony.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://fserver01.dr...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://fserver01.dr...stall/setup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://fserver01.dr.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O17 - HKLM\Software\..\Telephony: DomainName = drexel-weiss.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mljghhi - mljghhi.dll (file missing)
O20 - Winlogon Notify: PSUTY - C:\WINDOWS\SYSTEM32\PSUWNP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8996 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R2 BtnHnd - c:\programme\fujitsu\btnhnd\btnhnd.sys <Not Verified; FUJITSU LIMITED; Button handler>
R2 TM_CFW (Common Firewall Driver) - c:\programme\trend micro\officescan client\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 PPJoyBus (Parallel Port Joystick Bus device driver) - c:\windows\system32\drivers\ppjoybus.sys <Not Verified; Deon van der Westhuysen; Parallel Port Joystick Bus Enumerator>

S3 catchme - c:\dokume~1\m472d~1.jon\lokale~1\temp\catchme.sys (file missing)
S3 PPortJoystick (Parallel Port Joystick device driver) - c:\windows\system32\drivers\pportjoy.sys <Not Verified; Deon van der Westhuysen; Parallel Port Joystick Driver>
S3 SNP2STD (USB2.0 PC Camera (SNP2STD)) - c:\windows\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>
S3 vsbus (Virtual Serial Bus Enumerator) - c:\windows\system32\drivers\vsb.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Bus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FA_Scheduler (Fortinet Service Scheduler) - c:\programme\fortinet\forticlient\scheduler.exe <Not Verified; Fortinet Inc.; FortiClient Scheduler>
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\programme\trend micro\officescan client\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Fortinet virtual adapter
Device ID: ROOT\NET\0000
Manufacturer: Fortinet
Name: Fortinet virtual adapter
PNP Device ID: ROOT\NET\0000
Service: ft_vnic


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 17:22:30 0 d-------- U:\Deckard
2008-04-14 15:37:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 15:37:44 0 d-------- C:\WINDOWS\LastGood
2008-04-14 15:10:31 68096 --a------ C:\WINDOWS\zip.exe
2008-04-14 15:10:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-14 15:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-14 15:10:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-14 15:10:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-14 15:10:31 98816 --a------ C:\WINDOWS\sed.exe
2008-04-14 15:10:31 80412 --a------ C:\WINDOWS\grep.exe
2008-04-14 15:10:31 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 08:02:42 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-14 07:46:15 3648 --a------ C:\WINDOWS\system32\tqndxiui.dll
2008-04-12 21:59:17 3648 --a------ C:\WINDOWS\system32\fogpmwub.dll
2008-04-11 08:13:05 3648 --a------ C:\WINDOWS\system32\drhunmhf.dll
2008-04-11 07:28:09 23564 --a------ C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
2008-04-10 07:52:42 3648 --a------ C:\WINDOWS\system32\pagcxdbw.dll
2008-03-27 12:10:13 673 --a------ C:\WINDOWS\system32\gebcd.dll
2008-03-27 12:03:35 0 d-------- U:\Misc
2008-03-27 11:10:08 673 --a------ C:\WINDOWS\system32\jkhhg.dll
2008-03-27 09:42:28 0 d-------- C:\WINDOWS\pss
2008-03-27 08:40:31 673 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-26 16:24:01 673 --a------ C:\WINDOWS\system32\sstqn.dll
2008-03-26 09:24:18 673 --a------ C:\WINDOWS\system32\mljjh.dll
2008-03-21 15:47:48 10 --a------ C:\WINDOWS\popcinfo.dat
2008-03-21 15:42:47 0 d-------- C:\Programme\PopCap Games
2008-03-21 15:42:29 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Find3M Report ---------------------------------------------------------------

2008-04-14 15:38:06 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Skype
2008-04-14 15:38:06 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Alcatel PIMphony
2008-04-14 15:17:08 425692 --a------ C:\WINDOWS\system32\perfh007.dat
2008-04-14 15:17:08 78320 --a------ C:\WINDOWS\system32\perfc007.dat
2008-04-14 08:48:02 0 d-------- C:\Programme\Java
2008-04-14 08:05:20 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\skypePM
2008-04-13 10:30:13 0 d-------- C:\Programme\Trend Micro
2008-04-11 08:15:04 0 d-------- C:\Programme\Gemeinsame Dateien
2008-04-10 15:29:44 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Desktopicon
2008-03-27 20:07:54 0 d--h----- C:\Programme\InstallShield Installation Information
2008-03-27 11:08:03 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-03-27 10:23:52 0 d-------- C:\Programme\Microsoft SQL Server
2008-03-27 10:20:14 0 d-------- C:\Programme\Microsoft.NET
2008-03-27 10:08:14 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\TuneUp Software
2008-03-27 09:33:23 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Adobe
2008-03-10 12:06:45 1994 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-10 12:06:45 88 -r-hs---- C:\WINDOWS\system32\BE1587375B.sys
2008-03-06 14:09:28 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\MyPhoneExplorer
2008-03-05 18:55:13 0 d-------- C:\Programme\MSECache
2008-03-04 18:04:57 0 d-------- C:\Programme\ACT
2008-02-19 18:41:33 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\ACT
2008-02-19 18:33:39 0 d-------- C:\Programme\IE6
2008-02-19 18:33:38 0 d-------- C:\Programme\Guide
2008-02-19 18:33:38 0 d-------- C:\Programme\Dependencies
2008-02-19 18:33:23 0 d-------- C:\Programme\bin
2008-02-19 18:33:22 0 d-------- C:\Programme\ACTSTD
2008-02-19 18:32:41 0 d-------- C:\Programme\ACT Link for Pocket PC
2008-02-19 18:32:37 0 d-------- C:\Programme\ACT Link for Palm OS
2008-02-19 18:32:32 0 d-------- C:\Programme\Acrobat
2008-02-18 09:57:45 0 d-------- C:\Programme\Lavasoft
2008-02-15 13:42:40 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 06:34 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 09:03]
"PSUtility"="C:\AddOn\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 11:57]
"LoadFUJ02E3"="C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-04-20 13:08]
"IndicatorUtility"="C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 00:12]
"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 14:21]
"LoadBtnHnd"="C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 14:20]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programme\ltmoh\Ltmoh.exe" [2005-05-18 15:57]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 12:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 12:10]
"IAAnotif"="C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 06:24]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 13:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" []
"OfficeScanNT Monitor"="C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-04-27 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 00:16]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2008-02-01 18:22]

C:\Dokumente und Einstellungen\m.jones\Startmenü\Programme\Autostart\
PIMphony.lnk - C:\Programme\Alcatel_PIMphony\aocphone.exe [2007-05-16 09:11:24]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
ovwinetd.lnk - C:\Programme\CSOnlineView3\ovwinetd.exe [2007-08-27 08:23:46]
PIMphony.lnk - C:\WINDOWS\Installer\{831ADA8C-C73B-4915-AF8D-83D22BD58AA8}\aocphone.exe_831ADA8CC73B4915AF8D83D22BD58AA8.exe [2007-08-27 08:31:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghhi]
mljghhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
PSUWNP.dll 2006-06-02 17:04 32768 C:\WINDOWS\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\fserver01\deployHosts\deployHosts.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ad3d14-d479-11dc-a7f5-00c0a8ebe014}]
AutoRun\command- E:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

192.168.69.1 fserver01.drexel-weiss.local
192.168.69.6 lindrex.drexel-weiss.local


-- End of Deckard's System Scanner: finished at 2008-04-14 17:24:19 ------------

And Deckard's Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: German

CPU 0: Intel® Core™2 CPU T5600 @ 1.83GHz
CPU 1: Intel® Core™2 CPU T5600 @ 1.83GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1013.92 MiB / 380.23 MiB
Pagefile Memory (total/avail): 2440.13 MiB / 1974.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.79 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 58.54 GiB free.
D: is CDROM (No Media)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST980811AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installierbares Dateisystem - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Trend Micro Client-Server Security Agent Firewall v7.6.1143 (TrendFirewall) Disabled
FW: FortiClient Personal Firewall v3.0.457.0 (Fortinet Inc.) Disabled
AV: Trend Micro Client/Server Security Agent Virenschutz v7.6.1143 (TrendAntiVirus)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Alcatel_PIMphony\\aocwiz.exe"="C:\\Programme\\Alcatel_PIMphony\\aocwiz.exe:*:enabled:Alcatel PIMphony (aocwiz.exe)"
"C:\\Programme\\Alcatel_PIMphony\\aoconfig.exe"="C:\\Programme\\Alcatel_PIMphony\\aoconfig.exe:*:enabled:Alcatel PIMphony (aoconfig.exe)"
"C:\\Programme\\Alcatel_PIMphony\\uaproc.exe"="C:\\Programme\\Alcatel_PIMphony\\uaproc.exe:*:enabled:Alcatel PIMphony (uaproc.exe)"
"%windir%\\system32\\abers.exe"="%windir%\\system32\\abers.exe:*:enabled:Alcatel PIMphony (abers.exe)"
"C:\\Programme\\Alcatel_PIMphony\\appdiag\\appdiag.exe"="C:\\Programme\\Alcatel_PIMphony\\appdiag\\appdiag.exe:*:enabled:Alcatel PIMphony (appdiag.exe)"
"C:\\Programme\\Alcatel_PIMphony\\aocphone.exe"="C:\\Programme\\Alcatel_PIMphony\\aocphone.exe:*:enabled:Alcatel PIMphony (aocphone.exe)"
"C:\\Programme\\Bonjour\\mDNSResponder.exe"="C:\\Programme\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Programme\\Fortinet\\FortiClient\\FortiProxy.exe"="C:\\Programme\\Fortinet\\FortiClient\\FortiProxy.exe:*:Enabled:FortiProxy"
"C:\\Programme\\Fortinet\\FortiClient\\FCMgr.exe"="C:\\Programme\\Fortinet\\FortiClient\\FCMgr.exe:*:Enabled:FortiClientManager"
"C:\\Programme\\Fortinet\\FortiClient\\ipsec.exe"="C:\\Programme\\Fortinet\\FortiClient\\ipsec.exe:*:Enabled:FortiClient VPN Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Alcatel_PIMphony\\aocwiz.exe"="C:\\Programme\\Alcatel_PIMphony\\aocwiz.exe:*:enabled:Alcatel PIMphony (aocwiz.exe)"
"C:\\Programme\\Alcatel_PIMphony\\uaproc.exe"="C:\\Programme\\Alcatel_PIMphony\\uaproc.exe:*:enabled:Alcatel PIMphony (uaproc.exe)"
"%windir%\\system32\\abers.exe"="%windir%\\system32\\abers.exe:*:enabled:Alcatel PIMphony (abers.exe)"
"C:\\Programme\\Alcatel_PIMphony\\appdiag\\appdiag.exe"="C:\\Programme\\Alcatel_PIMphony\\appdiag\\appdiag.exe:*:enabled:Alcatel PIMphony (appdiag.exe)"
"C:\\Programme\\Alcatel_PIMphony\\aocphone.exe"="C:\\Programme\\Alcatel_PIMphony\\aocphone.exe:*:enabled:Alcatel PIMphony (aocphone.exe)"
"C:\\Programme\\CSOnlineView3\\ovwrpt3.exe"="C:\\Programme\\CSOnlineView3\\ovwrpt3.exe:*:Enabled:CS OnlineView Reporter"
"C:\\Programme\\CSOnlineView3\\ovwinetd.exe"="C:\\Programme\\CSOnlineView3\\ovwinetd.exe:*:Enabled:TCP-IP Druckserver für Windows"
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Programme\\Microsoft ActiveSync\\WcesMgr.exe"="C:\\Programme\\Microsoft ActiveSync\\WcesMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Programme\\Fortinet\\FortiClient\\ipsec.exe"="C:\\Programme\\Fortinet\\FortiClient\\ipsec.exe:*:Enabled:FortiClient VPN Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Dokumente und Einstellungen\All Users
APPDATA=C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten
CLASSPATH=.;C:\Programme\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Programme\Gemeinsame Dateien
COMPUTERNAME=NBMARKTENTWKLG
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\fserver01\userhome$\m.jones
LOGONSERVER=\\FSERVER01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programme\QuickTime\QTSystem;C:\Programme\Gemeinsame Dateien\GIS\Tools;C:\Programme\Gemeinsame Dateien\Autodesk Shared;C:\Programme\Gemeinsame Dateien\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Programme
PROMPT=$P$G
QTJAVA=C:\Programme\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOKUME~1\M472D~1.JON\LOKALE~1\Temp
TMP=C:\DOKUME~1\M472D~1.JON\LOKALE~1\Temp
USERDNSDOMAIN=DREXEL-WEISS.LOCAL
USERDOMAIN=DREXEL-WEISS
USERNAME=m.jones
USERPROFILE=C:\Dokumente und Einstellungen\m.jones
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

c.drexel (new local, net ready)
m.jones (admin)
Administrator.DREXEL-WEISS (admin)
Christof Drexel (admin)
(new local)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUn0407.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8}
--> MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee --> C:\PROGRA~1\ACDSYS~1\ACDSee\UNWISE.EXE C:\PROGRA~1\ACDSYS~1\ACDSee\INSTALL.LOG
ACT! --> C:\WINDOWS\IsUninstAct.exe -f"C:\Programme\ACT\Uninst6.isu" -c"C:\Programme\ACT\UNINSTAL.DLL"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Programme\Gemeinsame Dateien\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Programme\Gemeinsame Dateien\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems HDA Modem --> agrsmdel
Alcatel PIMphony 6.2.1620 --> MsiExec.exe /I{831ADA8C-C73B-4915-AF8D-83D22BD58AA8}
Alcatel TAPI Server 6.2.1620 --> MsiExec.exe /X{E2A165F5-936F-4C05-A1EE-0D1A62851110}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
ClearView --> MsiExec.exe /I{5C6B94E5-01FB-4BED-A285-0E82CEE27627}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CS OnlineView 3 --> C:\WINDOWS\unin0407.exe -fC:\Programme\CSOnlineView3\DeIsL1.isu -cC:\Programme\CSOnlineView3\_ISREG32.DLL
Ernst Englisch 08.2002 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2508D980-B59F-11D6-8333-00C04F43E392}\setup.exe" -uninst
FortiClient --> MsiExec.exe /I{C2FAE67B-9C91-4C88-91C6-37E4D5F50FE9}
FreePDF XP (Remove only) --> C:\Programme\FreePDF_XP\fpsetup.exe /r
Fujitsu Hotkey Utility --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{792FBB04-5C13-47A1-9CD5-369A52BD47AA}\setup.exe"
Fujitsu System Extension Utility --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{12FDAA4D-A9DF-4057-A420-A056E36B4610}\setup.exe"
GPL Ghostscript 8.60 --> C:\Programme\gs\uninstgs.exe "C:\Programme\gs\gs8.60\uninstal.txt"
GPL Ghostscript Fonts --> C:\Programme\gs\uninstgs.exe "C:\Programme\gs\fonts\uninstal.txt"
HijackThis 2.0.2 --> "C:\Programme\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB921337) --> "C:\WINDOWS\$NtUninstallKB921337$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB923232) --> "C:\WINDOWS\$NtUninstallKB923232$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448) --> "C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\Setup.exe" -l0407 -INTELUNINST
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lifebook Application Panel --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{271274D2-92C6-4EEC-A0AD-9DA5272AD5C9}\setup.exe"
Marco Polo Mobile Navigator 2 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{5F65ECEE-EB1D-4C85-8D8C-9C7CE2DBB1D6}\SETUP.EXE" -uninst
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUN0407.EXE" -f"C:\Programme\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Programme\Microsoft ActiveSync\ceuninst.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0407-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
Mozilla Firefox (2.0.0.12) --> C:\Programme\Mozilla Firefox\uninstall\helper.exe
MyPhoneExplorer --> C:\Programme\MyPhoneExplorer\uninstall.exe
Nero OEM --> C:\Programme\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL
NeroVision Express --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Power Saving Utility --> C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{79821CAD-999C-443D-B420-96F914C84E27}
PowerDVD --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RedMon - Redirection Port Monitor --> C:\WINDOWS\system32\unredmon.exe
Security Update for Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725) -->
Security Update for Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344) -->
Security Update for Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899) -->
Security Update for Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496) -->
Security Update for Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Programme\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Trend Micro Client/Server Security Agent --> "C:\Programme\Trend Micro\OfficeScan Client\ntrmv.exe"
UltimateZip 2.7 --> "C:\Programme\UltimateZip 2.7\unins000.exe"
Update for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
USB2.0 PC Camera (SN9C201&202) --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\Setup.exe" -l0x9
Volo View Express --> MsiExec.exe /I{1ECD6EC8-7BB2-4CD5-A384-BAA371BC4D21}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type93 / Error
Event Submitted/Written: 04/14/2008 05:17:54 PM
Event ID/Source: 1030 / Userenv
Event Description:
Querying the list of Group Policy objects failed. An error message of this kind was previously logged by the policy engine.

Event Record #/Type92 / Error
Event Submitted/Written: 04/14/2008 04:09:31 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OUTLOOK.EXE, version 11.0.8169.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type91 / Error
Event Submitted/Written: 04/14/2008 03:28:51 PM
Event ID/Source: 1030 / Userenv
Event Description:
Querying the list of Group Policy objects failed. An error message of this kind was previously logged by the policy engine.

Event Record #/Type87 / Error
Event Submitted/Written: 04/14/2008 03:22:03 PM
Event ID/Source: 1054 / Userenv
Event Description:
The domain controller name for the computer's network could not be determined. (The specified domain either does not exist or could not be contacted.) Group Policy processing was aborted.

Event Record #/Type86 / Error
Event Submitted/Written: 04/14/2008 03:21:15 PM
Event ID/Source: 1101 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Failed to compile: Act.Data, Version=9.0.557.0, Culture=neutral, PublicKeyToken=ebf6b2ff4d0a08aa, processorArchitecture=MSIL . Error code = 0x80070002



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type361 / Warning
Event Submitted/Written: 04/14/2008 05:17:54 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The security system could not establish a secure connection with the server ldap/fserver01.drexel-weiss.local/[email protected]. No authentication protocol was available.

Event Record #/Type348 / Warning
Event Submitted/Written: 04/14/2008 03:28:51 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The security system could not establish a secure connection with the server ldap/fserver01.drexel-weiss.local/[email protected]. No authentication protocol was available.

Event Record #/Type344 / Warning
Event Submitted/Written: 04/14/2008 03:28:19 PM
Event ID/Source: 1003 / Dhcp
Event Description:
The computer could not renew the network address assigned by the DHCP server for the
network card with network address 00174242BF08. The
following error occurred:
%%1223.
It will keep trying in the background to obtain an address from the
network address server (DHCP).

Event Record #/Type296 / Error
Event Submitted/Written: 04/14/2008 03:13:52 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No domain controller is available for domain DREXEL-WEISS for the following
reason:
%%1311.

Make sure that the computer is connected to the network and
try again. Contact your domain administrator if
the problem persists.

Event Record #/Type295 / Warning
Event Submitted/Written: 04/14/2008 03:13:47 PM
Event ID/Source: 1003 / Dhcp
Event Description:
The computer could not renew the network address assigned by the DHCP server for the
network card with network address 00174242BF08. The
following error occurred:
%%1223.
It will keep trying in the background to obtain an address from the
network address server (DHCP).



-- End of Deckard's System Scanner: finished at 2008-04-14 17:24:19 ------------





So, I hope all this makes sense! Looking forward to hearing from you, RatHat.

regards
englischdude

#7 RatHat (Ex Malware Expert)
It all makes sense! So let's get back to removing some more of the crap.


Please uninstall the following programs:

Java™ 6 Update 2
Java™ 6 Update 3

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drhunmhf.dll
C:\WINDOWS\system32\fogpmwub.dll
C:\WINDOWS\system32\pagcxdbw.dll
C:\WINDOWS\system32\tqndxiui.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\popcinfo.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghhi]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Jotti.txt
  • The contents of Combofix.txt
  • The contents of the MBAM log

Also let me know how your computer is performing now.

Regards,
RatHat
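The CFScript RatHat posts above is a small declarative format: a `File::` section lists paths ComboFix should delete, and a `Registry::` section uses .reg-style syntax in which `[-KEY]` deletes a whole key and `"Name"=-` under a `[KEY]` header deletes one value. Before dropping such a script onto ComboFix.exe it is worth expanding it into an explicit action list and reading every target, because a mistyped path deletes the wrong file and nothing in the format stops it. The parser below is an added example written for this page, not ComboFix's own code: the action names (`delete_file`, `delete_key`, `delete_value`), the "sensitive location" list and the `SAMPLE` text (an abbreviated copy of the script above) are this example's own choices, and the other section types ComboFix understands are passed through unmodelled.

```python
import re

# Constructed sample: an abbreviated copy of the CFScript posted in the thread.
SAMPLE = """\
File::
C:\\WINDOWS\\system32\\drhunmhf.dll
C:\\WINDOWS\\system32\\gebcd.dll
C:\\WINDOWS\\popcinfo.dat

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\mljghhi]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"UnlockerAssistant"=-
"""

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')      # e.g. "File::", "Registry::"
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')           # "[KEY]" scopes values, "[-KEY]" deletes
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')      # "Name"=- deletes a value

# Locations (assumed list for this example) where a deletion deserves a second look:
# Vundo's DLLs live in system32 and hook Winlogon\Notify, but so do legitimate files.
SENSITIVE = ('\\windows\\system32\\', '\\winlogon\\notify\\', '\\currentversion\\run')


def parse_cfscript(text):
    """Return a list of (action, target) tuples in script order.

    Actions: delete_file, delete_key, delete_value. Lines from sections this
    parser does not model are returned unchanged as ('other:<section>', line).
    """
    actions = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section is None:
            raise ValueError('line %d is outside any section: %r' % (lineno, line))
        if section == 'file':
            actions.append(('delete_file', line))
        elif section == 'registry':
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:                      # [-KEY] removes the whole key
                    actions.append(('delete_key', key))
                    current_key = None
                else:                          # [KEY] scopes the value lines below it
                    current_key = key
                continue
            m = VALUE_DEL_RE.match(line)
            if m is None or current_key is None:
                raise ValueError('line %d: unsupported registry line %r' % (lineno, line))
            actions.append(('delete_value', current_key + '\\' + m.group(1)))
        else:
            actions.append(('other:' + section, line))
    return actions


def review(actions):
    """Count actions per type and flag targets under the sensitive locations."""
    counts = {}
    flagged = []
    for action, target in actions:
        counts[action] = counts.get(action, 0) + 1
        if any(s in target.lower() for s in SENSITIVE):
            flagged.append((action, target))
    return counts, flagged


if __name__ == '__main__':
    acts = parse_cfscript(SAMPLE)
    for action, target in acts:
        print('%-13s %s' % (action, target))
    counts, flagged = review(acts)
    print('summary:', counts)
    print('%d target(s) under sensitive paths; verify each before running' % len(flagged))
```

Run it on the real script before handing it to ComboFix; every flagged entry should be a file or key you have already identified as malicious (here the Vundo DLLs and the Winlogon Notify hook), and anything you cannot account for should come out of the script.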

#8 englischdude (Topic Starter)
Hi RatHat,

Here are the results of MBAM:

Malwarebytes' Anti-Malware 1.11
Database version: 630

Scan type: Quick Scan
Objects scanned: 34916
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AdvancedCleaner Free (Rogue.Advanced.Cleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sstqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gebcd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mljgh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mljjh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkhhg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programme\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.





Here are the results of Jotti:

File: lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZm
XzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
Status:
INFECTED/MALWARE
MD5: ae3d459c782423f45f14a3c48272afe9
Packers detected:
CRYPTFF.B
Bit9 reports: File not found
Scanner results
Scan taken on 15 Apr 2008 09:01:45 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Peed.Gen
ClamAV
Found nothing
CPsecure
Found Malware.W32.Renos.bfa
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-virus:Hoax.Win32.Renos.bfa
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found not-virus:Hoax.Win32.Renos.bfa
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Please note that although I followed your instructions for ComboFix, I was not asked to restart and no log was generated.

All in all, the computer seems to be running a lot faster, and the Trend virus scanner is not constantly working to "remove malware". What I have noticed, however, is that since running the first ComboFix, my Microsoft Outlook has a habit of crashing when I want to reply to messages. If I then force closure of this program and restart again, it works. Can it be that I must reinstall Office?

Looking forward to your next feedback!

regards
englischdude
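Multi-engine results like the Jotti report above are best read as a ratio and a set of family names rather than a single verdict: 4 of the 20 engines flag the file, three of them agree on the Renos family under different vendor prefixes, and the "Packers detected: CRYPTFF.B" line explains the disagreement, since a packed dropper looks different to every signature engine. The parser below is an added example written for this page, not Jotti's code; it follows the text layout as pasted above (engine name on one line, "Found ..." on the next), uses an abbreviated copy of the report as constructed sample input, and the family-name normalisation is a heuristic of this example, not Jotti's.

```python
import re

# Constructed sample: an abbreviated copy of the Jotti report in the thread
# (8 of the 20 engines kept, filename shortened).
SAMPLE = """\
File: lkd2VuNV9tYV9rdzFfbWE1ZGVz_.exe
Status:
INFECTED/MALWARE
MD5: ae3d459c782423f45f14a3c48272afe9
Packers detected:
CRYPTFF.B
Bit9 reports: File not found
Scanner results
Scan taken on 15 Apr 2008 09:01:45 (GMT)
A-Squared
Found nothing
BitDefender
Found Trojan.Peed.Gen
ClamAV
Found nothing
CPsecure
Found Malware.W32.Renos.bfa
Dr.Web
Found nothing
F-Secure Anti-Virus
Found not-virus:Hoax.Win32.Renos.bfa
Kaspersky Anti-Virus
Found not-virus:Hoax.Win32.Renos.bfa
NOD32
Found nothing
"""

MD5_RE = re.compile(r'^MD5:\s*([0-9a-fA-F]{32})$')


def parse_jotti(text):
    """Return {'md5', 'packers', 'engines'}; engines maps name -> detection or None."""
    report = {'md5': None, 'packers': [], 'engines': {}}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    # Header part: everything before the "Scanner results" marker.
    while i < len(lines) and lines[i] != 'Scanner results':
        m = MD5_RE.match(lines[i])
        if m:
            report['md5'] = m.group(1).lower()
        elif lines[i] == 'Packers detected:':
            i += 1          # packer names follow, one per line, until the next "Key: value" line
            while i < len(lines) and lines[i] and ':' not in lines[i] and lines[i] != 'Scanner results':
                report['packers'].append(lines[i])
                i += 1
            continue
        i += 1
    # Engine part: pairs of "<engine>" / "Found <verdict>", with a timestamp line to skip.
    i += 1
    while i < len(lines):
        name = lines[i]
        if not name or name.startswith('Scan taken on'):
            i += 1
            continue
        if i + 1 >= len(lines) or not lines[i + 1].startswith('Found '):
            raise ValueError('engine %r has no "Found ..." line' % name)
        verdict = lines[i + 1][len('Found '):]
        report['engines'][name] = None if verdict == 'nothing' else verdict
        i += 2
    return report


def family(detection):
    """Heuristic (this example's own): drop vendor prefixes such as 'not-virus:' and
    generic tokens, and return the first remaining name segment as the family."""
    name = detection.split(':')[-1]
    parts = [p for p in name.split('.') if p]
    noise = {'hoax', 'malware', 'trojan', 'w32', 'win32', 'gen', 'generic'}
    core = [p for p in parts if p.lower() not in noise]
    return core[0] if core else parts[0]


def assess(report):
    """Summarise the report as hit count, engine count, family votes and packer flag."""
    engines = report['engines']
    hits = {e: d for e, d in engines.items() if d}
    families = {}
    for d in hits.values():
        f = family(d)
        families[f] = families.get(f, 0) + 1
    return {'hits': len(hits), 'engines': len(engines),
            'families': families, 'packed': bool(report['packers'])}


if __name__ == '__main__':
    rep = parse_jotti(SAMPLE)
    a = assess(rep)
    print('md5 %s: %d/%d engines, families %s, packed=%s'
          % (rep['md5'], a['hits'], a['engines'], a['families'], a['packed']))
```

A low hit count on a packed file is not evidence that it is clean; the combination of a packer flag, a handful of agreeing family names and a file that has no business sitting in the user's profile directory is what justifies removing it, and the MD5 is what lets you check the same sample against other sources later.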

#9 RatHat (Ex Malware Expert)
Hi englischdude,

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2VmZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe
C:\WINDOWS\system32\drhunmhf.dll
C:\WINDOWS\system32\fogpmwub.dll
C:\WINDOWS\system32\pagcxdbw.dll
C:\WINDOWS\system32\tqndxiui.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\popcinfo.dat


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's run another Kaspersky scan:

Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ComboFix won't reboot your computer if it doesn't need to, and will save the results to your C: drive as Combofix.txt

Regarding Outlook, it may be worthwhile reinstalling it after we have made sure that you have no further malware in your system.

Regards,
RatHat

#10 englischdude (Topic Starter)
Dear RatHat,

Here are the results of OTM:

File/Folder C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2V not found.
File/Folder mZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\drhunmhf.dll
C:\WINDOWS\system32\drhunmhf.dll NOT unregistered.
C:\WINDOWS\system32\drhunmhf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fogpmwub.dll
C:\WINDOWS\system32\fogpmwub.dll NOT unregistered.
C:\WINDOWS\system32\fogpmwub.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pagcxdbw.dll
C:\WINDOWS\system32\pagcxdbw.dll NOT unregistered.
C:\WINDOWS\system32\pagcxdbw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tqndxiui.dll
C:\WINDOWS\system32\tqndxiui.dll NOT unregistered.
C:\WINDOWS\system32\tqndxiui.dll moved successfully.
File/Folder C:\WINDOWS\system32\gebcd.dll not found.
File/Folder C:\WINDOWS\system32\jkhhg.dll not found.
File/Folder C:\WINDOWS\system32\mljgh.dll not found.
File/Folder C:\WINDOWS\system32\sstqn.dll not found.
File/Folder C:\WINDOWS\system32\mljjh.dll not found.
C:\WINDOWS\popcinfo.dat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04152008_145223


And here are the results of the second Kaspersky scan:



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 4:38:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 706835
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
U:\

Scan Statistics:
Total number of scanned objects: 56557
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:11:40

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Address Book\m_jones.wab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Address Book\m_jones.wab~ Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Internet Explorer Browser starten.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Nero StartSmart Essentials.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Anwendungsdaten\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\m.jones@live[1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\m.jones@msn[1].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Cookies\[email protected][2].txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Desktop\Arbeitsplatz.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Desktop\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Bilder\Beispielbilder.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Bilder\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Musik\Beispielmusik.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Eigene Dateien\Eigene Musik\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Kostenlose Hotmail.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Links anpassen.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Windows Media.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Links\Windows.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\MSN.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Favoriten\Radiostationsübersicht.url Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\bl.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\crawlercfg.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\idx\segments Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\is2.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\SID.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Ahead\Nero Home\SII.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\ngen.exe.2c05686e.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL141.tmp.c0063f75.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL2E8.tmp.b026640c.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\SL87.tmp.e5b93eca.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\IconCache.db Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Postausgang.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Identities\{C2C22F13-A92A-4EE3-8A04-41244C780378}\Microsoft\Outlook Express\Posteingang.dbx Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\10.0\WMSDKNS.DTD Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\10.0\WMSDKNS.XML Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\26f4b.mst Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Arabic.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Czech.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Danish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Dutch.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\English.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Finnish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\French.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\German.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Greek.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Hebrew.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Hungarian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Italian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Japanese.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Korean.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Microsoft Office 2003 Setup(0001).txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Norwegian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\nro.log\log\nps.log.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\nro.log\log\nsi.nrd.log.txt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\offcln11.log Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Polish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Portuguese(Brazil).bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Portuguese.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Russian.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\SimChin.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Spanish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\SWEDISH.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Thai.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\TradChin.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temp\Turkish.bin Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\11[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\3C26D3885A70356B1B4D6BDE299F71[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\4E12B1B5B54669B89D49EF678E87FA[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\528E19AA57C59BD28F9241C1469F1[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\BA9D43AA1D26928512E51F6A029A5[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\banner35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\banner35[2].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\bg_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\bk_left[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\blank[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\CATMPE9F.HTM Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\ClientInstall[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\curv_left_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\dot[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\EF5DE58896B6616AC5313FAF96B8D[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\hpble[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\hptg[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\localization[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\localization[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\login-button_bk[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\msft[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\ofsn6Cs[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\RemoveCtrl[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\search[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\setup[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\SMB[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\41F6HF1H\WinNT[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\1376[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\1space[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\4A34571BABDD51E147C29479E8EF6[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\6CDE404B4BFEC334D023E5422081E0[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\A5D1F07A9CBF3F122189B88A5DA3B0[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\A61BD2452D6D9A32C7FCF6D1DDEA23[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\acType[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\bk_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\bullet_01[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\buttons2[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\CD4D53271DD3D4DE517AE4AB69D6[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\curv_left_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\de_msn_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\dotline[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\login-button_right[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\ovr18[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\px[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\ServerIni[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\setupini[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\s_code[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-logo35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-style[1].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\trend-style[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\video[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\WinNTChk[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\5Z0RB7WH\WL_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\0000000001_000000000000000121358[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\73EA3A497EB807310219A1C4D1E9E[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\8BE3AE3E63D7AC1E9A84572CB6BA7[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\9477A9F6CBE9465BBC30A4E1E22F3A[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\95F45C2A26812D15AE792CFEDDACBB[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\A3FA72F9A39D5A75DDF15D7E178E[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\banner_bk35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\blu[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\bullet[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\C895D8A1F5A99B2D7C4EBA1FA2710[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\CAG16XY5.HTM Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\curv_right_buttom[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\curv_right_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\dotline35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\FDCAAC85D66BE7CB4D71155977E9CC[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ieminwidth[1].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\install[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\msnbf[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\NTSetup2[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ofsn6Cm[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\rss[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\Special_diana_300x250[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\trend-logo35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\ushp[2].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ARPIW1OE\whichplatform[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\0000001781_000000000000000415985[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\1822A65793E41576B590E5B84EA8F0[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\26B1449C6E023D0EE4353A37EF856[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\312070BCE01CB4C36B8984D6858B1[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\32[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\39[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\4C35DB47D6F79564B4FDAC09BEFFA[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\6F571C1B7A9A5E11D8627F8F993424[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\7F53998CC48A5D9AAFC5AA14A4467[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\banner_bk35[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bk_right[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bk_top[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\Bullet[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\bullet_02[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\C9528431989CDA8D7DB23478337FF[1].jpg Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\client[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\dap[2].js Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\glow_b[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\ie1[1].css Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\login-button_left[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\NTSetup1[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\NTSetup3[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\officescannt[1].htm Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\ofsn6[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\pattern[1].cab Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BV737Q61\pipe[1].gif Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007082320070824\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Recent\Desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\Desktop (Verknüpfung erstellen).DeskLink Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\E-Mail-Empfänger.MAPIMail Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\Eigene Dateien.mydocs Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\SendTo\ZIP-komprimierten Ordner.ZFSendToTarget Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Internet Explorer.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Outlook Express.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Autostart\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Adressbuch.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Editor.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabeaufforderung.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Bildschirmlupe.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Bildschirmtastatur.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Eingabehilfen\Hilfsprogramm-Manager.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Programmkompatibilitäts-Assistent.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Synchronisieren.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Unterhaltungsmedien\desktop.ini Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Unterhaltungsmedien\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Windows XP-Tour.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Programme\Zubehör\Windows-Explorer.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Remoteunterstützung.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Startmenü\Windows Media Player.lnk Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\amipro.sam Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\excel.xls Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\excel4.xls Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\lotus.wk4 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\powerpnt.ppt Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\presenta.shw Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\quattro.wb2 Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\sndrec.wav Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\winword.doc Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\winword2.doc Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\wordpfct.wpd Object is locked skipped
C:\Dokumente und Einstellungen\Christof.Drexel\Vorlagen\wordpfct.wpg Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2V
mZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe Infected: not-virus:Hoax.Win32.Renos.bfa skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temp\~DFBD4E.tmp Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008041520080416\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\m.jones\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programme\Fortinet\FortiClient\fwapp.db Object is locked skipped
C:\Programme\Fortinet\FortiClient\logs\FC_DBLog.ldb Object is locked skipped
C:\Programme\Fortinet\FortiClient\logs\FC_DBLog.mdb Object is locked skipped
C:\Programme\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.ilg Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljghhi.dll.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018892.exe Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kto skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iwa skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe/data.rar Infected: Trojan-Downloader.Win32.Small.tei skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018893.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP130\A0018895.exe Infected: Trojan-Downloader.Win32.Small.iwa skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP151\A0023361.dll Object is locked skipped
C:\System Volume Information\_restore{1A80B0DD-D8FE-425E-ADB0-A6C330120B05}\RP155\change.log Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\CTT4.tmp Object is locked skipped
C:\WINDOWS\Temp\JET46BD.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\04152008_145223\WINDOWS\system32\drhunmhf.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\_OTMoveIt\MovedFiles\04152008_145223\WINDOWS\system32\fogpmwub.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\_OTMoveIt\MovedFiles\04152008_145223\WINDOWS\system32\pagcxdbw.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\_OTMoveIt\MovedFiles\04152008_145223\WINDOWS\system32\tqndxiui.dll Infected: Trojan.Win32.KillAV.rf skipped

Scan process completed.




What do you think? Kaspersky still found some objects. Could it be that the quarantined objects were found and need deleting?

kind regards
englischdude

#11
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
The only thing that is still showing is the file with the ridiculously long name, so I want you to delete it manually.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Dokumente und Einstellungen\m.jones\lkd2VuNV9tYV9rdzFfbWE1ZGVz_cGRh_bm1fX2QyMzYxZTYwZmEzNjExZGM5NDNhZjY4MTEzY2V
mZmZmXzhmMzc0MDgyZmU1NDRmNDFhNzQ1OGM1ZWYzYzQ1N2Yy_.exe


After that, reboot, post me a fresh DSS log, and let me know how your computer is performing now.

#12
englischdude

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Dear RatHat,

Here is the latest DSS log, after starting up in safe mode, deleting the file and then emptying the trash:

Deckard's System Scanner v20071014.68
Run by m.jones on 2008-04-16 08:23:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as m.jones.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:24, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\RR941C.EXE
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\CSOnlineView3\ovwinetd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Alcatel_PIMphony\aocphone.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Dokumente und Einstellungen\m.jones\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MJONES~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drexel-weiss.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programme\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PIMphony.lnk = ?
O4 - Global Startup: ovwinetd.lnk = C:\Programme\CSOnlineView3\ovwinetd.exe
O4 - Global Startup: PIMphony.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://fserver01.dr...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://fserver01.dr...stall/setup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://fserver01.dr.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O17 - HKLM\Software\..\Telephony: DomainName = drexel-weiss.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mljghhi - mljghhi.dll (file missing)
O20 - Winlogon Notify: PSUTY - C:\WINDOWS\SYSTEM32\PSUWNP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 9118 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-15 11:28:54 0 d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-04-14 17:22:30 0 d-------- U:\Deckard
2008-04-14 15:37:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 15:10:31 68096 --a------ C:\WINDOWS\zip.exe
2008-04-14 15:10:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-14 15:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-14 15:10:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-14 15:10:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-14 15:10:31 98816 --a------ C:\WINDOWS\sed.exe
2008-04-14 15:10:31 80412 --a------ C:\WINDOWS\grep.exe
2008-04-14 15:10:31 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 08:02:42 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-27 12:03:35 0 d-------- U:\Misc
2008-03-27 09:42:28 0 d-------- C:\WINDOWS\pss
2008-03-21 15:42:47 0 d-------- C:\Programme\PopCap Games
2008-03-21 15:42:29 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Find3M Report ---------------------------------------------------------------

2008-04-16 08:21:09 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Alcatel PIMphony
2008-04-16 08:20:36 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Skype
2008-04-16 08:06:37 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\skypePM
2008-04-15 11:29:02 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Malwarebytes
2008-04-15 08:13:48 0 d-------- C:\Programme\Java
2008-04-14 15:17:08 425692 --a------ C:\WINDOWS\system32\perfh007.dat
2008-04-14 15:17:08 78320 --a------ C:\WINDOWS\system32\perfc007.dat
2008-04-13 10:30:13 0 d-------- C:\Programme\Trend Micro
2008-04-11 08:15:04 0 d-------- C:\Programme\Gemeinsame Dateien
2008-04-10 15:29:44 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Desktopicon
2008-03-27 20:07:54 0 d--h----- C:\Programme\InstallShield Installation Information
2008-03-27 11:08:03 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-03-27 10:23:52 0 d-------- C:\Programme\Microsoft SQL Server
2008-03-27 10:20:14 0 d-------- C:\Programme\Microsoft.NET
2008-03-27 10:08:14 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\TuneUp Software
2008-03-27 09:33:23 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Adobe
2008-03-10 12:06:45 1994 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-10 12:06:45 88 -r-hs---- C:\WINDOWS\system32\BE1587375B.sys
2008-03-06 14:09:28 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\MyPhoneExplorer
2008-03-05 18:55:13 0 d-------- C:\Programme\MSECache
2008-03-04 18:04:57 0 d-------- C:\Programme\ACT
2008-02-19 18:41:33 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\ACT
2008-02-19 18:33:39 0 d-------- C:\Programme\IE6
2008-02-19 18:33:38 0 d-------- C:\Programme\Guide
2008-02-19 18:33:38 0 d-------- C:\Programme\Dependencies
2008-02-19 18:33:23 0 d-------- C:\Programme\bin
2008-02-19 18:33:22 0 d-------- C:\Programme\ACTSTD
2008-02-19 18:32:41 0 d-------- C:\Programme\ACT Link for Pocket PC
2008-02-19 18:32:37 0 d-------- C:\Programme\ACT Link for Palm OS
2008-02-19 18:32:32 0 d-------- C:\Programme\Acrobat
2008-02-18 09:57:45 0 d-------- C:\Programme\Lavasoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 06:34 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 09:03]
"PSUtility"="C:\AddOn\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 11:57]
"LoadFUJ02E3"="C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-04-20 13:08]
"IndicatorUtility"="C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 00:12]
"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 14:21]
"LoadBtnHnd"="C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 14:20]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programme\ltmoh\Ltmoh.exe" [2005-05-18 15:57]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 12:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 12:10]
"IAAnotif"="C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 06:24]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 13:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" []
"OfficeScanNT Monitor"="C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-04-27 02:41]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 00:16]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2008-02-01 18:22]

C:\Dokumente und Einstellungen\m.jones\Startmen\Programme\Autostart\
PIMphony.lnk - C:\Programme\Alcatel_PIMphony\aocphone.exe [2007-05-16 09:11:24]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
ovwinetd.lnk - C:\Programme\CSOnlineView3\ovwinetd.exe [2007-08-27 08:23:46]
PIMphony.lnk - C:\WINDOWS\Installer\{831ADA8C-C73B-4915-AF8D-83D22BD58AA8}\aocphone.exe_831ADA8CC73B4915AF8D83D22BD58AA8.exe [2007-08-27 08:31:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghhi]
mljghhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
PSUWNP.dll 2006-06-02 17:04 32768 C:\WINDOWS\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\fserver01\deployHosts\deployHosts.cmd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ad3d14-d479-11dc-a7f5-00c0a8ebe014}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-16 08:24:23 ------------



How are things looking now? Is it necessary now to dump some of the trash that has been generated along the way, the quarantined folders etc.?

Everything seems to be working tip top, except for Office. I will try to do a repair of the Office installation today; if that does not work then I'll just reinstall. Please let me know if there is anything else which should be done.

I'd also like to take this opportunity to thank you once again for your time, interest and enthusiasm. What a wonderful community!

BRAVO!

#13
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
There's a file that's bugging me, so I would like you to upload it to Jotti's malware scan:
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\BE1587375B.sys
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I need you to run a small registry script to clean up some entries. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljghhi]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot.

Post me one more DSS log, and also the results of the Jotti scan, then if all is OK, I will help you get rid of all the quarantine folders and backups that have been made.
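An added example, not part of RatHat's instructions or any tool used in this thread: it parses the O20 (Winlogon Notify) lines of a HijackThis log, separates entries whose DLL is already gone from entries that still exist and only deserve a closer look, and writes the orphaned ones into a REGEDIT4 removal script of the same form as the one above. It assumes Python 3 and uses the two O20 lines from the DSS log in this thread as constructed sample input.

```python
import re

# Constructed sample input: the O20 lines as they appear in the DSS/HijackThis
# log posted in this thread, plus unrelated lines to show they are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: mljghhi - mljghhi.dll (file missing)
O20 - Winlogon Notify: PSUTY - C:\WINDOWS\SYSTEM32\PSUWNP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Registry branch that HijackThis reports under "O20 - Winlogon Notify".
NOTIFY_BASE = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# HijackThis prints: O20 - Winlogon Notify: <subkey> - <DllName>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)


def parse_winlogon_notify(log_text):
    """Return one dict per O20 line: subkey name, DllName value, and flags."""
    entries = []
    for raw in log_text.splitlines():
        m = O20_RE.match(raw.strip())
        if not m:
            continue  # not an O20 line
        dll = m.group("dll")
        entries.append({
            "key": m.group("key"),
            "dll": dll,
            "file_missing": m.group("missing") is not None,
            # A bare file name with no drive or path is how the entry in this
            # thread shows up in the registry dump; the legitimate PSUTY entry
            # carries a full path. Treated here as a "look closer" signal only.
            "bare_name": not re.match(r"^[A-Za-z]:\\", dll),
        })
    return entries


def orphaned_entries(entries):
    """Entries whose DLL no longer exists on disk. The key is dead weight:
    winlogon tries to load the DLL at every logon and fails."""
    return [e for e in entries if e["file_missing"]]


def entries_to_review(entries):
    """Entries still present on disk but registered with a bare file name.
    These are not deleted automatically; the DLL should be scanned first."""
    return [e for e in entries if e["bare_name"] and not e["file_missing"]]


def build_fixreg(entries):
    """Emit a REGEDIT4 script in the form RatHat posted: a leading '-'
    inside the brackets tells regedit to delete the whole subkey."""
    lines = ["REGEDIT4", ""]
    for e in orphaned_entries(entries):
        lines.append(f"[-{NOTIFY_BASE}\\{e['key']}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_winlogon_notify(SAMPLE_LOG)
    for e in entries_to_review(found):
        print(f"review before touching: {e['key']} -> {e['dll']}")
    print(build_fixreg(found))
```

Save the printed script as FixReg.reg and merge it exactly as described in the post above; entries listed under "review" are left alone on purpose.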

#14
englischdude

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi RatHat,

Here is the new DSS log:

Deckard's System Scanner v20071014.68
Run by m.jones on 2008-04-16 15:27:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as m.jones.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fortinet\FortiClient\scheduler.exe
C:\Programme\Fortinet\FortiClient\FCDBLog.exe
C:\Programme\Fortinet\FortiClient\fortifw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\VF4144.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\CSOnlineView3\ovwinetd.exe
C:\Programme\Alcatel_PIMphony\aocphone.exe
C:\Dokumente und Einstellungen\m.jones\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MJONES~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drexel-weiss.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSUtility] C:\AddOn\Fujitsu\PSUtility\TrayManager.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programme\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PIMphony.lnk = ?
O4 - Global Startup: ovwinetd.lnk = C:\Programme\CSOnlineView3\ovwinetd.exe
O4 - Global Startup: PIMphony.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://fserver01.dr...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://fserver01.dr...stall/setup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://fserver01.dr.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O17 - HKLM\Software\..\Telephony: DomainName = drexel-weiss.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drexel-weiss.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: PSUTY - C:\WINDOWS\SYSTEM32\PSUWNP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Programme\Fortinet\FortiClient\scheduler.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Client/Server Security Agent Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8953 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-15 11:28:54 0 d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-04-14 17:22:30 0 d-------- U:\Deckard
2008-04-14 15:37:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 15:10:31 68096 --a------ C:\WINDOWS\zip.exe
2008-04-14 15:10:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-14 15:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-14 15:10:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-14 15:10:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-14 15:10:31 98816 --a------ C:\WINDOWS\sed.exe
2008-04-14 15:10:31 80412 --a------ C:\WINDOWS\grep.exe
2008-04-14 15:10:31 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 08:02:42 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-27 12:03:35 0 d-------- U:\Misc
2008-03-27 09:42:28 0 d-------- C:\WINDOWS\pss
2008-03-21 15:42:47 0 d-------- C:\Programme\PopCap Games
2008-03-21 15:42:29 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Find3M Report ---------------------------------------------------------------

2008-04-16 15:26:44 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Alcatel PIMphony
2008-04-16 15:26:30 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Skype
2008-04-16 15:26:20 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\skypePM
2008-04-15 11:29:02 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Malwarebytes
2008-04-15 08:13:48 0 d-------- C:\Programme\Java
2008-04-14 15:17:08 425692 --a------ C:\WINDOWS\system32\perfh007.dat
2008-04-14 15:17:08 78320 --a------ C:\WINDOWS\system32\perfc007.dat
2008-04-13 10:30:13 0 d-------- C:\Programme\Trend Micro
2008-04-11 08:15:04 0 d-------- C:\Programme\Gemeinsame Dateien
2008-04-10 15:29:44 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Desktopicon
2008-03-27 20:07:54 0 d--h----- C:\Programme\InstallShield Installation Information
2008-03-27 11:08:03 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-03-27 10:23:52 0 d-------- C:\Programme\Microsoft SQL Server
2008-03-27 10:20:14 0 d-------- C:\Programme\Microsoft.NET
2008-03-27 10:08:14 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\TuneUp Software
2008-03-27 09:33:23 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\Adobe
2008-03-10 12:06:45 1994 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-10 12:06:45 88 -r-hs---- C:\WINDOWS\system32\BE1587375B.sys
2008-03-06 14:09:28 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\MyPhoneExplorer
2008-03-05 18:55:13 0 d-------- C:\Programme\MSECache
2008-03-04 18:04:57 0 d-------- C:\Programme\ACT
2008-02-19 18:41:33 0 d-------- C:\Dokumente und Einstellungen\m.jones\Anwendungsdaten\ACT
2008-02-19 18:33:39 0 d-------- C:\Programme\IE6
2008-02-19 18:33:38 0 d-------- C:\Programme\Guide
2008-02-19 18:33:38 0 d-------- C:\Programme\Dependencies
2008-02-19 18:33:23 0 d-------- C:\Programme\bin
2008-02-19 18:33:22 0 d-------- C:\Programme\ACTSTD
2008-02-19 18:32:41 0 d-------- C:\Programme\ACT Link for Pocket PC
2008-02-19 18:32:37 0 d-------- C:\Programme\ACT Link for Palm OS
2008-02-19 18:32:32 0 d-------- C:\Programme\Acrobat
2008-02-18 09:57:45 0 d-------- C:\Programme\Lavasoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 06:34 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 09:03]
"PSUtility"="C:\AddOn\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 11:57]
"LoadFUJ02E3"="C:\Programme\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-04-20 13:08]
"IndicatorUtility"="C:\AddOn\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 00:12]
"LoadFujitsuQuickTouch"="C:\AddOn\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 14:21]
"LoadBtnHnd"="C:\Programme\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 14:20]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 13:32 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programme\ltmoh\Ltmoh.exe" [2005-05-18 15:57]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-06 12:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-06 12:10]
"IAAnotif"="C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 06:24]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 13:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" []
"OfficeScanNT Monitor"="C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-04-27 02:41]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 00:16]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2008-02-01 18:22]

C:\Dokumente und Einstellungen\m.jones\Startmen\Programme\Autostart\
PIMphony.lnk - C:\Programme\Alcatel_PIMphony\aocphone.exe [2007-05-16 09:11:24]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
ovwinetd.lnk - C:\Programme\CSOnlineView3\ovwinetd.exe [2007-08-27 08:23:46]
PIMphony.lnk - C:\WINDOWS\Installer\{831ADA8C-C73B-4915-AF8D-83D22BD58AA8}\aocphone.exe_831ADA8CC73B4915AF8D83D22BD58AA8.exe [2007-08-27 08:31:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
PSUWNP.dll 2006-06-02 17:04 32768 C:\WINDOWS\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\fserver01\deployHosts\deployHosts.cmd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ad3d14-d479-11dc-a7f5-00c0a8ebe014}]
AutoRun\command- E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-04-16 15:27:57 ------------


and here is the new Jotti log you require:

Service load:
0% 100%
File: BE1587375B.sys
Status:
OK
MD5: e5e612262c494a6bb5666a2e2954b6ab
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 16 Apr 2008 13:18:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing




kind regards
englischdude
  • 0
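The DSS file listing above marks each entry with a nine-character attribute string, and the two `.sys` files RatHat asked about are the only ones carrying both the hidden (`h`) and system (`s`) flags, which is why they stood out to him. The Jotti report then lists each engine on one line and its result on the next. The block below, an added example for this thread and not part of Deckard's System Scanner or Jotti, parses both formats from constructed samples copied from the posts above: it flags hidden+system files for review and summarises the multi-engine result, including a constructed variant with one detection so the counting path is exercised.

```python
"""Read the two reports posted above: flag hidden+system files in the DSS
file listing, and summarise a Jotti multi-engine scan.

Added example for this thread, not part of Deckard's System Scanner or
Jotti. The heuristic (non-directory entries carrying both the hidden and
system attributes) is a review filter, not a verdict: such files are worth
a multi-engine scan, which is exactly what the helper asked for."""
import re
from typing import Dict, List, NamedTuple, Optional


class FileEntry(NamedTuple):
    when: str
    size: int
    attrs: str   # 9 chars: d r a h s ---- (directory, read-only, archive, hidden, system)
    path: str
    note: Optional[str]


DSS_LINE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[d-][r-][a-][h-][s-]-{4})\s+(?P<path>.+?)(?:\s+<(?P<note>[^>]*)>)?$"
)

# Constructed sample: lines copied from the DSS report posted above.
DSS_SAMPLE = r"""
2008-04-15 11:28:54 0 d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-04-14 15:10:31 68096 --a------ C:\WINDOWS\zip.exe
2008-04-14 15:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-03-27 20:07:54 0 d--h----- C:\Programme\InstallShield Installation Information
2008-03-10 12:06:45 1994 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-10 12:06:45 88 -r-hs---- C:\WINDOWS\system32\BE1587375B.sys
"""

# Constructed sample: the head of the Jotti report posted above, trimmed to
# four engines. Jotti prints each engine name on one line, its result on the next.
JOTTI_SAMPLE = """\
File: BE1587375B.sys
Status:
OK
MD5: e5e612262c494a6bb5666a2e2954b6ab
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 16 Apr 2008 13:18:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ClamAV
Found nothing
Kaspersky Anti-Virus
Found nothing
"""

# Constructed variant with one engine reporting a detection, to exercise the
# counting path (the real report above was clean on every engine).
JOTTI_WITH_HIT = JOTTI_SAMPLE.replace(
    "ClamAV\nFound nothing", "ClamAV\nFound Example.Detection (constructed)"
)


def parse_dss_files(text: str) -> List[FileEntry]:
    """Parse the 'Files created' / 'Find3M' style lines of a DSS report."""
    entries = []
    for raw in text.splitlines():
        m = DSS_LINE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["when"], int(m["size"]), m["attrs"], m["path"], m["note"]))
    return entries


def hidden_system_files(entries: List[FileEntry]) -> List[FileEntry]:
    """Files (not directories) with both the hidden and system attributes set."""
    return [e for e in entries if e.attrs[0] != "d" and e.attrs[3] == "h" and e.attrs[4] == "s"]


def parse_jotti(text: str) -> Dict:
    """Return file name, MD5, per-engine results and the subset that detected something."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    report: Dict = {"file": None, "md5": None, "results": {}}
    for i, line in enumerate(lines):
        if line.startswith("File:"):
            report["file"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:"):
            report["md5"] = line.split(":", 1)[1].strip()
        elif line.startswith("Scan taken on"):
            body = lines[i + 1:]
            report["results"] = dict(zip(body[0::2], body[1::2]))
            break
    report["detections"] = {n: r for n, r in report["results"].items() if r != "Found nothing"}
    return report


def verdict(report: Dict) -> str:
    hits, total = len(report["detections"]), len(report["results"])
    if total == 0:
        return "no engine results parsed"
    return "clean on all %d engines" % total if hits == 0 else "%d of %d engines flagged it" % (hits, total)


if __name__ == "__main__":
    for e in hidden_system_files(parse_dss_files(DSS_SAMPLE)):
        print("review:", e.path, e.size, "bytes", e.attrs)
    rep = parse_jotti(JOTTI_SAMPLE)
    print(rep["file"], rep["md5"], verdict(rep))
```

Keep the MD5 from the report next to the flagged path: if the file changes on disk later, a fresh hash tells you the earlier clean result no longer applies to what is there now.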

#15
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
English dud,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK! Well done, your log is clean again! :)

The first thing we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, and Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0
