Infected - Google search redirected, some sites inaccessible, Desktop-i



#1 madschnun (New Member)

Hello out there,

First of all, this is my first time on the geekstogo forum, so I want to say hi to everyone.

I got my wife's laptop infected, so help is highly appreciated.

Running XP SP2; it should be up to date with the security patches.

Symptoms I have found so far:
  • Google search results are redirected
  • some sites, like geekstogo, are inaccessible
  • Background image changed to "Warning Spyware detected" - cannot be changed

Found some threads regarding this problem, but they were all 2006 or younger.

Posting a HijackThis log will be difficult, since I cannot access this site (I'm on my PC), so any suggestions on how to circumvent that are also welcome.

So, please help me, I'm in dire need...

Jan

P.S. I'm not a native English speaker, so please ignore any strange-sounding sentences.

Edited by madschnun, 26 August 2008 - 02:46 AM.

#2 madschnun (Topic Starter)

Scanned the laptop again and found:

C:\window\system32\blphc31pj0ej0c.scr
Win32: Trojan-gen (Other)

I emailed myself the HijackThis log; could've figured that one out earlier:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:00, on 26.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TPSMain] "C:\WINDOWS\system32\TPSMain.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.XXXXX...perSetupSP1.cab
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Programme\MATCO\DirmsService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Programme\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5763 bytes

Edited by madschnun, 26 August 2008 - 02:51 AM.


#3 Essexboy (GeekU Moderator, Retired Staff)

Hi there, and sorry for the delay. Your system may be a spambot, so let's stop it.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\sysproc64
    C:\Windows\system32\oembios.dat 
    C:\Windows\system32\oembios.bin
    C:\WINDOWS\system32\oembios.exe
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this, as it will enable a system recovery in the event of problems.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the OTMoveIt report.

#4 madschnun (Topic Starter)

Hello Essexboy,

The OTMoveIt report:
File/Folder C:\Windows\sysproc64 not found.
C:\Windows\system32\oembios.dat moved successfully.
C:\Windows\system32\oembios.bin moved successfully.
File move failed. C:\Windows\system32\oembios.exe scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09012008_082919

Files moved on Reboot...
File move failed. C:\Windows\system32\oembios.exe scheduled to be moved on reboot.

The .exe file is not removed after reboot; the .dat and .bin files also reappear.

When I run ComboFix, it tells me that it detected rootkit activity and that it has to reboot. After the reboot, it's all back to the infected state and there is no log. Also, ComboFix doesn't open a shell; it just runs in the background before the alert.

The F2 oembios line is not removed from the HijackThis log; it reappears directly after I remove it with HijackThis.

greetings,
Jan

#5 Essexboy (GeekU Moderator, Retired Staff)

OK, so it does not want to go, eh? Methinks we should change that. First off, I will need to find what is driving it.

Download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.


#6 madschnun (Topic Starter)

Here you go, I hope you find the little devil...

OTViewIt logfile created on: 01.09.2008 21:09:07 - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Dokumente und Einstellungen\Saturn\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

446,17 Mb Total Physical Memory | 149,60 Mb Available Physical Memory | 33,53% Memory free
1,03 Gb Paging File | 0,72 Gb Available in Paging File | 69,62% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,53 Gb Total Space | 18,42 Gb Free Space | 24,72% Space Free | Partition Type: NTFS
Drive D: | 1,30 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SONIASLAPTOP
Current User Name: Saturn
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

===== Processes - Non-Microsoft Only =====

[07.19.2008 04:25 PM | 00,016,056 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
[07.19.2008 04:38 PM | 00,147,640 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashServ.exe
[07.08.2005 12:13 AM | 00,036,864 | ---- | M] () - C:\WINDOWS\system32\acs.exe
[10.15.2004 12:28 AM | 00,098,394 | ---- | M] (Synaptics, Inc.) - C:\Programme\Synaptics\SynTP\SynTPLpr.exe
[10.15.2004 12:26 AM | 00,688,218 | ---- | M] (Synaptics, Inc.) - C:\Programme\Synaptics\SynTP\SynTPEnh.exe
[07.19.2008 04:38 PM | 00,078,008 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashDisp.exe
[09.06.2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[10.15.2005 03:29 PM | 00,088,203 | ---- | M] (Agere Systems) - C:\WINDOWS\agrsmmsg.exe
[08.05.2005 10:05 PM | 00,344,064 | ---- | M] (ATI Technologies, Inc.) - C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
[01.18.2005 01:38 AM | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
[09.15.2006 07:05 AM | 00,348,160 | ---- | M] (Juniper Networks) - C:\Programme\Juniper Networks\Common Files\dsNcService.exe
[08.03.2005 05:15 PM | 00,040,960 | ---- | M] (TOSHIBA Corporation) - C:\WINDOWS\system32\TPSBattM.exe
[08.10.2005 11:15 AM | 00,035,328 | ---- | M] (TOSHIBA Corp.) - C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
[07.19.2008 04:38 PM | 00,250,040 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
[07.23.2008 04:25 PM | 00,348,344 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashWebSv.exe

===== Win32 Services - Non-Microsoft Only =====

(ACS) Atheros-Konfigurationsdienst [Auto | Running]
[07.08.2005 12:13 AM | 00,036,864 | ---- | M] () - C:\WINDOWS\system32\acs.exe

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[09.06.2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(aswUpdSv) avast! iAVS4 Control Service [Auto | Running]
[07.19.2008 04:25 PM | 00,016,056 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe

(avast! Antivirus) avast! Antivirus [Auto | Running]
[07.19.2008 04:38 PM | 00,147,640 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashServ.exe

(avast! Mail Scanner) avast! Mail Scanner [On_Demand | Running]
[07.19.2008 04:38 PM | 00,250,040 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe

(avast! Web Scanner) avast! Web Scanner [On_Demand | Running]
[07.23.2008 04:25 PM | 00,348,344 | ---- | M] (ALWIL Software) - C:\Programme\Alwil Software\Avast4\ashWebSv.exe

(CFSvcs) ConfigFree Service [Auto | Running]
[01.18.2005 01:38 AM | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe

(DirMS_Defragmentation) DirMS_Defragmentation [On_Demand | Stopped]
[11.27.2006 07:48 AM | 00,245,760 | ---- | M] () - C:\Programme\MATCO\DirmsService.exe

(dsNcService) Juniper Network Connect Service [Auto | Running]
[09.15.2006 07:05 AM | 00,348,160 | ---- | M] (Juniper Networks) - C:\Programme\Juniper Networks\Common Files\dsNcService.exe

(HealthMonitor) HealthMonitor [Disabled | Stopped]
[04.27.2006 11:46 AM | 00,024,576 | ---- | M] (Vittorio Pavesi) - C:\Programme\HealthMonitor\HealthMonitor.exe

(TAPPSRV) TOSHIBA Application Service [Auto | Running]
[08.10.2005 11:15 AM | 00,035,328 | ---- | M] (TOSHIBA Corp.) - C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

===== Driver Services - Non-Microsoft Only =====

(Aavmker4) avast! Asynchronous Virus Monitor [System | Running]
[07.19.2008 04:32 PM | 00,026,944 | ---- | M] (ALWIL Software) - C:\WINDOWS\System32\drivers\aavmker4.sys

(AgereSoftModem) TOSHIBA V92 Software Modem [On_Demand | Running]
[11.15.2005 06:00 PM | 01,122,656 | ---- | M] (Agere Systems) - C:\WINDOWS\system32\drivers\AGRSM.sys

(AR5211) Atheros Wireless Network Adapter Service [On_Demand | Running]
[09.12.2005 08:08 PM | 00,468,736 | ---- | M] (Atheros Communications, Inc.) - C:\WINDOWS\system32\drivers\ar5211.sys

(aswFsBlk) aswFsBlk [Auto | Running]
[07.19.2008 04:37 PM | 00,020,560 | ---- | M] (ALWIL Software) - C:\WINDOWS\system32\drivers\aswFsBlk.sys

(aswMon2) avast! Standard Shield Support [Auto | Running]
[07.19.2008 04:37 PM | 00,094,416 | ---- | M] (ALWIL Software) - C:\WINDOWS\System32\drivers\aswmon2.sys

(aswRdr) aswRdr [On_Demand | Running]
[07.19.2008 04:33 PM | 00,023,152 | ---- | M] (ALWIL Software) - C:\WINDOWS\System32\drivers\aswRdr.sys

(aswSP) avast! Self Protection [System | Running]
[07.19.2008 04:35 PM | 00,078,416 | ---- | M] (ALWIL Software) - C:\WINDOWS\System32\drivers\aswSP.sys

(aswTdi) avast! Network Shield Support [System | Running]
[07.19.2008 04:32 PM | 00,042,912 | ---- | M] (ALWIL Software) - C:\WINDOWS\System32\drivers\aswTdi.sys

(catchme) catchme [On_Demand | Stopped]
File not found - C:\DOKUME~1\Saturn\LOKALE~1\Temp\catchme.sys

(CVirtA) Cisco Systems VPN Adapter [On_Demand | Stopped]
[05.01.2003 01:26 PM | 00,005,220 | R--- | M] (Cisco Systems, Inc.) - C:\WINDOWS\system32\drivers\CVirtA.sys

(DAdderFltr) DeathAdder Mouse [On_Demand | Stopped]
[11.14.2006 04:29 PM | 00,022,144 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) - C:\WINDOWS\system32\drivers\dadder.sys

(dsNcAdpt) Juniper Network Connect Adapter [On_Demand | Running]
[09.15.2006 07:05 AM | 00,023,552 | ---- | M] (Juniper Networks) - C:\WINDOWS\system32\drivers\dsNcAdpt.sys

(dtscsi) dtscsi [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\Drivers\dtscsi.sys

(FreeOTFE) FreeOTFE [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFE.sys

(FreeOTFECypherAES_Gladman) FreeOTFECypherAES_Gladman [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherAES_Gladman.sys

(FreeOTFECypherAES_ltc) FreeOTFECypherAES_ltc [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherAES_ltc.sys

(FreeOTFECypherBlowfish) FreeOTFECypherBlowfish [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherBlowfish.sys

(FreeOTFECypherCAST5) FreeOTFECypherCAST5 [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherCAST5.sys

(FreeOTFECypherCAST6_Gladman) FreeOTFECypherCAST6_Gladman [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherCAST6_Gladman.sys

(FreeOTFECypherDES) FreeOTFECypherDES [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherDES.sys

(FreeOTFECypherNull) FreeOTFECypherNull [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherNull.sys

(FreeOTFECypherRC6_Gladman) FreeOTFECypherRC6_Gladman [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherRC6_Gladman.sys

(FreeOTFECypherRC6_ltc) FreeOTFECypherRC6_ltc [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherRC6_ltc.sys

(FreeOTFECypherSerpent_Gladman) FreeOTFECypherSerpent_Gladman [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherSerpent_Gladman.sys

(FreeOTFECypherTwofish_Gladman) FreeOTFECypherTwofish_Gladman [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherTwofish_Gladman.sys

(FreeOTFECypherTwofish_HifnCS) FreeOTFECypherTwofish_HifnCS [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherTwofish_HifnCS.sys

(FreeOTFECypherTwofish_ltc) FreeOTFECypherTwofish_ltc [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherTwofish_ltc.sys

(FreeOTFECypherXOR) FreeOTFECypherXOR [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFECypherXOR.sys

(FreeOTFEHashMD) FreeOTFEHashMD [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashMD.sys

(FreeOTFEHashNull) FreeOTFEHashNull [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashNull.sys

(FreeOTFEHashRIPEMD) FreeOTFEHashRIPEMD [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashRIPEMD.sys

(FreeOTFEHashSHA) FreeOTFEHashSHA [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashSHA.sys

(FreeOTFEHashTiger) FreeOTFEHashTiger [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashTiger.sys

(FreeOTFEHashWhirlpool) FreeOTFEHashWhirlpool [On_Demand | Stopped]
File not found - F:\FreeOTFE\FreeOTFEHashWhirlpool.sys

(Netdevio) TOSHIBA Network Device Usermode I/O Protocol [Auto | Running]
[01.29.2003 11:35 PM | 00,012,032 | ---- | M] (TOSHIBA Corporation.) - C:\WINDOWS\system32\drivers\Netdevio.sys

(PNDIS5) PNDIS5 NDIS Protocol Driver [On_Demand | Stopped]
File not found - D:\PNDIS5.SYS

(RTL8023xp) Realtek 10/100/1000 NIC Family all in one NDIS XP Driver [On_Demand | Stopped]
[03.04.2005 08:10 PM | 00,074,496 | ---- | M] (Realtek Semiconductor Corporation ) - C:\WINDOWS\system32\drivers\Rtlnicxp.sys

(rtl8139) NT-Treiber für Realtek RTL8139(A/B/C)-basierten PCI-Fast Ethernet-Adapter [On_Demand | Stopped]
[08.03.2004 11:31 PM | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\system32\drivers\RTL8139.sys

(sptd) sptd [Boot | Running]
[09.13.2007 09:05 PM | 00,685,816 | ---- | M] () - C:\WINDOWS\system32\drivers\sptd.sys

(SYMIDSCO) SYMIDSCO [On_Demand | Stopped]
File not found - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SymcData\idsdefs\20060807.097\symidsco.sys

(SynTP) Synaptics TouchPad Driver [On_Demand | Running]
[10.15.2004 12:14 AM | 00,185,728 | ---- | M] (Synaptics, Inc.) - C:\WINDOWS\system32\drivers\SynTP.sys

(TVALD) Toshiba Mobile PC Service [On_Demand | Running]
[10.20.2005 03:03 PM | 00,006,144 | ---- | M] (Toshiba Corporation) - C:\WINDOWS\system32\drivers\NBSMI.sys

(Tvs) TOSHIBA Virtual Sound with SRS technologies [On_Demand | Running]
[11.30.2005 12:01 PM | 00,043,392 | ---- | M] (TOSHIBA Corporation) - C:\WINDOWS\system32\drivers\Tvs.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG" = "C:\WINDOWS\AGRSMMSG.exe" [10.15.2005 03:29 PM | 00,088,203 | ---- | M] (Agere Systems)
"ATIPTA" = C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE [08.05.2005 10:05 PM | 00,344,064 | ---- | M] (ATI Technologies, Inc.)
"avast!" = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [07.19.2008 04:38 PM | 00,078,008 | ---- | M] (ALWIL Software)
"RTHDCPL" = RTHDCPL.EXE [11.10.2005 08:14 PM | 15,473,664 | ---- | M] (Realtek Semiconductor Corp.)
"SynTPEnh" = C:\Programme\Synaptics\SynTP\SynTPEnh.exe [10.15.2004 12:26 AM | 00,688,218 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" = C:\Programme\Synaptics\SynTP\SynTPLpr.exe [10.15.2004 12:28 AM | 00,098,394 | ---- | M] (Synaptics, Inc.)
"TPSMain" = "C:\WINDOWS\system32\TPSMain.exe" [08.03.2005 05:16 PM | 00,266,240 | ---- | M] (TOSHIBA Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Key does not exist or could not be opened.
"run" = Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[All Users Startup Folder - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart]

[Saturn Startup Folder - C:\Dokumente und Einstellungen\Saturn\Startmenü\Programme\Autostart]

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [12.18.2006 05:16 AM | 00,059,032 | ---- | M] (Adobe Systems Incorporated) C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [06.10.2008 04:27 AM | 00,509,328 | ---- | M] (Sun Microsystems, Inc.) C:\Programme\Java\jre1.6.0_07\bin\ssv.dll

========== Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{C4069E3A-68F1-403E-B40E-20066696354B}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [06.13.2007 03:21 PM | 01,036,288 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\SYSTEM32\Userinit.exe" - [08.04.2004 03:00 PM | 00,025,088 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
"C:\WINDOWS\system32\oembios.exe" - [08.04.2004 03:00 PM | 00,136,704 | R--- | M] () C:\WINDOWS\system32\oembios.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [08.04.2004 03:00 PM | 00,515,072 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [10.25.2007 06:42 PM | 08,501,248 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [08.04.2004 03:00 PM | 00,303,104 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DllName" = C:\WINDOWS\system32\ati2evxx.dll [08.04.2005 07:04 AM | 00,046,080 | ---- | M] (ATI Technologies Inc.)

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
Unable to open key or key not present!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1
"disableregistrytools" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "Die derzeitige Homepage"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"ose" = 3
"O&O Defrag" = 2
"iPod Service" = 3
"HealthMonitor" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Alcmtr]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = C:\WINDOWS\Alcmtr.exe [05.04.2005 03:43 AM | 00,069,632 | ---- | M] (Realtek Semiconductor Corp.)
"hkey" = HKLM
"command" = C:\WINDOWS\Alcmtr.exe [05.04.2005 03:43 AM | 00,069,632 | ---- | M] (Realtek Semiconductor Corp.)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PadTouch]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = PadExe
"hkey" = HKLM
"command" = C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe [08.30.2005 01:34 PM | 01,077,328 | ---- | M] (TOSHIBA)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini" = 0
"win.ini" = 0
"bootini" = 0
"services" = 2
"startup" = 2

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[12.05.2005 04:45 PM | 00,000,000 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b43f858-fae3-11da-8ffb-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13cb22b3-4f41-11dd-923d-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{255f6129-0db4-11db-9026-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3762d97a-f789-11da-8fec-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{78d40111-0302-11dc-91d7-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7ba26306-4bc8-11db-90ae-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{994ed6a9-f476-11da-8fde-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c09ffc4-4f1c-11dd-923c-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa940a54-14e7-11dd-921a-00a0d13ddbd3}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa940a55-14e7-11dd-921a-00a0d13ddbd3}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa940a56-14e7-11dd-921a-00a0d13ddbd3}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa940a57-14e7-11dd-921a-00a0d13ddbd3}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba4c10b6-f332-11da-8fdb-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb379e65-eca4-11da-8fcb-806d6172696f}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3d200b8-5229-11dd-923e-0016e324ee5e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc2277f8-22bc-11db-9046-0016e324ee5e}\Shell]
"" = None

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{251F8888-C33A-42CD-801E-32846FA2D6A1}]
Servers: | Description: 1394-Netzwerkadapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{4CF82B47-C2C9-4B67-9BA6-F42C72C43656}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{594D937A-E2A3-424F-96F8-B80E240D74A4}]
Servers: | Description: Atheros AR5005G Wireless Network Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{5F73167E-47BC-4DBA-B5B7-0E21230D1A35}]
Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{97A7DF20-7957-4B6E-9D5B-C5338650C65D}]
Servers: | Description:

========== Hosts File ==========

HOSTS File = (845 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 microsoft.com



========== Files/Folders - Created Within 30 days ==========

[08.25.2008 10:15 AM | ---D | C] - C:\!KillBox
[09.01.2008 08:29 AM | ---D | C] - C:\_OTMoveIt
[22 C:\WINDOWS\System32\*.tmp files]
[08.24.2008 11:46 PM | 00,625,208 | ---- | C] () - C:\WINDOWS\System32\phc31pj0ej0c.bmp
[08.24.2008 11:46 PM | -HSD | C] - C:\WINDOWS\System32\sysproc64
[08.17.2008 03:35 PM | ---D | C] - C:\Dokumente und Einstellungen\All Users\Dokumente\sun
[08.17.2008 09:30 PM | ---D | C] - C:\Dokumente und Einstellungen\Saturn\Eigene Dateien\My Saved Games
[08.25.2008 08:17 AM | 00,099,262 | ---- | C] () - C:\Dokumente und Einstellungen\Saturn\Desktop\SmitfraudFix.zip
[08.25.2008 10:06 AM | 00,001,544 | ---- | C] () - C:\Dokumente und Einstellungen\Saturn\Desktop\HijackThis.lnk
[08.25.2008 10:07 AM | 00,092,672 | ---- | C] (Option^Explicit Software [email protected]) - C:\Dokumente und Einstellungen\Saturn\Desktop\KillBox.exe
[08.25.2008 10:07 AM | 00,186,946 | ---- | C] (Business Information Solutions) - C:\Dokumente und Einstellungen\Saturn\Desktop\AntiPuper.exe
[08.25.2008 10:07 AM | 01,147,911 | ---- | C] (McAfee Inc.) - C:\Dokumente und Einstellungen\Saturn\Desktop\stinger3.exe
[08.25.2008 10:51 AM | 00,000,024 | ---- | C] () - C:\Dokumente und Einstellungen\Saturn\Desktop\stinger3.opt
[09.01.2008 08:17 AM | 02,840,693 | R--- | C] () - C:\Dokumente und Einstellungen\Saturn\Desktop\ComboFix.exe
[08.17.2008 01:54 PM | ---D | C] - C:\Programme\DOSBox-0.72
[08.17.2008 03:48 PM | ---D | C] - C:\Programme\OpenOffice.org 2.4
[08.24.2008 03:48 PM | ---D | C] - C:\Programme\VS Revo Group
[08.24.2008 08:49 PM | ---D | C] - C:\Programme\MATCO
[08.25.2008 10:06 AM | ---D | C] - C:\Programme\HijackThis

========== Files - Modified Within 30 days ==========

[09.01.2008 09:49 AM | 46,791,4752 | -HS- | M] () - C:\hiberfil.sys
[22 C:\WINDOWS\System32\*.tmp files]
[08.25.2008 01:23 AM | 00,205,248 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08.25.2008 07:59 AM | 00,625,208 | ---- | M] () - C:\WINDOWS\System32\phc31pj0ej0c.bmp
[09.01.2008 08:11 AM | 00,001,158 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\*.tmp files]
[08.15.2008 07:41 PM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[09.01.2008 09:50 AM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08.13.2008 08:28 AM | 00,134,656 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08.24.2008 11:45 PM | 00,030,560 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[08.25.2008 11:09 AM | 01,574,570 | -H-- | M] () - C:\Dokumente und Einstellungen\Saturn\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[08.17.2008 06:00 PM | 00,002,121 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Desktop\iTunes.lnk
[08.25.2008 08:17 AM | 00,099,262 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Desktop\SmitfraudFix.zip
[08.25.2008 10:06 AM | 00,001,544 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Desktop\HijackThis.lnk
[08.25.2008 10:51 AM | 00,000,024 | ---- | M] () - C:\Dokumente und Einstellungen\Saturn\Desktop\stinger3.opt
[08.25.2008 10:53 AM | 00,092,672 | ---- | M] (Option^Explicit Software [email protected]) - C:\Dokumente und Einstellungen\Saturn\Desktop\KillBox.exe
[08.25.2008 10:54 AM | 00,186,946 | ---- | M] (Business Information Solutions) - C:\Dokumente und Einstellungen\Saturn\Desktop\AntiPuper.exe
[08.25.2008 11:00 AM | 01,147,911 | ---- | M] (McAfee Inc.) - C:\Dokumente und Einstellungen\Saturn\Desktop\stinger3.exe
[09.01.2008 08:54 AM | 02,840,693 | R--- | M] () - C:\Dokumente und Einstellungen\Saturn\Desktop\ComboFix.exe

< End of report >

OTViewIt Extras logfile created on: 01.09.2008 21:09:07 - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Dokumente und Einstellungen\Saturn\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

446,17 Mb Total Physical Memory | 149,60 Mb Available Physical Memory | 33,53% Memory free
1,03 Gb Paging File | 0,72 Gb Available in Paging File | 69,62% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,53 Gb Total Space | 18,42 Gb Free Space | 24,72% Space Free | Partition Type: NTFS
Drive D: | 1,30 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08.04.2004 03:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[10.10.2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08.04.2004 03:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[10.10.2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation)

"C:\Programme\FileZilla\FileZilla.exe" = C:\Programme\FileZilla\FileZilla.exe:*:Enabled:FileZilla
File not found

"C:\Programme\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Programme\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX
File not found

"C:\Programme\Soulseek\slsk.exe" = C:\Programme\Soulseek\slsk.exe:*:Enabled:SoulSeek
[04.18.2005 12:08 AM | 03,112,960 | ---- | M] ()

"C:\Programme\Last.fm\LastFM.exe" = C:\Programme\Last.fm\LastFM.exe:*:Enabled:LastFM
[05.28.2008 04:13 PM | 01,138,688 | ---- | M] (Last.fm)

"C:\Programme\Mozilla Firefox\firefox.exe" = C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[07.03.2008 04:25 AM | 00,307,712 | ---- | M] (Mozilla Corporation)

"C:\Programme\Macromedia\FreeHand MX\FreeHand MX.exe" = C:\Programme\Macromedia\FreeHand MX\FreeHand MX.exe:*:Enabled:FreeHand MX
[02.03.2003 12:46 AM | 06,901,760 | ---- | M] ()

"C:\Programme\Opera\Opera.exe" = C:\Programme\Opera\Opera.exe:*:Enabled:Opera Internet Browser
[06.11.2008 08:16 PM | 00,098,816 | ---- | M] (Opera Software)

"C:\Programme\JAlbum 6.5\JAlbumWin.exe" = C:\Programme\JAlbum 6.5\JAlbumWin.exe:*:Enabled:JAlbumWin
[09.28.2006 02:34 PM | 21,112,832 | ---- | M] ()

"C:\Programme\Macromedia\Flash MX\Flash.exe" = C:\Programme\Macromedia\Flash MX\Flash.exe:*:Enabled:Flash 6.0 r25
[03.07.2002 09:30 PM | 12,173,312 | ---- | M] (Macromedia, Inc.)

"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console
[08.04.2004 03:00 PM | 00,143,360 | ---- | M] (Microsoft Corporation)

"C:\Programme\Joost\xulrunner\tvprunner.exe" = C:\Programme\Joost\xulrunner\tvprunner.exe:*:Enabled:tvprunner
File not found

"C:\WINDOWS\system32\ElectricSheep.scr" = C:\WINDOWS\system32\ElectricSheep.scr:*:Enabled:ElectricSheep
File not found

"C:\Programme\Internet Explorer\iexplore.exe" = C:\Programme\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
[06.23.2008 11:20 AM | 00,625,664 | ---- | M] (Microsoft Corporation)

"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary
[06.10.2008 01:21 AM | 00,135,168 | ---- | M] (Sun Microsystems, Inc.)

"D:\Setup.exe" = D:\Setup.exe:*:Enabled:Setup
File not found

"C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes
[06.02.2008 11:13 AM | 20,638,504 | ---- | M] (Apple Inc.)

"C:\WINDOWS\system32\drivers\svchost.exe" = C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost
File not found

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = comfile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.html [@ = FirefoxHTML] - [07.03.2008 04:25 AM | 00,307,712 | ---- | M] (Mozilla Corporation) - C:\Programme\Mozilla Firefox\firefox.exe
.js [@ = Reg Error: Value does not exist or could not be read.] - File not found - Reg Error: Key does not exist or could not be opened.
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" /S

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Systemsteuerung
"{10236EC6-5F49-4DD7-B1F2-AC4BE23B0442}_is1" = FastCrawl Version 1.03
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2500_series" = Canon iP2500 series
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{311F799A-FCE9-4D9E-B5D2-CBB8859B40BB}" = Microsoft XNA Framework Redistributable 1.0 Refresh
"{3154B949-F183-4C31-9693-1F97DB3CF68C}_is1" = SEPY ActionScript Editor
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}" = Macromedia Flash MX
"{3EB6332B-AF02-457C-A31C-835458C5B48B}" = TOSHIBA Benutzerhandbücher
"{43721D86-16D1-46BF-8353-37CD82333BC3}" = OpenOffice.org 2.4
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{4B1FA220-DF45-47E0-A3B5-F2576C801489}" = "WPF/E" (codename) Community Technology Preview (Dec 2006)
"{56F6A91D-46D4-4919-ABE6-55BD17DEB039}" = SweetMovieLife 1.0E
"{5D96E2B1-D9AC-46E0-9073-425C5F63E338}" = Touch and Launch
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zoom-Dienstprogramm
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{7472B5B4-3FB7-446F-BC78-6BBA506EC473}" = Opera 9.50
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = MacromediaDreamweaver MX
"{8B4AE751-7055-4518-87B0-E148A8D50D0A}" = Macromedia FreeHand MX
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{91057632-CA70-413C-B628-2D3CDBBB906B}" = Macromedia Flash Player 8 Plugin
"{91A10407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9F70BF98-003C-491D-81FC-FF9792206AF0}" = iTunes
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{AC76BA86-7AD7-1031-7B44-A70900000002}" = Adobe Reader 7.0.9 - Deutsch
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D1014B9B-5704-4B27-B581-1C19B72528D1}" = Panasonic DVC USB Driver
"{E07C71A6-1576-4F7F-8856-B1C439E669AC}" = MotionDV STUDIO 5.6E LE for DV
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{EB1B8449-CD8F-485B-ADB6-02FBCFE180D3}" = DeathAdder™ Mouse
"{EC1F15E1-F3CC-46EE-B7A5-849A08ED60DC}}_is1" = PantsOff 2.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F81B7B81-6458-4A38-A261-BC163E16EB8B}" = DirMS-S
"7-Zip" = 7-Zip 4.42
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AFPL Ghostscript 8.54" = AFPL Ghostscript 8.54
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"All ATI Software" = ATI - Software Uninstall Utility
"Aspell German Dictionary_is1" = Aspell German Dictionary-0.50-2
"AstroWorld 2003 Millennium" = AstroWorld 2003 Millennium
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"BLOCKSUM_is1" = Uninstall BLOCKSUM
"Canon iP2500 series Benutzerregistrierung" = Canon iP2500 series Benutzerregistrierung
"CCleaner" = CCleaner (remove only)
"CCS64 V3.1" = CCS64 V3.1
"CDisplay_is1" = CDisplay 1.8
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"dBpowerAMP WMA V9.1 Codec" = dBpowerAMP WMA V9.1 Codec
"dm Fotowelt" = dm Fotowelt
"EPSON Printer and Utilities" = EPSON-Drucker-Software
"FileZilla Client" = FileZilla Client 3.0.2.1
"Flickr Uploadr" = Flickr Uploadr 2.5.0.15
"Foxit Reader" = Foxit Reader
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.10.13 rev a (nur entfernen)
"HealthMonitor" = HealthMonitor 3.1
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InfraRecorder" = InfraRecorder
"InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"InstallShield_{D1014B9B-5704-4B27-B581-1C19B72528D1}" = Panasonic DVC USB Driver
"iScrobbler" = iScrobbler
"JAlbum_0" = JAlbum 6.5
"Juniper Network Connect 5.3.0" = Juniper Networks Network Connect 5.3.0
"KB873333" = Windows XP-Hotfix - KB873333
"KB873339" = Windows XP-Hotfix - KB873339
"KB884018" = Windows XP-Hotfix - KB884018
"KB885250" = Windows XP-Hotfix - KB885250
"KB885835" = Windows XP-Hotfix - KB885835
"KB885836" = Windows XP-Hotfix - KB885836
"KB885855" = Windows XP-Hotfix - KB885855
"KB886185" = Windows XP-Hotfix - KB886185
"KB887472" = Windows XP-Hotfix - KB887472
"KB887742" = Windows XP-Hotfix - KB887742
"KB888111WXPSP2" = High Definition Audio Driver Package - KB888111
"KB888113" = Windows XP-Hotfix - KB888113
"KB888302" = Windows XP-Hotfix - KB888302
"KB889673" = Windows XP-Hotfix - KB889673
"KB890046" = Sicherheitsupdate für Windows XP (KB890046)
"KB890175" = Windows XP-Hotfix - KB890175
"KB890859" = Windows XP-Hotfix - KB890859
"KB891781" = Windows XP-Hotfix - KB891781
"KB893056" = Windows XP-Hotfix - KB893056
"KB893066" = Sicherheitsupdate für Windows XP (KB893066)
"KB893357" = Hotfix für Windows XP (KB893357)
"KB893756" = Sicherheitsupdate für Windows XP (KB893756)
"KB893803v2" = Windows Installer 3.1 (KB893803)
"KB894391" = Update für Windows XP (KB894391)
"KB894871" = Hotfix für Windows XP (KB894871)
"KB895200" = Windows XP-Hotfix - KB895200
"KB896358" = Sicherheitsupdate für Windows XP (KB896358)
"KB896422" = Sicherheitsupdate für Windows XP (KB896422)
"KB896423" = Sicherheitsupdate für Windows XP (KB896423)
"KB896424" = Sicherheitsupdate für Windows XP (KB896424)
"KB896428" = Sicherheitsupdate für Windows XP (KB896428)
"KB896688" = Sicherheitsupdate für Windows XP (KB896688)
"KB898458" = Sicherheitsupdate für Step by Step Interactive Training (KB898458)
"KB898461" = Update für Windows XP (KB898461)
"KB899587" = Sicherheitsupdate für Windows XP (KB899587)
"KB899589" = Sicherheitsupdate für Windows XP (KB899589)
"KB899591" = Sicherheitsupdate für Windows XP (KB899591)
"KB900485" = Update für Windows XP (KB900485)
"KB900725" = Sicherheitsupdate für Windows XP (KB900725)
"KB901017" = Sicherheitsupdate für Windows XP (KB901017)
"KB901214" = Sicherheitsupdate für Windows XP (KB901214)
"KB902400" = Sicherheitsupdate für Windows XP (KB902400)
"KB904706" = Sicherheitsupdate für Windows XP (KB904706)
"KB904942" = Update für Windows XP (KB904942)
"KB905414" = Sicherheitsupdate für Windows XP (KB905414)
"KB905749" = Sicherheitsupdate für Windows XP (KB905749)
"KB908519" = Sicherheitsupdate für Windows XP (KB908519)
"KB908531" = Update für Windows XP (KB908531)
"KB910437" = Update für Windows XP (KB910437)
"KB911280" = Sicherheitsupdate für Windows XP (KB911280)
"KB911562" = Sicherheitsupdate für Windows XP (KB911562)
"KB911564" = Sicherheitsupdate für Windows Media Player (KB911564)
"KB911565" = Sicherheitsupdate für Windows Media Player 10 (KB911565)
"KB911567" = Sicherheitsupdate für Windows XP (KB911567)
"KB911927" = Sicherheitsupdate für Windows XP (KB911927)
"KB912812" = Sicherheitsupdate für Windows XP (KB912812)
"KB912919" = Sicherheitsupdate für Windows XP (KB912919)
"KB913446" = Sicherheitsupdate für Windows XP (KB913446)
"KB913580" = Sicherheitsupdate für Windows XP (KB913580)
"KB914388" = Sicherheitsupdate für Windows XP (KB914388)
"KB914389" = Sicherheitsupdate für Windows XP (KB914389)
"KB914440" = Hotfix für Windows XP (KB914440)
"KB915865" = Hotfix für Windows XP (KB915865)
"KB916281" = Sicherheitsupdate für Windows XP (KB916281)
"KB916595" = Update für Windows XP (KB916595)
"KB917159" = Sicherheitsupdate für Windows XP (KB917159)
"KB917344" = Sicherheitsupdate für Windows XP (KB917344)
"KB917422" = Sicherheitsupdate für Windows XP (KB917422)
"KB917953" = Sicherheitsupdate für Windows XP (KB917953)
"KB918118" = Sicherheitsupdate für Windows XP (KB918118)
"KB918439" = Sicherheitsupdate für Windows XP (KB918439)
"KB919007" = Sicherheitsupdate für Windows XP (KB919007)
"KB920213" = Sicherheitsupdate für Windows XP (KB920213)
"KB920214" = Sicherheitsupdate für Windows XP (KB920214)
"KB920670" = Sicherheitsupdate für Windows XP (KB920670)
"KB920683" = Sicherheitsupdate für Windows XP (KB920683)
"KB920685" = Sicherheitsupdate für Windows XP (KB920685)
"KB920872" = Update für Windows XP (KB920872)
"KB921398" = Sicherheitsupdate für Windows XP (KB921398)
"KB921503" = Sicherheitsupdate für Windows XP (KB921503)
"KB921883" = Sicherheitsupdate für Windows XP (KB921883)
"KB922582" = Update für Windows XP (KB922582)
"KB922616" = Sicherheitsupdate für Windows XP (KB922616)
"KB922819" = Sicherheitsupdate für Windows XP (KB922819)
"KB923191" = Sicherheitsupdate für Windows XP (KB923191)
"KB923414" = Sicherheitsupdate für Windows XP (KB923414)
"KB923694" = Sicherheitsupdate für Windows XP (KB923694)
"KB923723" = Sicherheitsupdate für Step by Step Interactive Training (KB923723)
"KB923980" = Sicherheitsupdate für Windows XP (KB923980)
"KB924191" = Sicherheitsupdate für Windows XP (KB924191)
"KB924270" = Sicherheitsupdate für Windows XP (KB924270)
"KB924496" = Sicherheitsupdate für Windows XP (KB924496)
"KB924667" = Sicherheitsupdate für Windows XP (KB924667)
"KB925398_WMP64" = Sicherheitsupdate für Windows Media Player 6.4 (KB925398)
"KB925902" = Sicherheitsupdate für Windows XP (KB925902)
"KB926239" = Hotfix for Windows XP (KB926239)
"KB926255" = Sicherheitsupdate für Windows XP (KB926255)
"KB926436" = Sicherheitsupdate für Windows XP (KB926436)
"KB927779" = Sicherheitsupdate für Windows XP (KB927779)
"KB927802" = Sicherheitsupdate für Windows XP (KB927802)
"KB927891" = Update für Windows XP (KB927891)
"KB928090-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB928090)
"KB928255" = Sicherheitsupdate für Windows XP (KB928255)
"KB928843" = Sicherheitsupdate für Windows XP (KB928843)
"KB929123" = Sicherheitsupdate für Windows XP (KB929123)
"KB929338" = Update für Windows XP (KB929338)
"KB929399" = Hotfix for Windows Media Format 11 SDK (KB929399)
"KB929969" = Sicherheitsupdate für Windows Internet Explorer 7 (KB929969)
"KB930178" = Sicherheitsupdate für Windows XP (KB930178)
"KB930916" = Update für Windows XP (KB930916)
"KB931261" = Sicherheitsupdate für Windows XP (KB931261)
"KB931768-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB931768)
"KB931784" = Sicherheitsupdate für Windows XP (KB931784)
"KB931836" = Update für Windows XP (KB931836)
"KB932168" = Sicherheitsupdate für Windows XP (KB932168)
"KB932823-v3" = Update für Windows XP (KB932823-v3)
"KB933360" = Update für Windows XP (KB933360)
"KB933566-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB933566)
"KB933729" = Sicherheitsupdate für Windows XP (KB933729)
"KB935448" = Hotfix für Windows XP (KB935448)
"KB935839" = Sicherheitsupdate für Windows XP (KB935839)
"KB935840" = Sicherheitsupdate für Windows XP (KB935840)
"KB936021" = Sicherheitsupdate für Windows XP (KB936021)
"KB936357" = Update für Windows XP (KB936357)
"KB936782_WMP11" = Sicherheitsupdate für Windows Media Player 11 (KB936782)
"KB937143-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB937143)
"KB938127-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB938127)
"KB938828" = Update für Windows XP (KB938828)
"KB938829" = Sicherheitsupdate für Windows XP (KB938829)
"KB939653-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB939653)
"KB939683" = Hotfix für Windows Media Player 11 (KB939683)
"KB941202" = Sicherheitsupdate für Windows XP (KB941202)
"KB941568" = Sicherheitsupdate für Windows XP (KB941568)
"KB941569" = Sicherheitsupdate für Windows XP (KB941569)
"KB941644" = Sicherheitsupdate für Windows XP (KB941644)
"KB941693" = Sicherheitsupdate für Windows XP (KB941693)
"KB942615-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB942615)
"KB942763" = Update für Windows XP (KB942763)
"KB943055" = Sicherheitsupdate für Windows XP (KB943055)
"KB943460" = Sicherheitsupdate für Windows XP (KB943460)
"KB943485" = Sicherheitsupdate für Windows XP (KB943485)
"KB944533-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB944533)
"KB944653" = Sicherheitsupdate für Windows XP (KB944653)
"KB945553" = Sicherheitsupdate für Windows XP (KB945553)
"KB946026" = Sicherheitsupdate für Windows XP (KB946026)
"KB947864-IE7" = Hotfix für Windows Internet Explorer 7 (KB947864)
"KB948590" = Sicherheitsupdate für Windows XP (KB948590)
"KB948881" = Sicherheitsupdate für Windows XP (KB948881)
"KB950749" = Sicherheitsupdate für Windows XP (KB950749)
"KB950759-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB950759)
"KB950760" = Sicherheitsupdate für Windows XP (KB950760)
"KB950762" = Sicherheitsupdate für Windows XP (KB950762)
"KB950974" = Sicherheitsupdate für Windows XP (KB950974)
"KB951066" = Sicherheitsupdate für Windows XP (KB951066)
"KB951072-v2" = Update für Windows XP (KB951072-v2)
"KB951376" = Sicherheitsupdate für Windows XP (KB951376)
"KB951376-v2" = Sicherheitsupdate für Windows XP (KB951376-v2)
"KB951698" = Sicherheitsupdate für Windows XP (KB951698)
"KB951748" = Sicherheitsupdate für Windows XP (KB951748)
"KB952287" = Hotfix für Windows XP (KB952287)
"KB952954" = Sicherheitsupdate für Windows XP (KB952954)
"KB953838-IE7" = Sicherheitsupdate für Windows Internet Explorer 7 (KB953838)
"KB953839" = Sicherheitsupdate für Windows XP (KB953839)
"Knytt_is1" = Knytt 1.0.1
"LastFM_is1" = Last.fm 1.5.1.30182
"M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1)
"Mozilla Thunderbird (2.0.0.16)" = Mozilla Thunderbird (2.0.0.16)
"MrRobot_is1" = MrRobot 1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSConfig CleanUp_is1" = MSConfig CleanUp 1.2
"MultipleIEs_is1" = MultipleIEs
"MusicBrainz Picard" = MusicBrainz Picard 0.7.2
"MUSTEK 1200 CU PLUS v1.2" = MUSTEK 1200 CU PLUS v1.2
"New Star Soccer 3" = New Star Soccer 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"PC-Diagnose-Tool" = TOSHIBA PC-Diagnose-Tool
"Picasa2" = Picasa 2
"Power Saver" = TOSHIBA Power Saver
"Pure Sudoku_is1" = Pure Sudoku 1.11
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.71
"RocketDock_is1" = RocketDock 1.3.5
"RPG Maker 2000 1.05" = RPG Maker 2000 1.05
"RTP for RM2K (Png, Wav, Midi, Fonts)" = RTP for RM2K (Png, Wav, Midi, Fonts)
"SciTE Source Code Editor_is1" = SciTE 1.57
"SE|PY ActionScript Editor" = SE|PY ActionScript Editor 1.5.3.6
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Soulseek" = SoulSeek Client 156c
"SShockDeinstallKey" = System Shock2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SysJewel_is1" = SysJewel 1.1, Build 100
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"tvbrowser" = TV-Browser 2.6
"VLC media player" = VideoLAN VLC media player 0.8.5
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"What's Running_is1" = What's Running 2.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XnView_is1" = XnView 1.82.4
"xp-AntiSpy" = xp-AntiSpy 3.95-2
"xplorer2l" = xplorer² lite

========== HKEY_CURRENT_USER Uninstall List ==========


========== Last 10 Event Log Errors ==========


[ Antivirus Events ]
Error - 19.10.2007 21:06:08 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://ubuntu.interg...esktop-i386.iso failed,
00000084.

Error - 19.10.2007 21:57:49 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://debian.nctu.e...esktop-i386.iso failed,
00000084.

Error - 20.10.2007 18:45:16 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://files.aehunte...ernate-i386.iso
failed, 00000084.

Error - 20.10.2007 18:50:15 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://core2.joejaxx...ernate-i386.iso
failed, 00000084.

Error - 20.10.2007 21:43:58 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://cdimage.ubunt...ernate-i386.iso
failed, 00000084.

Error - 20.10.2007 21:56:03 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://cdimage.ubunt...ernate-i386.iso
failed, 00000084.

Error - 08.08.2008 18:12:29 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.cyrillus....20.swf?nologo=1 failed,
0000A413.

Error - 08.08.2008 18:12:29 - Computer Name = SONIASLAPTOP - User Name = User SID not found - Source = avast!
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's get the big guy on it and then run another analysis programme to get the residue.

FIRST
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

DO NOT REBOOT

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Folders to delete:
C:\WINDOWS\System32\sysproc64

Files to replace with dummy:
C:\WINDOWS\system32\oembios.exe

Files to delete:
C:\WINDOWS\System32\phc31pj0ej0c.bmp
C:\Windows\system32\oembios.dat
C:\Windows\system32\oembios.bin

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

THEN

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio button for Drivers Non-Microsoft
  • Check the Radio button for Rootkit search
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Logs required: Avenger, and attach the OTScanit log
  • 0
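The F2 entry above is the point of this fix: Winlogon runs every program listed in the UserInit value at logon, before the shell, so a second entry appended after Userinit.exe (here oembios.exe) is a persistence point that does not show up in the usual Run keys. As an added example (not code from this thread, HijackThis or Essexboy), here is a small Python script that reads HijackThis log lines and returns the extra UserInit entries, plus the O23 services whose owner HijackThis could not attribute. The sample lines are copied from the log posted later in this thread; the function names and the expected Userinit.exe file name are my assumptions.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread (F2, one O4 and three O23 entries), so the checks run on real-looking input.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Programme\MATCO\DirmsService.exe
"""

# Winlogon normally runs exactly this one program from the UserInit value.
EXPECTED_USERINIT = "userinit.exe"

USERINIT_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
SERVICE_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def userinit_extras(log_text):
    """Return every program in the F2 UserInit value other than Userinit.exe.

    The value is a comma-separated list; Winlogon starts each entry at logon,
    before the shell, so anything appended here (oembios.exe in this thread)
    runs even if Explorer is never started.
    """
    extras = []
    for line in log_text.splitlines():
        m = USERINIT_LINE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if not entry:
                continue
            filename = entry.lower().rsplit("\\", 1)[-1]
            if filename != EXPECTED_USERINIT:
                extras.append(entry)
    return extras


def unknown_owner_services(log_text):
    """Return (service name, image path) for O23 entries with an unknown owner.

    An unknown owner is not proof of malice (ACS here is the Atheros wireless
    configuration service), but it is the first place to look for a service
    whose image was dropped by malware.
    """
    found = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m and m.group(2).strip().lower() == "unknown owner":
            found.append((m.group(1).strip(), m.group(3).strip()))
    return found


if __name__ == "__main__":
    for entry in userinit_extras(SAMPLE_HJT_LOG):
        print("UserInit extra entry:", entry)
    for name, image in unknown_owner_services(SAMPLE_HJT_LOG):
        print("Service with unknown owner:", name, "->", image)
```

Run against a full HijackThis log the script lists oembios.exe as the only extra UserInit entry; the unknown-owner list is a review queue, not a verdict, so each path still needs a look at the file's publisher and location.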

#8
madschnun

madschnun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hello Essexboy,

after Avenger.exe rebooted, I had to re-enter my activation code for XP, which I did, and now I feel terribly stupid for that.

Here are the logs

Hijack:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:00, on 01.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Alwil Software\Avast4\setup\avast.setup
C:\Programme\Mozilla Thunderbird\thunderbird.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TPSMain] "C:\WINDOWS\system32\TPSMain.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.krone...perSetupSP1.cab
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Programme\MATCO\DirmsService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Programme\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5700 bytes

Avenger:





Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\TDSSserv.sys
Start Type: 1 (System)

Rootkit scan completed.

Folder "C:\WINDOWS\System32\sysproc64" deleted successfully.
File "C:\WINDOWS\system32\oembios.exe" replaced with dummy successfully.
File "C:\WINDOWS\System32\phc31pj0ej0c.bmp" deleted successfully.
File "C:\Windows\system32\oembios.dat" deleted successfully.
File "C:\Windows\system32\oembios.bin" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Attached Files


  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, Avenger found the driver, so now let's kill it and try ComboFix again.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Drivers to delete:
tdssserv

Files to delete:
C:\windows\system32\TDSSserv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

ON COMPLETION

Run Combofix again
  • 0

#10
madschnun

madschnun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:44:40, on 01.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programme\HijackThis\HijackThis.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TPSMain] "C:\WINDOWS\system32\TPSMain.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.krone...perSetupSP1.cab
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Programme\MATCO\DirmsService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Programme\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5596 bytes

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\TDSSserv.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "tdssserv" deleted successfully.

Error: file "C:\windows\system32\TDSSserv.sys" not found!
Deletion of file "C:\windows\system32\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

combofix:
ComboFix 08-08-30.03 - Saturn 2008-09-01 23:48:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.135 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Saturn\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\sysproc64
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\sysproc64\sysproc32.sys
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\sysproc64
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\sysproc64\sysproc32.sys
C:\WINDOWS\system32\_000000_.tmp.dll
C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((( Dateien erstellt von 2008-08-01 bis 2008-09-01 ))))))))))))))))))))))))))))))
.

2008-09-01 22:58 . 2008-09-01 22:58 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-01 08:29 . 2008-09-01 08:29 <DIR> d-------- C:\_OTMoveIt
2008-09-01 08:13 . 2008-09-01 08:16 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-25 10:15 . 2008-08-25 10:15 <DIR> d-------- C:\!KillBox
2008-08-25 01:25 . 2008-08-25 01:25 <DIR> d-------- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Juniper Networks
2008-08-24 20:49 . 2008-08-24 20:49 <DIR> d-------- C:\Programme\MATCO
2008-08-24 15:48 . 2008-08-24 15:48 <DIR> d-------- C:\Programme\VS Revo Group
2008-08-17 15:48 . 2008-08-17 15:49 <DIR> d-------- C:\Programme\OpenOffice.org 2.4
2008-08-17 15:39 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 13:54 . 2008-08-17 14:02 <DIR> d-------- C:\Programme\DOSBox-0.72
2008-08-14 09:04 . 2008-05-01 16:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 21:45 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-08-24 18:28 --------- d-----w C:\Programme\Macromedia
2008-08-24 18:20 --------- d-----w C:\Programme\Opera
2008-08-24 18:15 --------- d-----w C:\Programme\Gemeinsame Dateien\Macromedia
2008-08-24 18:12 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-08-24 14:54 --------- d-----w C:\Programme\Google
2008-08-24 14:49 --------- d-----w C:\Dokumente und Einstellungen\Saturn\Anwendungsdaten\Azureus
2008-08-24 14:19 --------- d-----w C:\Programme\Bradbury
2008-08-24 14:10 --------- d-----w C:\Dokumente und Einstellungen\Saturn\Anwendungsdaten\FileZilla
2008-08-24 13:47 --------- d-----w C:\Programme\Java
2008-08-19 13:39 --------- d-----w C:\Dokumente und Einstellungen\Saturn\Anwendungsdaten\OpenOffice.org2
2008-08-17 13:47 --------- d-----w C:\Programme\OpenOffice.org 2.3
2008-07-07 20:16 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 20:31 --------- d-----w C:\Programme\Gemeinsame Dateien\AstroWorld Shared
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:14 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-05-06 16:42 7,260,160 ----a-w C:\Programme\mozilla firefox\plugins\libvlc.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-15 00:28 98394]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-15 00:26 688218]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"TPSMain"="C:\WINDOWS\system32\TPSMain.exe" [2005-08-03 17:16 266240]
"AGRSMMSG"="C:\WINDOWS\AGRSMMSG.exe" [2005-10-15 15:29 88203]
"ATIPTA"="C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-05 22:05 344064]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 20:14 15473664 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 13:34 1077328 C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-04 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"O&O Defrag"=2 (0x2)
"iPod Service"=3 (0x3)
"HealthMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe"
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Soulseek\\slsk.exe"=
"C:\\Programme\\Last.fm\\LastFM.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Macromedia\\FreeHand MX\\FreeHand MX.exe"=
"C:\\Programme\\Opera\\Opera.exe"=
"C:\\Programme\\JAlbum 6.5\\JAlbumWin.exe"=
"C:\\Programme\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-15 07:05]
S3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2006-11-14 16:29]
S3 FreeOTFE;FreeOTFE;F:\FreeOTFE\FreeOTFE.sys []
S3 FreeOTFECypherAES_Gladman;FreeOTFECypherAES_Gladman;F:\FreeOTFE\FreeOTFECypherAES_Gladman.sys []
S3 FreeOTFECypherAES_ltc;FreeOTFECypherAES_ltc;F:\FreeOTFE\FreeOTFECypherAES_ltc.sys []
S3 FreeOTFECypherBlowfish;FreeOTFECypherBlowfish;F:\FreeOTFE\FreeOTFECypherBlowfish.sys []
S3 FreeOTFECypherCAST5;FreeOTFECypherCAST5;F:\FreeOTFE\FreeOTFECypherCAST5.sys []
S3 FreeOTFECypherCAST6_Gladman;FreeOTFECypherCAST6_Gladman;F:\FreeOTFE\FreeOTFECypherCAST6_Gladman.sys []
S3 FreeOTFECypherDES;FreeOTFECypherDES;F:\FreeOTFE\FreeOTFECypherDES.sys []
S3 FreeOTFECypherNull;FreeOTFECypherNull;F:\FreeOTFE\FreeOTFECypherNull.sys []
S3 FreeOTFECypherRC6_Gladman;FreeOTFECypherRC6_Gladman;F:\FreeOTFE\FreeOTFECypherRC6_Gladman.sys []
S3 FreeOTFECypherRC6_ltc;FreeOTFECypherRC6_ltc;F:\FreeOTFE\FreeOTFECypherRC6_ltc.sys []
S3 FreeOTFECypherSerpent_Gladman;FreeOTFECypherSerpent_Gladman;F:\FreeOTFE\FreeOTFECypherSerpent_Gladman.sys []
S3 FreeOTFECypherTwofish_Gladman;FreeOTFECypherTwofish_Gladman;F:\FreeOTFE\FreeOTFECypherTwofish_Gladman.sys []
S3 FreeOTFECypherTwofish_HifnCS;FreeOTFECypherTwofish_HifnCS;F:\FreeOTFE\FreeOTFECypherTwofish_HifnCS.sys []
S3 FreeOTFECypherTwofish_ltc;FreeOTFECypherTwofish_ltc;F:\FreeOTFE\FreeOTFECypherTwofish_ltc.sys []
S3 FreeOTFECypherXOR;FreeOTFECypherXOR;F:\FreeOTFE\FreeOTFECypherXOR.sys []
S3 FreeOTFEHashMD;FreeOTFEHashMD;F:\FreeOTFE\FreeOTFEHashMD.sys []
S3 FreeOTFEHashNull;FreeOTFEHashNull;F:\FreeOTFE\FreeOTFEHashNull.sys []
S3 FreeOTFEHashRIPEMD;FreeOTFEHashRIPEMD;F:\FreeOTFE\FreeOTFEHashRIPEMD.sys []
S3 FreeOTFEHashSHA;FreeOTFEHashSHA;F:\FreeOTFE\FreeOTFEHashSHA.sys []
S3 FreeOTFEHashTiger;FreeOTFEHashTiger;F:\FreeOTFE\FreeOTFEHashTiger.sys []
S3 FreeOTFEHashWhirlpool;FreeOTFEHashWhirlpool;F:\FreeOTFE\FreeOTFEHashWhirlpool.sys []
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []
S3 S6U12AScanner;MUSTEK 1200 CU PLUS Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]
S4 HealthMonitor;HealthMonitor;C:\Programme\HealthMonitor\HealthMonitor.exe [2006-04-27 11:46]

*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-06-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2006-05-26 C:\WINDOWS\Tasks\Registrierungserinnerung 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2006-05-26 C:\WINDOWS\Tasks\Registrierungserinnerung 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2006-05-26 C:\WINDOWS\Tasks\Registrierungserinnerung 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Saturn\Anwendungsdaten\Mozilla\Firefox\Profiles\d8rgchpl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/
FF -: plugin - C:\Programme\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programme\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npvlc.dll
FF -: plugin - C:\Programme\Opera\program\plugins\npdivx32.dll
FF -: plugin - C:\Programme\WPFe\npag.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 23:51:16
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-09-01 23:55:06
ComboFix-quarantined-files.txt 2008-09-01 21:55:00

Pre-Run: 17 Verzeichnis(se), 19,705,790,464 Bytes frei
Post-Run: 20 Verzeichnis(se), 19,697,467,392 Bytes frei

173 --- E O F --- 2008-08-15 17:41:48
  • 0
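Both Avenger logs above report the hidden driver with ImagePath \systemroot\system32\drivers\TDSSserv.sys, while the script in post #9 lists C:\windows\system32\TDSSserv.sys (no drivers subfolder) under Files to delete, and the second log shows that deletion failing with STATUS_OBJECT_NAME_NOT_FOUND. As an added example (not the thread's own code and not part of The Avenger), here is a Python parser that pulls the rootkit-scan findings and failed deletions out of an Avenger log and checks whether the script's file targets match the reported ImagePath. It assumes the log is UTF-16 with a byte-order mark (consistent with how it was pasted here, with a gap between every character), that \systemroot maps to C:\WINDOWS, and that Avenger scripts list file paths under a "Files to delete:" header; the sample log is an excerpt constructed from the lines above.

```python
import re

# Constructed sample: an excerpt of the second Avenger log in this thread, as it
# reads after decoding (one event per line).
SAMPLE_AVENGER_LOG = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

Rootkit scan active.

Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\TDSSserv.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "tdssserv" deleted successfully.

Error: file "C:\windows\system32\TDSSserv.sys" not found!
Deletion of file "C:\windows\system32\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
"""

# The script from post #9, as the user pasted it into Avenger.
SAMPLE_SCRIPT = r"""
Drivers to delete:
tdssserv

Files to delete:
C:\windows\system32\TDSSserv.sys
"""

HIDDEN_DRIVER = re.compile(r'Hidden driver "([^"]+)" found!')
IMAGE_PATH = re.compile(r"ImagePath:\s*(\S+)")
START_TYPE = re.compile(r"Start Type:\s*(\d+)")
DELETE_FAILED = re.compile(r'Deletion of file "([^"]+)" failed!')


def load_avenger_log(raw):
    """Decode avenger.txt from bytes.

    Assumption: the file is UTF-16 with a byte-order mark. Read as 8-bit text it
    shows up as 'L o g f i l e', a gap between every letter, which is how the
    logs in this thread were pasted. Without a BOM fall back to cp1252.
    """
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_avenger_log(text):
    """Return (hidden drivers, failed deletions).

    Each hidden driver is a dict with name, image_path and start_type taken from
    the three lines the rootkit scan prints; failed deletions are file paths.
    """
    drivers, failed, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if HIDDEN_DRIVER.search(line):
            current = {"name": HIDDEN_DRIVER.search(line).group(1),
                       "image_path": None, "start_type": None}
            drivers.append(current)
        elif current is not None and IMAGE_PATH.search(line):
            current["image_path"] = IMAGE_PATH.search(line).group(1)
        elif current is not None and START_TYPE.search(line):
            current["start_type"] = int(START_TYPE.search(line).group(1))
        elif DELETE_FAILED.search(line):
            failed.append(DELETE_FAILED.search(line).group(1))
    return drivers, failed


def expand_systemroot(path, windir=r"C:\WINDOWS"):
    """Turn the kernel-style systemroot prefix into a Win32 path (windir is an assumption)."""
    if path.lower().startswith("\\systemroot\\"):
        return windir + path[len("\\systemroot"):]
    return path


def script_covers_drivers(script_text, drivers, windir=r"C:\WINDOWS"):
    """Map each hidden driver name to True/False: does the 'Files to delete:'
    section of the script name the file the scan reported as ImagePath?"""
    targets, in_files = set(), False
    for line in script_text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.endswith(":"):                      # section header
            in_files = s.lower() == "files to delete:"
        elif in_files:
            targets.add(s.lower())
    return {d["name"]: expand_systemroot(d["image_path"], windir).lower() in targets
            for d in drivers if d["image_path"]}


if __name__ == "__main__":
    text = load_avenger_log(SAMPLE_AVENGER_LOG.encode("utf-16"))
    drivers, failed = parse_avenger_log(text)
    print("hidden drivers:", drivers)
    print("failed deletions:", failed)
    print("script names the reported driver file:", script_covers_drivers(SAMPLE_SCRIPT, drivers))
```

For this thread the check returns False for tdssserv, which is what the not-found error in the log says in its own words: the registry entry for the driver was removed, but the path the script named is not the path the scan reported, so the .sys file itself was not touched by Avenger (ComboFix's later run then listed the remaining tdss*.dll files). Running the comparison before executing a script turns that into a review step rather than a surprise in the log.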

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
And so die all who mess with the geeks :)

OK, it is now a tidying-up exercise.

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\tdssserf.dll
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now for the orphans

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0

#12
madschnun

madschnun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
This looks promising, is this it?

DllUnregisterServer procedure not found in C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssserf.dll NOT unregistered.
C:\WINDOWS\system32\tdssserf.dll moved successfully.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09022008_000657


Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1103
Windows 5.1.2600 Service Pack 2

00:13:57 02.09.2008
mbam-log-09-02-2008 (00-13-57).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 38816
Laufzeit: 4 minute(s), 8 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
  • 0
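The MBAM log above lists its findings in a fixed layout: a block of per-category counts, then one section per category with one detection per line. The following is an added example, not code from this thread or from Malwarebytes: a small Python parser that reads that layout, extracts each detection (the registry value or file, the detection name and the action taken), and cross-checks the per-section counts against the entries actually listed, which is a useful sanity check when triaging logs from several machines. The embedded sample is the log posted above; the assumption that every MBAM 1.x log uses the same "Label: N" summary followed by "Label:" section headers is mine, not something the thread states.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Sample input: the Malwarebytes' Anti-Malware 1.25 log posted in this thread
# (German-language labels, exactly as the program wrote them).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1103
Windows 5.1.2600 Service Pack 2

00:13:57 02.09.2008
mbam-log-09-02-2008 (00-13-57).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 38816
Laufzeit: 4 minute(s), 8 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
"""


@dataclass
class Detection:
    section: str   # category header the entry was listed under
    item: str      # registry key/value, file or folder that was detected
    name: str      # MBAM detection name, e.g. Hijack.Wallpaper
    action: str    # what MBAM did with it


# Summary line: "<label>: <count>"; section header: "<label>:" with no count.
# The "Infizierte" prefix is the German label MBAM used in this log (assumed
# constant for a given language build).
SUMMARY_RE = re.compile(r"^(Infizierte [^:]+):\s*(\d+)$")
HEADER_RE = re.compile(r"^(Infizierte [^:]+):$")
# Detection line: "<item> (<name>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary_counts, detections) parsed from an MBAM 1.x log."""
    summary = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the current section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("("):
            continue                # preamble, or "(no malicious objects found)"
        m = ENTRY_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"),
                                        m.group("name"), m.group("action")))
    return summary, detections


def check_consistency(summary, detections):
    """Map each category whose summary count disagrees with the listed
    entries to (claimed, listed). Empty dict means the log is consistent."""
    listed = Counter(d.section for d in detections)
    return {sec: (n, listed.get(sec, 0))
            for sec, n in summary.items() if n != listed.get(sec, 0)}


def detections_by_name(detections):
    """Group detected items by detection name for a quick triage view."""
    grouped = defaultdict(list)
    for d in detections:
        grouped[d.name].append(d.item)
    return dict(grouped)


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    for name, items in detections_by_name(dets).items():
        print(f"{name}: {len(items)} item(s)")
        for item in items:
            print("   ", item)
    mismatch = check_consistency(summary, dets)
    print("counts consistent" if not mismatch else f"mismatch: {mismatch}")
```

Run against the posted log this reports five Hijack.Wallpaper items under the one category and no count mismatch; a log whose summary claims more detections than it lists (a truncated paste, for instance) shows up in the mismatch dictionary instead.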

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
All I can say is subject to no further problems .....

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#14
madschnun

madschnun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you Essexboy, thank you very much,

Paypal is on its way

bye,
Jan
  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
