PC Crash 2. Try


Hello Bert24 and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

For future reference, please include the logs as posts rather than as attachments; it makes them easier for me to read that way ;).

-------------

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure Advanced Mode is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck Resident TeaTimer and OK any prompts

You can re-enable TeaTimer once your system is clean.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • how the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Please go here to see a list of programs that should be disabled.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log
  • Security Check checkup.txt

How is your computer running now?


Hello D-Fred-Brown,

thank you very much for your support.

Here are the logs and also attached.

2011/06/28 11:45:11.0859 5256 TDSS rootkit removing tool 2.5.6.0 Jun 27 2011 15:22:52

2011/06/28 11:45:13.0265 5256 ================================================================================

2011/06/28 11:45:13.0265 5256 SystemInfo:

2011/06/28 11:45:13.0265 5256

2011/06/28 11:45:13.0265 5256 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/28 11:45:13.0265 5256 Product type: Workstation

2011/06/28 11:45:13.0265 5256 ComputerName: BERNHARD-9D2F54

2011/06/28 11:45:13.0265 5256 UserName: svjaksch

2011/06/28 11:45:13.0265 5256 Windows directory: C:\WINDOWS

2011/06/28 11:45:13.0265 5256 System windows directory: C:\WINDOWS

2011/06/28 11:45:13.0265 5256 Processor architecture: Intel x86

2011/06/28 11:45:13.0265 5256 Number of processors: 2

2011/06/28 11:45:13.0265 5256 Page size: 0x1000

2011/06/28 11:45:13.0265 5256 Boot type: Normal boot

2011/06/28 11:45:13.0265 5256 ================================================================================

2011/06/28 11:45:20.0015 5256 Initialize success

2011/06/28 11:45:37.0453 1056 ================================================================================

2011/06/28 11:45:37.0453 1056 Scan started

2011/06/28 11:45:37.0453 1056 Mode: Manual;

2011/06/28 11:45:37.0453 1056 ================================================================================

2011/06/28 11:45:46.0515 1056 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0

2011/06/28 11:45:46.0578 1056 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR2

2011/06/28 11:45:48.0531 1056 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk2\DR4

2011/06/28 11:45:48.0625 1056 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR5

2011/06/28 11:45:48.0718 1056 Boot (0x1200) (a8db68bbb4e74c20ef2269338a7ffae1) \Device\Harddisk1\DR2\Partition0

2011/06/28 11:45:48.0750 1056 Boot (0x1200) (8863a84297d9c4202a3a8f15f7eb766d) \Device\Harddisk2\DR4\Partition0

2011/06/28 11:45:48.0781 1056 Boot (0x1200) (458bb86a955a3db77cab95ef4b1cdd28) \Device\Harddisk3\DR5\Partition0

2011/06/28 11:45:48.0796 1056 ================================================================================

2011/06/28 11:45:48.0796 1056 Scan finished

2011/06/28 11:45:48.0796 1056 ================================================================================

2011/06/28 11:45:48.0828 4320 Detected object count: 0

2011/06/28 11:45:48.0828 4320 Actual detected object count: 0

Yours sincerely

Bert

TDSSKiller.2.5.6.0_28.06.2011_11.45.11_log.zip
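A TDSSKiller log like the one above is quick to read by eye once, but not when you have several of them or want to compare scans over time. The Python below is an added example, not part of this thread and not Kaspersky's own code: it parses log lines of the form shown above into the system information, the MBR/boot-sector hashes per device and the detected-object counts, and then compares the sector hashes against a baseline recorded from an earlier known-good scan, because a changed MBR hash is worth a look even when the detection count is zero. The sample log is taken from the post above (abridged); the baseline dictionary, the ScanSummary type and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One TDSSKiller log line: "YYYY/MM/DD HH:MM:SS.mmmm <pid> <message>" (message may be empty)
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s*(.*)$")
# Sector records: "MBR (0x1B8) (<md5>) \Device\Harddisk0\DR0" and
# "Boot (0x1200) (<md5>) \Device\Harddisk1\DR2\Partition0"
SECTOR_RE = re.compile(r"^(MBR|Boot)\s+\((0x[0-9A-Fa-f]+)\)\s+\(([0-9a-f]{32})\)\s+(\S+)$")
COUNT_RE = re.compile(r"^(Actual )?[Dd]etected object count:\s*(\d+)$")
VERSION_RE = re.compile(r"^TDSS rootkit removing tool (\S+)")
# "Key: value" lines of the SystemInfo block (OS Version, ComputerName, ...)
KEY_VALUE_RE = re.compile(r"^([A-Za-z ]+?):\s*(.+)$")


@dataclass
class ScanSummary:
    tool_version: Optional[str] = None
    system_info: Dict[str, str] = field(default_factory=dict)
    # device path -> (kind, sector size in bytes, md5 of the sector)
    sectors: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)
    detected: Optional[int] = None
    actual_detected: Optional[int] = None
    unparsed: List[str] = field(default_factory=list)  # lines that did not fit the format


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Parse a TDSSKiller log (as pasted in the post above) into a ScanSummary."""
    summary = ScanSummary()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            summary.unparsed.append(raw)  # e.g. a line damaged in copy/paste
            continue
        msg = m.group(3).strip()
        if not msg or set(msg) == {"="}:  # empty message or "=====" separator
            continue
        if (s := SECTOR_RE.match(msg)):
            kind, size, md5, device = s.groups()
            summary.sectors[device] = (kind, int(size, 16), md5)
        elif (c := COUNT_RE.match(msg)):
            if c.group(1):
                summary.actual_detected = int(c.group(2))
            else:
                summary.detected = int(c.group(2))
        elif (v := VERSION_RE.match(msg)):
            summary.tool_version = v.group(1)
        elif (kv := KEY_VALUE_RE.match(msg)):
            summary.system_info[kv.group(1).strip()] = kv.group(2).strip()
    return summary


def sector_changes(summary: ScanSummary, baseline: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Devices whose MBR/boot-sector hash differs from (or is missing in) a baseline
    of device -> md5 recorded from an earlier known-good scan."""
    return {
        device: (baseline.get(device), md5)
        for device, (_kind, _size, md5) in summary.sectors.items()
        if baseline.get(device) != md5
    }


# Log lines taken from the TDSSKiller output in the post above (abridged).
SAMPLE_LOG = r"""
2011/06/28 11:45:11.0859 5256 TDSS rootkit removing tool 2.5.6.0 Jun 27 2011 15:22:52
2011/06/28 11:45:13.0265 5256 ================================================================================
2011/06/28 11:45:13.0265 5256 SystemInfo:
2011/06/28 11:45:13.0265 5256
2011/06/28 11:45:13.0265 5256 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/28 11:45:13.0265 5256 Product type: Workstation
2011/06/28 11:45:13.0265 5256 ComputerName: BERNHARD-9D2F54
2011/06/28 11:45:13.0265 5256 Windows directory: C:\WINDOWS
2011/06/28 11:45:13.0265 5256 Processor architecture: Intel x86
2011/06/28 11:45:20.0015 5256 Initialize success
2011/06/28 11:45:37.0453 1056 Scan started
2011/06/28 11:45:37.0453 1056 Mode: Manual;
2011/06/28 11:45:46.0515 1056 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0
2011/06/28 11:45:46.0578 1056 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR2
2011/06/28 11:45:48.0531 1056 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk2\DR4
2011/06/28 11:45:48.0625 1056 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR5
2011/06/28 11:45:48.0718 1056 Boot (0x1200) (a8db68bbb4e74c20ef2269338a7ffae1) \Device\Harddisk1\DR2\Partition0
2011/06/28 11:45:48.0750 1056 Boot (0x1200) (8863a84297d9c4202a3a8f15f7eb766d) \Device\Harddisk2\DR4\Partition0
2011/06/28 11:45:48.0781 1056 Boot (0x1200) (458bb86a955a3db77cab95ef4b1cdd28) \Device\Harddisk3\DR5\Partition0
2011/06/28 11:45:48.0796 1056 Scan finished
2011/06/28 11:45:48.0828 4320 Detected object count: 0
2011/06/28 11:45:48.0828 4320 Actual detected object count: 0
"""

if __name__ == "__main__":
    result = parse_tdsskiller_log(SAMPLE_LOG)
    print("tool", result.tool_version, "on", result.system_info.get("ComputerName"),
          "OS", result.system_info.get("OS Version"))
    for device, (kind, size, md5) in result.sectors.items():
        print(f"{kind:4} {size:#6x} {md5} {device}")
    print("detected:", result.detected, "actual:", result.actual_detected)
    # A baseline taken from the same scan shows no change; a rewritten MBR would appear here.
    baseline = {d: md5 for d, (_, _, md5) in result.sectors.items()}
    print("changed sectors vs. baseline:", sector_changes(result, baseline))
```

The baseline is just the device-to-hash mapping from a scan you trust (for instance one taken right after a clean install); keeping it alongside the logs lets the next scan's sector hashes be diffed rather than read, and any device that is missing from the baseline is reported as a change too.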


Hello,

after cleaning with ComboFix, the system stopped (froze), and I had to do a cold start.

I started Windows in safe mode and while scanning my system again with Spybot it crashed.

Please have a look at the logs.

How can I activate the debug mode?

Thank you for the support.

Bert


Hi, please select the button shown in the image (not reproduced here) from now on when posting (instead of Reply). It makes it easier for me to read that way. :)

I started Windows in safe mode and while scanning my system again with Spybot it crashed.

Don't worry about Spybot for now - leave it disabled as it might cause big conflicts with some of the programs I ask you to use ;)

ComboFix might have created a log. Please look to see if a C:\ComboFix.txt was created. If it was, please post it here for me to see before we move on to anything else.


Please include the logs as posts rather than as attachments. It makes them easier for me to read that way. :)

Can you give me some more insight as to what the problem you're encountering (after running ComboFix) is? Has it gotten worse, does it still occur? etc.

Please let me know. ;)

--------

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file/s for analysis: You will only be able to have one file scanned at a time.

c:\dokumente und einstellungen\svjaksch\Desktop\Virus Removal Tool\setup_9.0.0.722_23.06.2011_14-59\startup.exe

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see.

If Jotti is busy, please go to http://www.virustotal.com,

--------

Please do the following:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

KILLALL::

File::
c:\windows\system32\drivers\15689902.sys
c:\windows\system32\drivers\15689901.sys
c:\windows\system32\drivers\75279688.sys
c:\dokumente und einstellungen\Bernhard\.swt
c:\programme\pinst35.exe

Driver::
15689901
15689902
75279688

Dirlook::
c:\dokumente und einstellungen\svjaksch\Lokale Einstellungen\Anwendungsdaten\Help

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above (not reproduced here), drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how your computer is running now ;).
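A CFScript like the one above is a small declarative format: a line ending in "::" opens a section and the lines under it are that section's entries (KILLALL:: takes none). Before a script like this is handed to ComboFix it is worth checking exactly what it will delete and whether its sections agree with each other. The Python below is an added example, not ComboFix's own parser and not something from this thread's helpers: it groups entries under the four directives used in this post, rejects any other directive or any entry that appears before a directive, and reports drivers listed under Driver:: whose .sys file is not also listed under File:: (and the reverse). The sample script is the one from this post; the function names and the report layout are my own.

```python
import ntpath
from typing import Dict, List

# Directives used in the script above. ComboFix accepts more; anything not listed
# here is rejected so that a typo cannot silently become an empty section.
KNOWN_DIRECTIVES = {"KILLALL", "File", "Driver", "Dirlook"}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group CFScript lines under their directive. Returns {directive: [entries]}
    in script order; a flag directive such as KILLALL:: maps to an empty list."""
    sections: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].strip()
            if current not in KNOWN_DIRECTIVES:
                raise ValueError(f"line {lineno}: unknown directive {current}::")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line {lineno}: entry before any directive: {line}")
        else:
            sections[current].append(line)
    return sections


def is_valid_cfscript(text: str) -> bool:
    """True when the script parses; used to reject a script before it is run."""
    try:
        parse_cfscript(text)
        return True
    except ValueError:
        return False


def review_cfscript(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """What the script will do, plus cross-checks between File:: and Driver::."""
    files = sections.get("File", [])
    drivers = sections.get("Driver", [])
    # Driver service names are compared with the .sys base names, case-insensitively
    # (ntpath handles the Windows paths even when this runs on another OS).
    sys_by_name = {
        ntpath.splitext(ntpath.basename(p))[0].lower(): p
        for p in files if p.lower().endswith(".sys")
    }
    driver_names = {d.lower() for d in drivers}
    return {
        "kills_processes": "KILLALL" in sections,
        "files_to_delete": list(files),
        "drivers_to_remove": list(drivers),
        "dirs_to_list": list(sections.get("Dirlook", [])),
        "drivers_without_file": [d for d in drivers if d.lower() not in sys_by_name],
        "driver_files_without_driver": [p for n, p in sys_by_name.items() if n not in driver_names],
    }


# The script from the post above.
SAMPLE_SCRIPT = r"""
KILLALL::
File::
c:\windows\system32\drivers\15689902.sys
c:\windows\system32\drivers\15689901.sys
c:\windows\system32\drivers\75279688.sys
c:\dokumente und einstellungen\Bernhard\.swt
c:\programme\pinst35.exe
Driver::
15689901
15689902
75279688
Dirlook::
c:\dokumente und einstellungen\svjaksch\Lokale Einstellungen\Anwendungsdaten\Help
"""

if __name__ == "__main__":
    report = review_cfscript(parse_cfscript(SAMPLE_SCRIPT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the script in this post both cross-check lists come back empty: every name under Driver:: has its .sys under File:: and vice versa. A name in either list is the thing to resolve before running the script, since a driver file deleted without its service entry, or the reverse, is the usual way such a cleanup is left half done.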


Hello Fred,

here is the result of the scan with Jotti:

-------------------------------------------------------------------------------------------

Jotti's Malware Scanner

This file has already been scanned. The results of the last scan are shown below.

Filename: startup.exe

Status:

Scan finished. 0 of 20 scanners reported malware.

Scanned on: Thu 23 Jun 2011 11:40:12 (CET) Result link

File size: 72208 bytes

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: 64fc2310ec8dee43cd01ca610d4ebc24

SHA1: 4d52ed5bab05d0f6cd646db1167b6ebb2688ec1a

----------------------------------------------------------------------------------------------

The second part follows.

Bernie


Hello Fred,

ComboFix has created a new log:

----------------------------------------------

ComboFix 11-06-27.04 - svjaksch 29.06.2011 20:25:04.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2047.1218 [GMT 2:00]

ausgeführt von:: c:\dokumente und einstellungen\svjaksch\Desktop\ComboFix.exe

Benutzte Befehlsschalter :: c:\dokumente und einstellungen\svjaksch\Desktop\CFScript.txt

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: F-Secure Anti-Virus 2006 6.10 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

FILE ::

"c:\dokumente und einstellungen\Bernhard\.swt"

"c:\programme\pinst35.exe"

"c:\windows\system32\drivers\15689901.sys"

"c:\windows\system32\drivers\15689902.sys"

"c:\windows\system32\drivers\75279688.sys"

.

.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\dokumente und einstellungen\Bernhard\WINDOWS

c:\programme\pinst35.exe

c:\windows\system32\drivers\15689901.sys

c:\windows\system32\drivers\15689902.sys

.

.

((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_15689901

-------\Legacy_15689902

-------\Legacy_75279688

-------\Service_15689901

-------\Service_15689902

.

.

((((((((((((((((((((((( Dateien erstellt von 2011-05-28 bis 2011-06-29 ))))))))))))))))))))))))))))))

.

.

2011-06-26 13:04 . 2011-06-26 13:04 2106216 ----a-w- c:\programme\Mozilla Firefox\D3DCompiler_43.dll

2011-06-26 13:04 . 2011-06-26 13:04 1998168 ----a-w- c:\programme\Mozilla Firefox\d3dx9_43.dll

2011-06-24 19:41 . 2011-06-24 19:41 711728 ----a-w- c:\windows\is-EQMPM.exe

2011-06-24 16:34 . 2011-06-24 16:34 -------- d-----w- c:\dokumente und einstellungen\svjaksch\Lokale Einstellungen\Anwendungsdaten\Help

2011-06-24 08:59 . 2011-06-24 08:59 -------- d-----w- c:\dokumente und einstellungen\svjaksch\Anwendungsdaten\Canneverbe Limited

2011-06-24 08:59 . 2011-06-24 08:59 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Canneverbe Limited

2011-06-24 08:58 . 2011-06-24 08:58 -------- d-----w- c:\programme\CDBurnerXP

2011-06-24 08:58 . 2009-11-12 12:48 5504 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2011-06-24 08:21 . 2010-05-07 10:37 150200 ----a-w- c:\programme\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2011-06-24 08:21 . 2010-05-07 10:37 109240 ----a-w- c:\programme\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

2011-06-24 08:21 . 2011-06-24 08:40 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-06-24 08:21 . 2011-06-24 08:40 115369 ----a-w- c:\windows\system32\drivers\klin.dat

2011-06-23 17:31 . 2011-06-23 18:07 88375296 ----a-w- c:\dokumente und einstellungen\All Users\kavkis.msi

2011-06-22 17:36 . 2011-06-22 17:36 -------- d-----w- c:\dokumente und einstellungen\svjaksch\Anwendungsdaten\Malwarebytes

2011-06-22 17:36 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-22 17:36 . 2011-06-22 17:36 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes

2011-06-22 17:36 . 2011-06-24 19:43 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware

2011-06-22 17:36 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-20 13:07 . 2011-06-20 13:07 -------- d-----w- c:\dokumente und einstellungen\Bernhard\.swt

2011-06-16 05:36 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-09 06:14 . 2011-06-25 18:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-07 10:35 . 2011-06-07 10:35 103864 ----a-w- c:\programme\Mozilla Firefox\plugins\nppdf32.dll

2011-06-07 10:35 . 2011-06-07 10:35 103864 ----a-w- c:\programme\Internet Explorer\Plugins\nppdf32.dll

2011-06-03 11:39 . 2011-06-03 11:39 -------- d-----w- c:\dokumente und einstellungen\Bernhard\appdata

.

.

.

(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-29 11:50 . 2007-04-13 09:57 736 ----a-w- c:\windows\RMTEMP~.EXE

2011-05-02 15:31 . 2007-03-30 12:32 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-03 23:57 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2006-12-13 10:34 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:05 . 2006-12-13 10:39 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:05 . 2006-12-13 10:38 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:05 . 2006-12-13 10:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2006-12-13 10:38 385024 ----a-w- c:\windows\system32\html.iec

2011-04-24 18:21 . 2010-08-03 07:49 1629 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xml4B.tmp

2011-04-24 18:21 . 2010-08-03 07:49 13687 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xml4A.tmp

2011-04-24 18:21 . 2010-08-03 07:49 7973 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\xml49.tmp

2011-04-21 13:37 . 2004-08-03 22:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-06-26 13:04 . 2011-04-01 09:04 142296 ----a-w- c:\programme\mozilla firefox\components\browsercomps.dll

2011-02-10 08:51 . 2011-02-10 08:51 119808 ----a-w- c:\programme\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\dokumente und einstellungen\svjaksch\Lokale Einstellungen\Anwendungsdaten\Help ----

.

.

.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Car Finder"="c:\programme\MedienTeam66\Auto Schnäppchen Finder\Auto_Schnaeppchen_Finder.exe" [2008-03-11 2344424]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"mspwr"="c:\windows\system32\PuXpMan.exe" [2004-06-12 102400]

"ISUSPM Startup"="c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

"DNS7reminder"="c:\programme\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]

"ISUSScheduler"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"Google Desktop Search"="c:\programme\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-10 30192]

"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-05-26 413696]

"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"NeroFilterCheck"="c:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"AVP"="c:\programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-05-07 344736]

"Malwarebytes' Anti-Malware"="c:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\dokumente und einstellungen\svjaksch\Startmenü\Programme\Autostart\

setup_9.0.0.722_23.06.2011_14-59.lnk - c:\dokumente und einstellungen\svjaksch\Desktop\Virus Removal Tool\setup_9.0.0.722_23.06.2011_14-59\startup.exe [2011-6-23 72208]

.

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\

PhraseExpress.lnk - c:\programme\PhraseExpress\phraseexpress.exe [2008-12-25 3727464]

SDASSIST.LNK - c:\sdii\D\D\EXE.W95\SDASSIST.exe [2007-4-13 208896]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[bU]

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Acrobat - Schnellstart.lnk]

path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Acrobat - Schnellstart.lnk

backup=c:\windows\pss\Adobe Acrobat - Schnellstart.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AudaUpdate.lnk]

path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\AudaUpdate.lnk

backup=c:\windows\pss\AudaUpdate.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]

path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Windows Search.lnk]

path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Bernhard^Startmenü^Programme^Autostart^Stoic Joker's T-Clock 32.lnk]

path=c:\dokumente und einstellungen\Bernhard\Startmenü\Programme\Autostart\Stoic Joker's T-Clock 32.lnk

backup=c:\windows\pss\Stoic Joker's T-Clock 32.lnkStartup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^svjaksch^Startmenü^Programme^Autostart^Samsung Auto Backup Guage.lnk]

path=c:\dokumente und einstellungen\svjaksch\Startmenü\Programme\Autostart\Samsung Auto Backup Guage.lnk

backup=c:\windows\pss\Samsung Auto Backup Guage.lnkStartup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^svjaksch^Startmenü^Programme^Autostart^Samsung Auto Backup Real-Time Daemon.lnk]

path=c:\dokumente und einstellungen\svjaksch\Startmenü\Programme\Autostart\Samsung Auto Backup Real-Time Daemon.lnk

backup=c:\windows\pss\Samsung Auto Backup Real-Time Daemon.lnkStartup

.

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^svjaksch^Startmenü^Programme^Autostart^Samsung Auto Backup Scheduler.lnk]

path=c:\dokumente und einstellungen\svjaksch\Startmenü\Programme\Autostart\Samsung Auto Backup Scheduler.lnk

backup=c:\windows\pss\Samsung Auto Backup Scheduler.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

2004-12-14 00:12 483328 ----a-w- c:\programme\Adobe\Acrobat 7.0\Distillr\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\programme\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

2010-05-04 15:05 311296 ----a-r- c:\programme\ATI\ATICustomerCare\ATICustomerCare.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-04-03 16:50 1603152 ----a-w- c:\programme\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-05-14 16:01 644696 ----a-w- c:\programme\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Car Finder]

2008-03-11 17:57 2344424 ----a-w- c:\programme\MedienTeam66\Auto Schnäppchen Finder\Auto_Schnaeppchen_Finder.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

2008-01-31 10:56 58728 ----a-w- c:\programme\Gemeinsame Dateien\Symantec Shared\CCAPP.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 05:52 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]

2004-01-14 01:10 409600 ----a-w- c:\programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 15:15 81920 ----a-w- c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 05:52 1695232 ------w- c:\programme\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 14:40 155648 ----a-w- c:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]

2007-04-10 10:01 1537640 ----a-w- c:\programme\Norton Ghost\Agent\GhostTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 16:18 413696 ----a-w- c:\programme\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2006-09-12 08:58 16264192 ------r- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartSync - ScheduleSync]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedItUpEX]

2009-05-20 23:15 2274816 ----a-w- c:\programme\SpeedItUpFree\SpeedItUp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

2006-10-25 08:03 210472 ----a-w- c:\programme\Gemeinsame Dateien\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2010-09-10 20:14 98304 ----a-w- c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 09:44 248552 ----a-w- c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-03-31 12:47 68856 ----a-w- c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]

2008-04-14 05:52 144384 ----a-w- c:\windows\system32\mobsync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Programme\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\SDII\\D\\D\\EXE.W95\\SID.exe"=

"c:\\Programme\\The All-Seeing Eye\\eye.exe"=

"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=

"c:\\Programme\\SEGA\\SEGA Rally\\SEGA Rally.exe"=

"c:\\Programme\\SEGA\\SEGA Rally\\SEGA Rally_SSE1.exe"=

"c:\\Programme\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Programme\\Xfire\\xfire.exe"=

"c:\\Programme\\FFManager\\jre\\bin\\javaw.exe"=

"c:\\Programme\\LogMeIn Rescue Calling Card\\CallingCard.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\German\\setup.exe"=

"c:\\Programme\\Maxima-5.11.0\\wxMaxima\\wxMaxima.exe"=

"c:\\Programme\\PhraseExpress\\phraseexpress.exe"=

"c:\programme\Microsoft ActiveSync\rapimgr.exe"= c:\programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\programme\Microsoft ActiveSync\wcescomm.exe"= c:\programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\programme\Microsoft ActiveSync\WCESMgr.exe"= c:\programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"\\\\Bernhard-9d2f54\\C\\Centura\\SQLBase\\dbnt25sv.exe"=

"\\\\Bernhard-9d2f54\\C\\CombiPlus\\SQLBase\\dbnt10sv.exe"=

"c:\\CombiPlus\\SQLBase\\dbnt10sv.exe"=

"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\RpcAgentSrv.exe"=

"c:\\Programme\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Games\\CallofDuty\\CoDMP.exe"=

"c:\\Programme\\Google\\Google Earth\\client\\googleearth.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundRouterRequest"= 1 (0x1)

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [21.04.2009 09:44 38448]

R1 mdf15;mdf15;c:\programme\Clarus\Samsung SecretZone\mdf15.sys [29.12.2009 20:29 12800]

R1 mvd20;mvd20;c:\programme\Clarus\Samsung SecretZone\mvd20.sys [29.12.2009 20:29 43008]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\programme\Firebird\Firebird_2_5\bin\fbguard.exe -s DefaultInstance --> c:\programme\Firebird\Firebird_2_5\bin\fbguard.exe -s DefaultInstance [?]

R2 Gupta SQLBase Server1;Gupta SQLBase Server1;c:\combiplus\SQLBase\dbnt10sv.exe [18.08.2003 13:00 1089536]

R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [22.06.2011 19:36 366640]

R2 MSR Service;Virtual Disk Service Manager;c:\programme\Clarus\Samsung SecretZone\MSSvc.exe [29.12.2009 20:29 102400]

R2 SCANDEV;SCANDEV;c:\windows\system32\drivers\Scandev.SYS [08.05.2007 21:28 133972]

R2 SD2MUX32;SD2MUX32;c:\sdii\TRANSBAS\sd2mux32.exe [13.04.2007 09:52 401408]

R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [24.11.2005 01:00 53632]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\programme\Firebird\Firebird_2_5\bin\fbserver.exe -s DefaultInstance --> c:\programme\Firebird\Firebird_2_5\bin\fbserver.exe -s DefaultInstance [?]

R3 fpcibase;FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [30.05.2007 19:01 537600]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14.09.2009 14:42 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02.11.2009 20:27 19472]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [22.06.2011 19:36 22712]

R3 NETFRITZ;AVM FRITZ!web PPP over ISDN;c:\windows\system32\drivers\Netfritz.sys [09.06.2007 22:24 334640]

S1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [19.04.2007 19:13 21632]

S1 atitray;atitray;\??\c:\programme\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\programme\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S1 kl2;Kl2;c:\windows\system32\drivers\kl2.sys [07.05.2010 00:19 132184]

S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [11.01.2010 10:20 135664]

S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys --> c:\windows\system32\drivers\pstrip.sys [?]

S3 AVMWAN;AVM NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [08.05.2007 20:38 37568]

S3 DFSTR2K;SIMPLETECH based USB Mass Storage Driver;c:\windows\system32\drivers\DfStor2K.sys [23.04.2007 14:56 37972]

S3 DT T-Sinus 130data®;DT T-Sinus 130data® Service for T-Sinus 130data;c:\windows\system32\drivers\dtusbxp.sys [19.04.2009 14:25 87552]

S3 dtwmnic5;DeTeWe OpenCom 36lan;c:\windows\system32\DRIVERS\dtwmnic5.sys --> c:\windows\system32\DRIVERS\dtwmnic5.sys [?]

S3 FXPCBASE;AVM FRITZ!X PC v2.0/v3.0 (WinXP/2000);c:\windows\system32\drivers\fxpcbase.sys [27.02.2003 01:00 523248]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\programme\Google\Google Desktop Search\GoogleDesktop.exe [10.02.2011 10:51 30192]

S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\Google\Update\GoogleUpdate.exe [11.01.2010 10:20 135664]

S3 OHEHNWBFQYHA;OHEHNWBFQYHA;c:\dokume~1\Bernhard\LOKALE~1\Temp\OHEHNWBFQYHA.exe --> c:\dokume~1\Bernhard\LOKALE~1\Temp\OHEHNWBFQYHA.exe [?]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programme\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [03.08.2010 09:44 93848]

S3 siusbmod;siusbmod;c:\windows\system32\drivers\siusbmod.sys [13.04.2007 08:53 27008]

S3 SkLaggProtocol;Marvell Link Aggregation Protocol (LAGG) Support;c:\windows\system32\DRIVERS\yk51lagg.sys --> c:\windows\system32\DRIVERS\yk51lagg.sys [?]

S3 SkVlanProtocol;Marvell Virtual LAN (VLAN) Support;c:\windows\system32\drivers\skvlan.sys [17.05.2006 01:15 19328]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [24.06.2004 03:54 23552]

S3 ulisa;DeTeWe ISDN-Adapter (USB);c:\windows\system32\Drivers\ulisa.sys --> c:\windows\system32\Drivers\ulisa.sys [?]

S3 USBSAMP;SimpleTech Link based USB Mass Storage Driver;c:\windows\system32\drivers\OnStor2K.SYS [01.04.2007 13:34 26724]

S3 utk0otc2;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utk0otc2.sys --> c:\windows\system32\Drivers\utk0otc2.sys [?]

.

Inhalt des "geplante Tasks" Ordners

.

2011-06-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2011-06-29 c:\windows\Tasks\Google Software Updater.job

- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-31 08:35]

.

2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\programme\Google\Update\GoogleUpdate.exe [2010-01-11 08:20]

.

2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\programme\Google\Update\GoogleUpdate.exe [2010-01-11 08:20]

.

2010-05-10 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job

- c:\programme\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2009-03-19 11:38]

.

2011-06-28 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job

- c:\programme\Nuance\NaturallySpeaking10\Program\schedmgr.exe [2009-03-19 11:38]

.

2009-04-21 c:\windows\Tasks\Paragon Archive name arc_210409075306812.job

- c:\programme\Paragon Software\Paragon Drive Backup 2007\Program\scripts.exe [2009-04-21 18:06]

.

2011-06-29 c:\windows\Tasks\User_Feed_Synchronization-{926380F7-63BA-4F09-8BC1-6F23DA5E18D1}.job

- c:\windows\system32\msfeedssync.exe [2006-12-13 02:31]

.

.

------- Zusätzlicher Suchlauf -------

.

IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Auswahl in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Auswahl in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: In Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: In vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000

IE: Verknüpfungsziel in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

TCP: Interfaces\{30DF8F49-4498-499F-A499-7353E9AC188A}: NameServer = 192.168.2.1

TCP: Interfaces\{4E82A543-379E-47F1-8BC5-4E1203DF108D}: NameServer = 192.168.120.252,192.168.120.253

TCP: Interfaces\{B03E5F9B-2178-4820-B6F9-AE12F3B1C5D4}: NameServer = 192.168.2.1

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - ProfilePath - c:\dokumente und einstellungen\svjaksch\Anwendungsdaten\Mozilla\Firefox\Profiles\vsu4z1th.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-29 20:39

Windows 5.1.2600 Service Pack 3 NTFS

.

Scanne versteckte Prozesse...

.

Scanne versteckte Autostarteinträge...

.

Scanne versteckte Dateien...

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

.

**************************************************************************

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

.

- - - - - - - > 'winlogon.exe'(1548)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

- - - - - - - > 'explorer.exe'(1484)

c:\programme\Windows Desktop Search\deskbar.dll

c:\programme\Windows Desktop Search\de-de\dbres.dll.mui

c:\programme\Windows Desktop Search\dbres.dll

c:\programme\Windows Desktop Search\wordwheel.dll

c:\programme\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Weitere laufende Prozesse ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

c:\programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe

c:\windows\system32\Ati2evxx.exe

c:\programme\FRITZ!DSL\IGDCTRL.EXE

c:\programme\Gemeinsame Dateien\AVM\de_serv.exe

c:\programme\Firebird\Firebird_2_5\bin\fbguard.exe

c:\windows\System32\GEARSec.exe

c:\programme\Java\jre6\bin\jqs.exe

c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

c:\programme\CDBurnerXP\NMSAccessU.exe

c:\programme\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\programme\Firebird\Firebird_2_5\bin\fbserver.exe

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

c:\programme\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\sdii\D\D\EXE.W95\sid.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Zeit der Fertigstellung: 2011-06-29 20:46:16 - PC wurde neu gestartet

ComboFix-quarantined-files.txt 2011-06-29 18:46

ComboFix2.txt 2011-06-28 10:25

.

Vor Suchlauf: 42 Verzeichnis(se), 84.523.880.448 Bytes frei

Nach Suchlauf: 44 Verzeichnis(se), 84.349.169.664 Bytes frei

.

- - End Of File - - 58709657C87F29E059241F7AC74D2516

------------------------------------------------------------------------------

Thanks for your next advice!

Bernie


How is your computer running now? Please let me know :).

-------

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file(s) for analysis. You will only be able to have one file scanned at a time.

c:\windows\is-EQMPM.exe

c:\sdii\D\D\EXE.W95\sid.exe

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see.

If Jotti is busy, please go to http://www.virustotal.com,


Hi D-Fred,

here are the results of the Jotti scans:

---------------------------------------------------

Jottis Malwarescanner

Diese Datei wurde bereits geprüft. Die Ergebnisse des letzten Scans sind unten zu sehen.

Dateiname: is-FGN91.exe

Status:

Scan abgeschlossen. 0 von 20 Scannern haben Malware gemeldet.

Untersucht am: Do 2 Jun 2011 22:59:11 (CET) Ergebnis-Link

Ergänzende Informationen

Dateigröße: 711728 Bytes

Dateityp: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: c8de25fefb17627e2237b320ccf30ee1

SHA1: 1eb76f645e9a74e9e45b33fdf4793c889c5a6744

----------------------------------------------------------------------------------------------------

Second file:

Jottis Malwarescanner

Dateiname: sid.exe

Status:

Scan abgeschlossen. 0 von 20 Scannern haben Malware gemeldet.

Untersucht am: Do 30 Jun 2011 08:25:43 (CET) Ergebnis-Link

Ergänzende Informationen

Dateigröße: 3952691 Bytes

Dateityp: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: 9019a3a810a81320f8c1dbbaa06c2b96

SHA1: 89b45ace67e74e3beb2cc1b12fbcaa92cc0d513d

---------------------------------------------------------------------------------------------------------------------

Now I'm trying another scan with Spybot and will report to you.

Bernie


Your logs are looking better! Let's run some more scans to confirm you're clean ;):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

-------

Please use Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.


Hi Fred,

the PC shut down while scanning with the online scanner.

Here is a notice from ESET:

----------------------------------------------------

ESET detected another Antivirus software:

Vendor Product

Checkpoint Zonealarm

----------------------------------------------------

Now I'm trying BitDefender and will report to you.

Bernie


Hi D-Fred,

here is the bitdefender log:

--------------------------------------------------------------------------------

QuickScan Beta 32-bit v0.9.9.96

-------------------------------

Scan date: Thu Jun 30 10:10:00 2011

Machine ID: EDB4B1C0

No infection found.

-------------------

Processes

---------

(unsigned) Firebird SQL Server 3472 C:\Programme\Firebird\Firebird_2_5\bin\fbserver.exe

(unsigned) Gupta SQLBase 3652 C:\CombiPlus\SQLBase\dbnt10sv.exe

(unsigned) Microsoft Development Environment 2912 C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

(unsigned) SilverDATII Automatischer Sicherungs- D 3420 C:\SDII\D\D\EXE.W95\sid.exe

(verified) gearsec 3516 C:\WINDOWS\system32\gearsec.exe

(verified) ATI External Event Utility for Windows 1804 C:\WINDOWS\system32\ati2evxx.exe

(verified) ATI External Event Utility for Windows 1236 C:\WINDOWS\system32\ati2evxx.exe

(verified) AVM FRITZ! 3360 C:\Programme\Gemeinsame Dateien\AVM\De_serv.exe

(verified) AVM IGD Service 764 C:\Programme\FRITZ!DSL\IGDCTRL.EXE

(verified) Betriebssystem Microsoft® Windows® 1876 C:\WINDOWS\explorer.exe

(verified) Betriebssystem Microsoft® Windows® 1600 C:\WINDOWS\system32\services.exe

(verified) Betriebssystem Microsoft® Windows® 1464 C:\WINDOWS\system32\smss.exe

(verified) Betriebssystem Microsoft® Windows® 2260 C:\WINDOWS\system32\taskmgr.exe

(verified) Betriebssystem Microsoft® Windows® 1552 C:\WINDOWS\system32\winlogon.exe

(verified) Client and Host Security Platform 1100 C:\Programme\Gemeinsame Dateien\Symantec Shared\CCEVTMGR.EXE

(verified) Client and Host Security Platform 1160 C:\Programme\Gemeinsame Dateien\Symantec Shared\CCSETMGR.EXE

(verified) Firebird SQL Server 3480 C:\Programme\Firebird\Firebird_2_5\bin\fbguard.exe

(verified) Google Desktop 448 C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe

(verified) Google Desktop 1180 C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe

(verified) InstallShield Update Service 432 C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

(verified) Java Platform SE 6 U21 3908 C:\Programme\Java\jre6\bin\jqs.exe

(verified) Kaspersky Anti-Virus 908 C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

(verified) Kaspersky Anti-Virus 1564 C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

(verified) Kaspersky Anti-Virus 1764 C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe

(verified) Malwarebytes' Anti-Malware 800 C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe

(verified) Malwarebytes' Anti-Malware 3968 C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe

(verified) Microsoft ActiveSync 952 C:\Programme\Microsoft ActiveSync\wcescomm.exe

(verified) Microsoft ActiveSync 2800 C:\PROGRA~1\MI3AA1~1\rapimgr.exe

(verified) Microsoft® Windows® Operating System 3896 C:\WINDOWS\system32\alg.exe

(verified) Microsoft® Windows® Operating System 1520 C:\WINDOWS\system32\csrss.exe

(verified) Microsoft® Windows® Operating System 2460 C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System 1612 C:\WINDOWS\system32\lsass.exe

(verified) Microsoft® Windows® Operating System 3352 C:\WINDOWS\system32\searchfilterhost.exe

(verified) Microsoft® Windows® Operating System 1276 C:\WINDOWS\system32\searchindexer.exe

(verified) Microsoft® Windows® Operating System 3264 C:\WINDOWS\system32\searchprotocolhost.exe

(verified) Microsoft® Windows® Operating System 1504 C:\WINDOWS\system32\spoolsv.exe

(verified) Microsoft® Windows® Operating System 3196 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 508 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 968 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 476 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1832 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1924 C:\WINDOWS\system32\svchost.exe

(verified) MSSvc.exe 3980 C:\Programme\Clarus\Samsung SecretZone\MSSvc.exe

(verified) NMSAccessU.exe 3172 C:\Programme\CDBurnerXP\NMSAccessU.exe

(verified) Norton Ghost 3428 C:\Programme\Norton Ghost\Agent\VProSvc.exe

(verified) NsWrtMon Application 336 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

(verified) NsWrtProc Application 360 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

(verified) PnkBstrA.exe 740 C:\WINDOWS\system32\PnkBstrA.exe

(verified) PnkBstrB.exe 392 C:\WINDOWS\system32\PnkBstrB.exe

(verified) PwrUpManager 348 C:\WINDOWS\system32\puxpman.exe

(verified) Symantec Core Component 3220 C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

(verified) Transbase/CD Database System 540 C:\SDII\TRANSBAS\sd2mux32.exe

(verified) Windows® Internet Explorer 3164 C:\Programme\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 1228 C:\Programme\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 3296 C:\Programme\Internet Explorer\iexplore.exe

Network activity

----------------

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.81

Process avp.exe (908) connected on port 80 (HTTP) --> 74.125.77.101

Process avp.exe (908) connected on port 80 (HTTP) --> 74.125.79.102

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.81

Process avp.exe (908) connected on port 80 (HTTP) --> 66.220.153.30

Process avp.exe (908) connected on port 443 (HTTP over SSL) --> 209.85.148.96

Process avp.exe (908) connected on port 80 (HTTP) --> 209.85.148.96

Process avp.exe (908) connected on port 80 (HTTP) --> 66.235.142.2

Process avp.exe (908) connected on port 80 (HTTP) --> 74.125.39.155

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.81

Process avp.exe (908) connected on port 443 (HTTP over SSL) --> 74.125.77.95

Process avp.exe (908) connected on port 80 (HTTP) --> 66.235.142.2

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 74.125.39.155

Process avp.exe (908) connected on port 80 (HTTP) --> 74.125.77.101

Process avp.exe (908) connected on port 443 (HTTP over SSL) --> 209.85.148.96

Process avp.exe (908) connected on port 80 (HTTP) --> 69.171.242.39

Process avp.exe (908) connected on port 80 (HTTP) --> 69.171.242.11

Process avp.exe (908) connected on port 443 (HTTP over SSL) --> 74.125.77.95

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 195.145.147.64

Process avp.exe (908) connected on port 80 (HTTP) --> 209.85.148.96

Process sd2mux32.exe (540) listens on ports: 2034, 2035

Process IGDCTRL.EXE (764) listens on ports: 49001

Process avp.exe (908) listens on ports: 1110, 19780

Process svchost.exe (1832) listens on ports: 3389 (Terminal Server)

Process svchost.exe (1924) listens on ports: 135 (RPC)

Process sid.exe (3420) listens on ports: 49163

Process fbserver.exe (3472) listens on ports: 3050 (Interbase DB)

Process dbnt10sv.exe (3652) listens on ports: 2155

Autoruns and critical files

---------------------------

(verified) Adobe Acrobat C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe

(verified) Adobe Reader and Acrobat Manager C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe

(verified) Apple Software Update C:\Programme\Apple Software Update\SoftwareUpdate.exe

(verified) ATI External Event Utility for Windows C:\WINDOWS\system32\ati2evxx.dll

(verified) Auto_Schnaeppchen_Finder C:\Programme\MedienTeam66\Auto Schnäppchen Finder\Auto_Schnaeppchen_Finder.exe

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\BROWSEUI.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\CRYPT32.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\cscdll.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\System32\logon.scr

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\logonui.exe

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\sclgntfy.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\SHELL32.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\stobject.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\upnpui.dll

(verified) Betriebssystem Microsoft® Windows® c:\windows\system32\userinit.exe

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\WlNotify.dll

(verified) DAT SilverDAT II SdAssist C:\SDII\D\D\EXE.W95\SDASSIST.exe

(verified) Dragon NaturallySpeaking C:\Programme\Nuance\NaturallySpeaking10\Program\schedmgr.exe

(verified) Google Desktop C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe

(verified) Google Update C:\Programme\Google\Update\GoogleUpdate.exe

(verified) Google Updater C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

(verified) InstallShield Update Service C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

(verified) InstallShield Update Service C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe

(verified) Kaspersky Anti-Virus C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

(verified) Kaspersky Anti-Virus c:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\kloehk.dll

(verified) Kaspersky Anti-Virus C:\WINDOWS\system32\klogon.dll

(verified) Malwarebytes' Anti-Malware C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe

(verified) Microsoft ActiveSync C:\Programme\Microsoft ActiveSync\wcescomm.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll

(verified) Nero AG NeroCheck C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

(verified) NsWrtMon Application C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

(verified) PhraseExpress C:\Programme\PhraseExpress\phraseexpress.exe

(verified) PwrUpManager C:\WINDOWS\system32\puxpman.exe

(verified) QuickTime C:\Programme\QuickTime\qttask.exe

(verified) scripts.exe C:\Programme\Paragon Software\Paragon Drive Backup 2007\Program\scripts.exe

(verified) SSEreg C:\Programme\Nuance\NaturallySpeaking10\Ereg\Ereg.exe

(verified) startup.exe C:\Dokumente und Einstellungen\svjaksch\Desktop\Virus Removal Tool\setup_9.0.0.722_23.06.2011_14-59\startup.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

(verified) Windows® Search c:\programme\windows desktop search\msnlnamespacemgr.dll

Browser plugins

---------------

(unsigned) Google Earth Plugin C:\Programme\Google\Google Earth\plugin\npgeplugin.dll

(verified) AcroIEHelper Library C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

(verified) AcroIEHelperShim Library C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

(verified) Adobe Acrobat C:\Programme\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

(verified) Adobe Acrobat C:\Programme\Internet Explorer\plugins\nppdf32.dll

(verified) Adobe Acrobat C:\Programme\Mozilla Firefox\plugins\nppdf32.dll

(verified) Adobe IE plugin C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

(verified) Betriebssystem Microsoft® Windows® C:\WINDOWS\system32\mswsock.dll

(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll

(verified) DivX Web Player C:\Programme\DivX\DivX Web Player\npdivx32.dll

(verified) DivX Web Player C:\Programme\Mozilla Firefox\plugins\npdivx32.dll

(verified) Easy-WebPrint c:\programme\canon\easy-webprint\toolband.dll

(verified) Google Toolbar for Internet Explorer C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll

(verified) Google Update C:\Programme\Google\Update\1.3.21.57\npGoogleUpdate3.dll

(verified) Google Updater C:\Programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

(verified) GoogleToolbarNotifier C:\Programme\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll

(verified) Java Deployment Toolkit 6.0.210.7 C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll

(verified) Java Platform SE 6 U21 C:\Programme\Java\jre6\bin\jp2ssv.dll

(verified) Java Platform SE 6 U21 C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll

(verified) Java Platform SE 6 U21 C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

(verified) Kaspersky Anti-Virus C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll

(verified) Kaspersky Anti-Virus C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

(verified) Messenger C:\Programme\Messenger\msmsgs.exe

(verified) Microsoft Support Diagnostic Tool C:\WINDOWS\Downloaded Program Files\MSDCode.DLL

(verified) Microsoft® Windows Media Player Firefox C:\Programme\Mozilla Firefox\plugins\np-mswmp.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll

(verified) nppdf32.DEU C:\Programme\Internet Explorer\plugins\nppdf32.DEU

(verified) nppdf32.DEU C:\Programme\Mozilla Firefox\plugins\nppdf32.DEU

(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

(verified) Picture Manager, Wells and Layout C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPUWALcontrol.dll

(verified) Picture Manager, Wells and Layout C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin2.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin3.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin4.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin5.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin6.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Internet Explorer\plugins\npqtplugin7.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin2.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin3.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin4.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin5.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin6.dll

(verified) QuickTime Plug-in 7.6.2 C:\Programme\Mozilla Firefox\plugins\npqtplugin7.dll

(verified) SDHelper.dll C:\Programme\Spybot - Search & Destroy2\SDHelper.dll

(verified) Shockwave for Director C:\WINDOWS\system32\Adobe\Director\np32dsw.dll

(verified) Silverlight Plug-In C:\Programme\Microsoft Silverlight\4.0.60531.0\npctrl.dll

(verified) TODO: <Product name> C:\Dokumente und Einstellungen\svjaksch\Anwendungsdaten\Mozilla\Firefox\Profiles\vsu4z1th.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll

(verified) TVicHW32 Generic Device Driver for Wind C:\WINDOWS\Downloaded Program Files\tvichw32.sys

(verified) Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

(verified) Windows® Internet Explorer C:\WINDOWS\system32\IEFRAME.dll

(verified) Yahoo! activeX Plug-in Bridge C:\Programme\Yahoo!\Common\npyaxmpb.dll

(verified) Yahoo! Toolbar c:\programme\yahoo!\companion\installs\cpn\yt.dll

Scan

----


No file uploaded.

Scan finished - communication took 1 sec

Total traffic - 0.00 MB sent, 0.09 KB recvd

Scanned 802 files and modules - 4 seconds

==============================================================================

P.S. When I scanned the system with Spybot yesterday morning, the system shut down at ~15% of the full scan.

After running Combofix.exe again, as you advised, I scanned the system with Spybot and now the system shut down at approx. ~50% of a full scan.

Have you any idea?

Bernie


Hmm that is quite odd. Let's run some more scans to give us a better look:

Please do the following:

  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:
    [screenshot: gmer_screen2-1.gif]
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.

Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.

---------

Download Rootkit Unhooker and save it to your Desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.

Vista/Windows 7 users right-click and select Run As Administrator.

  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • UNcheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
    Note: You may get the following warning---just ignore it, click OK and continue. Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?


Hi D-Fred,

here is the scan with GMER:

--------------------------------------------------------

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-30 21:03:17

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 SAMSUNG_SP2514N rev.VF100-41

Running: v6yiqz9r.exe; Driver: C:\DOKUME~1\svjaksch\LOKALE~1\Temp\fgxdikog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA293D48]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAA29464E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAA29547A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAA2959C4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA29492A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAA292BBA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAA2958AA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAA293938]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAA29577E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA293AE0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA295AE4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAA2942D8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAA295814]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xAA297106]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAA2931C4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAA293578]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAA294DAC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAA298288]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA2936C4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA29375C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAA294BBA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA2971F8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAA292B96]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAA292BA8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xAA2978D6]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xAA293888]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xAA295A5A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xAA2946D0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xAA292D7A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xAA29593A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAA293F90]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xAA297670]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xAA295B7A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xAA293E86]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xAA2937F4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA29342C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xAA297C10]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xAA293056]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xAA297502]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xAA2932E6]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xAA2925D0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xAA295EDE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xAA295DA4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA296EA0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xAA292948]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xAA29812A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xAA292568]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xAA2951C4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xAA2944F2]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xAA296748]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xAA297300]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xAA297D60]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xAA292ED0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xAA297E52]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xAA297F8C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xAA29702A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xAA294124]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xAA294084]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xAA297AB4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAA29420E]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A66C116D

INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A66C0FC2

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [F8, 71, 29, AA, 96, 2B, 29, ...]

.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BD0 16 Bytes [E6, 32, 29, AA, D0, 25, 29, ...]

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [52, 7E, 29, AA, 8C, 7F, 29, ...]

.text ntoskrnl.exe!IoIsOperationSynchronous 804EAFCE 5 Bytes JMP AA286C58 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F45B3 5 Bytes JMP AA286880 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB6B72000, 0x275B27, 0xE8000020]

init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xB75062E0]

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA5E36400, 0x82482, 0xE8000020]

.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA5ED6420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA5ED6420]

.protectÿÿÿÿhardlockunknown last code section [0xA5ED6200, 0x5105, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA5ED6200, 0x5105, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[908] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;

? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[908] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;

.text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[908] USER32.dll!AlignRects 7E362A78 4 Bytes [70, 11, 46, 6C] {JO 0x13; INC ESI; INSB }

.text C:\WINDOWS\system32\SearchIndexer.exe[1276] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[4260] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;

? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[4260] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;

.text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe[4260] USER32.dll!AlignRects 7E362A78 4 Bytes [70, 11, 46, 6C] {JO 0x13; INC ESI; INSB }

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

The scan with RKUnhooker failed; after 1 h 30 min the PC shut down.

After the restart Kaspersky found malware:

here is the location:

C:\System\windows32\05BB0BBE.exe

and viruslist.com says:

Trojan-Downloader.Win32.CodecPack.sjt

What do you think?

Bernie

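As an added example (not from this thread and not part of GMER), here is a small Python triage script for the log format posted above: it counts SSDT hooks per driver image, flags hooks attributed to vendors other than the security product the thread shows installed (an assumed allowlist), and surfaces writeable driver sections and the sector-0 finding so a trained helper can prioritise them. The sample lines are copied from the log above; `EXPECTED_HOOK_VENDORS` and the function name are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape GMER 1.0.15 prints; the lines are copied
# from the log posted above (only a few of the 60-odd SSDT entries).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA29492A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAA293F90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAA29420E]
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A66C0FC2
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB6B72000, 0x275B27, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA5E36400, 0x82482, 0xE8000020]
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
"""

# Assumption: vendors whose kernel hooks are expected on this machine. The
# thread shows Kaspersky Internet Security installed; extend per system.
EXPECTED_HOOK_VENDORS = {"Kaspersky Lab"}

# Line shapes as GMER prints them; other line types (INT, Code, AttachedDevice) are ignored here.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<info>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
WRITEABLE_RE = re.compile(r"^\.\w+\s+(?P<module>.+?)\s+section is writeable\b")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<finding>.+)$")


def triage_gmer_log(text):
    """Summarise a GMER log: who hooks the SSDT, which driver images are writeable, what the sector check said."""
    hooks_by_module = Counter()
    unexpected_hooks = []       # (module, vendor, function) with a vendor outside the allowlist
    writeable = []
    disk_findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            module = m.group("module")
            hooks_by_module[module] += 1
            vendor = m.group("info").rsplit("/", 1)[-1].strip()   # "description/vendor"
            if vendor not in EXPECTED_HOOK_VENDORS:
                unexpected_hooks.append((module, vendor, m.group("func")))
            continue
        m = WRITEABLE_RE.match(line)
        if m:
            writeable.append(m.group("module"))
            continue
        m = DISK_RE.match(line)
        if m:
            disk_findings.append((m.group("device"), int(m.group("sector")), m.group("finding")))
    # A sector-0 (MBR) finding or an unattributed hook needs a trained helper's
    # eyes before any fix is attempted, as the helper's post above warns.
    escalate = bool(unexpected_hooks) or any(s == 0 for _, s, _ in disk_findings)
    return {
        "hooks_by_module": dict(hooks_by_module),
        "unexpected_hooks": unexpected_hooks,
        "writeable_sections": writeable,
        "disk_findings": disk_findings,
        "escalate": escalate,
    }
```

Calling `triage_gmer_log(SAMPLE_LOG)` on the sample reports three klif.sys hooks, two writeable sections, the sector-0 finding, and `escalate` set; a real gmer.txt can be passed in the same way.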

In the meantime, if you could run the following program I'd appreciate it :):

Do this after the Kaspersky scan, please.

Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all open programs/windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


Hi D-Fred,

MBRCheck found something.

In the black window it said that the MBR was faked and gave the option to change it.

Have a look at the log:

------------------------------------------------------------------

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000d

Kernel Drivers (total 148):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x80701000 \WINDOWS\system32\hal.dll

0xF7987000 \WINDOWS\system32\KDCOM.DLL

0xF7897000 \WINDOWS\system32\BOOTVID.dll

0xB82DE000 kl1.sys

0xB82AF000 ACPI.sys

0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB829E000 pci.sys

0xF75F7000 isapnp.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7607000 MountMgr.sys

0xB81DF000 ftdisk.sys

0xF798D000 dmload.sys

0xB81B9000 dmio.sys

0xF770F000 PartMgr.sys

0xF7717000 videX32.sys

0xF771F000 hotcore3.sys

0xF7617000 VolSnap.sys

0xB81A1000 atapi.sys

0xF7627000 disk.sys

0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB8168000 fltmgr.sys

0xB8156000 sr.sys

0xF7727000 xfilt.sys

0xF7647000 PxHelp20.sys

0xB8140000 SymSnap.sys

0xB8129000 KSecDD.sys

0xB809C000 Ntfs.sys

0xB806F000 NDIS.sys

0xF7657000 uagp35.sys

0xB7FB5000 Mup.sys

0xB7C37000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xB69FA000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB69E6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB69BE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB693A000 \SystemRoot\system32\DRIVERS\fpcibase.sys

-----------------------------------------------------------------------------------

Bernie


Let's do this:

Please do the following:

  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.


This topic is now closed to further replies.