Infected?

[Solved]

Post by holits on Thu Feb 05, 2009 7:30 am

Dear all, thank you for a great website.

Attached you will find my log from HijackThis.

I would be very grateful if someone could help me.

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:39, on 05.02.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\SMINST\scheduler.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Natific\Natific M3K\NatificColorTransmitterTrayApplication.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [HPWWANGSAssistant] c:\SWSetup\HPQWWAN\HPWWanGSAssistant.exe /TrayMode
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DBISQL9] "c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [SybaseCentral43] "c:\program files\sybase\shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - Startup: Natific M3K.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted IP range: [You must be registered and logged in to see this link.]
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = natific.intra
O17 - HKLM\Software\..\Telephony: DomainName = natific.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = natific.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = natific.intra
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Adaptive Server Anywhere - DatacolorASAService (ASANYs_DatacolorASAService) - iAnywhere Solutions, Inc. - c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Natific M3K (natific_m3k) - Szintézis-NET Kft. - C:\Program Files\Natific\Natific M3K\NatificM3KService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13713 bytes

holits
Novice
Posts: 11 | Joined: 2009-02-05 | OS: Windows
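The HijackThis log above is a flat text format: every entry is a section code (R0/R1 for IE start and search pages, O2 for Browser Helper Objects, O4 for autorun keys, O20 for AppInit_DLLs and Winlogon Notify hooks, O23 for services) followed by the entry body. As an added example, not code from the original post or from Trend Micro, the Python below parses that format and runs a first-pass triage over a handful of lines copied from the log. The flag names, the "user-writable path" pattern and the choice of which entry types get structured parsing are my own assumptions; the flags are things a helper looks at first (orphaned registry entries, a service with no vendor string, DLLs injected into every process), not verdicts about the machine.

```python
import re
from dataclasses import dataclass, field

# Sample input: a few lines copied from the HijackThis log posted above
# (not a complete log; enough to exercise each parser branch).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
"""

# What each triage flag means; flags are hints for a human reviewer, not verdicts.
FLAG_TEXT = {
    "orphaned-file": "registry entry points at a file that is no longer on disk",
    "unknown-vendor": "service binary reports no company name",
    "unnamed-bho": "Browser Helper Object without a display name",
    "process-wide-hook": "AppInit_DLLs / Winlogon Notify DLLs are loaded into many processes; verify the DLL",
    "trusted-zone": "host or IP range placed in IE's Trusted Zone, which relaxes browser security for it",
    "user-writable-path": "autorun command points into a temp or AppData directory",
}

LINE_RE = re.compile(r"^(?P<sec>[FRO]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<where>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_WRITABLE_RE = re.compile(r"\\temp\\|%temp%|\\appdata\\", re.I)  # assumption: my own pattern


@dataclass
class Entry:
    section: str                 # HijackThis section code: R0, O2, O4, O23 ...
    body: str                    # the text after "Oxx - "
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def _extract_fields(section, body):
    """Structured parts of the entry types this example triages."""
    if section == "O2":
        m = BHO_RE.match(body)
        return m.groupdict() if m else {}
    if section == "O4":
        m = RUN_RE.match(body)
        return m.groupdict() if m else {}
    if section == "O23" and body.startswith("Service: "):
        # "Service: <display> (<short>) - <vendor> - <path>"; split from the right so a
        # display name containing " - " does not shift the vendor and path columns.
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            return {"name": parts[0], "vendor": parts[1], "path": parts[2]}
    return {}


def _triage(section, body, fields):
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned-file")
    if fields.get("vendor") == "Unknown owner":
        flags.append("unknown-vendor")
    if section == "O2" and fields.get("name") == "(no name)":
        flags.append("unnamed-bho")
    if section == "O20":
        flags.append("process-wide-hook")
    if section == "O15":
        flags.append("trusted-zone")
    if section == "O4" and USER_WRITABLE_RE.search(fields.get("cmd", body)):
        flags.append("user-writable-path")
    return flags


def parse_hjt(text):
    """Parse a HijackThis log; the header and the running-process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = _extract_fields(m["sec"], m["body"])
        entries.append(Entry(m["sec"], m["body"], fields, _triage(m["sec"], m["body"], fields)))
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


def report(entries):
    """One line per flagged entry, followed by the reason for each flag."""
    lines = []
    for e in flagged(entries):
        lines.append(f"{e.section}: {e.body}")
        lines.extend(f"    -> {FLAG_TEXT[code]}" for code in e.flags)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_hjt(SAMPLE_LOG)))
```

Run as a script it prints the four flagged entries from the sample; to triage a full log, pass the file contents to `parse_hjt`. Note that the two O20 lines are flagged purely because of where they load, which is the right default for that section: a DLL named in AppInit_DLLs or Winlogon Notify ends up in many processes, so the helper checks its path and vendor rather than assuming either way.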


Post by Belahzur on Thu Feb 05, 2009 9:11 am

Hello.
I don't think so; the log looks okay to me. What problems are you having?

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then right-click JavaRa and select "Run as administrator" to run the program.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.




Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64


Post by holits on Fri Feb 06, 2009 4:59 am

Hi!

The most problematic issue I have is that I cannot access any antivirus homepages.

Thank you

Holits



Post by holits on Fri Feb 06, 2009 5:25 am

I have G Data installed; on the one computer I can't download new updates, on a new computer it works fine.



Post by holits on Fri Feb 06, 2009 10:23 am

Here is the log from ComboFix:

ComboFix 09-02-04.01 - MAKA 2009-02-06 15:30:00.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2023.889 [GMT 1:00]
Running from: c:\users\MAKA\Desktop\ComboFix.exe
AV: G DATA AntiVirus 2008 *On-access scanning disabled* (Outdated)
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf
H:\Autorun.inf
I:\autorun.inf

.
((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))
.

2009-02-06 15:41 . 2009-02-06 15:41 4,096 --a------ c:\windows\System32\053D9.tmp
2009-02-06 15:06 . 2009-02-06 15:06 4,096 --a------ c:\windows\System32\0CC43.tmp
2009-02-06 12:18 . 2009-02-06 12:18 4,096 --a------ c:\windows\System32\0CBC6.tmp
2009-02-06 11:06 . 2009-02-06 11:06 4,096 --a------ c:\windows\System32\0DC88.tmp
2009-02-06 10:58 . 2009-02-06 10:57 410,984 --a------ c:\windows\System32\deploytk.dll
2009-02-06 10:31 . 2009-02-06 10:31 4,096 --a------ c:\windows\System32\0E52F.tmp
2009-02-06 10:28 . 2009-02-06 10:28 d-------- c:\users\All Users\G DATA
2009-02-06 10:28 . 2009-02-06 10:28 d-------- c:\programdata\G DATA
2009-02-06 10:24 . 2009-02-06 10:24 47,184 --a------ c:\windows\System32\drivers\MiniIcpt.sys
2009-02-06 10:24 . 2009-02-06 10:24 41,928 --a------ c:\windows\System32\drivers\GDTdiIcpt.sys
2009-02-06 10:24 . 2009-02-06 10:24 32,200 --a------ c:\windows\System32\drivers\HookCentre.sys
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Videos
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Searches
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Saved Games
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Pictures
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Music
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Links
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Downloads
2009-02-06 10:23 . 2009-02-06 10:23 dr------- c:\windows\System32\config\systemprofile\Documents
2009-02-06 10:23 . 2007-09-11 03:17 39,880 --a------ c:\windows\System32\drivers\gdwfpcd32.sys
2009-02-06 10:22 . 2009-02-06 10:23 d-------- c:\program files\G DATA AntiVirus
2009-02-06 10:22 . 2009-02-06 10:23 d-------- c:\program files\Common Files\G DATA
2009-02-06 08:14 . 2009-02-06 08:14 4,096 --a------ c:\windows\System32\0F44C.tmp
2009-02-06 07:34 . 2009-02-06 07:34 4,096 --a------ c:\windows\System32\0D364.tmp
2009-02-05 15:56 . 2009-02-05 15:56 4,096 --a------ c:\windows\System32\0CF7E.tmp
2009-02-05 13:21 . 2008-12-03 14:03 151,552 --a------ c:\temp\JavaRa.exe
2009-02-05 08:43 . 2009-02-05 08:43 4,096 --a------ c:\windows\System32\0F556.tmp
2009-02-04 20:16 . 2009-02-04 20:16 4,096 --a------ c:\windows\System32\0C522.tmp
2009-02-04 19:20 . 2009-02-04 19:20 4,096 --a------ c:\windows\System32\0D9E9.tmp
2009-02-04 17:32 . 2009-02-04 17:32 4,096 --a------ c:\windows\System32\0B4DD.tmp
2009-02-04 12:28 . 2006-11-06 11:55 748,344 --a------ c:\temp\Filemon.exe
2009-02-04 10:45 . 2009-02-04 10:45 4,096 --a------ c:\windows\System32\05B68.tmp
2009-02-04 10:27 . 2009-02-04 11:03 d-------- c:\temp\Datacolor
2009-02-04 08:04 . 2009-02-04 08:04 4,096 --a------ c:\windows\System32\0E1D5.tmp
2009-02-04 07:37 . 2009-02-04 07:37 4,096 --a------ c:\windows\System32\0BDC2.tmp
2009-02-03 22:16 . 2009-02-03 22:16 4,096 --a------ c:\windows\System32\0AEA5.tmp
2009-02-03 19:04 . 2009-02-03 19:04 4,096 --a------ c:\windows\System32\0AC08.tmp
2009-02-03 18:17 . 2009-02-03 18:17 6,258,825 --a------ C:\DATACOLOR_TOOLS.zip
2009-02-03 17:29 . 2009-02-03 17:29 d-------- c:\temp\m3k
2009-02-03 16:25 . 2009-02-03 16:25 4,096 --a------ c:\windows\System32\0560B.tmp
2009-02-03 16:00 . 2009-02-03 16:00 0 --a------ c:\windows\nsreg.dat
2009-02-03 14:14 . 2009-02-03 14:14 4,096 --a------ c:\windows\System32\0B0F6.tmp
2009-02-03 10:49 . 2009-02-03 10:49 4,096 --a------ c:\windows\System32\0AE77.tmp
2009-02-03 09:48 . 2009-02-03 09:48 4,096 --a------ c:\windows\System32\0C7E0.tmp
2009-02-02 08:40 . 2009-02-02 08:40 4,096 --a------ c:\windows\System32\0B9CC.tmp
2009-02-01 19:47 . 2009-02-01 19:47 4,096 --a------ c:\windows\System32\0C5BE.tmp
2009-02-01 14:29 . 2009-02-01 14:29 4,096 --a------ c:\windows\System32\0AED4.tmp
2009-02-01 12:13 . 2009-02-01 12:13 4,096 --a------ c:\windows\System32\0BBFE.tmp
2009-01-31 08:13 . 2009-01-31 08:13 4,096 --a------ c:\windows\System32\0201D.tmp
2009-01-30 18:38 . 2009-01-30 18:38 d-------- c:\program files\VisocoSoftware
2009-01-30 18:38 . 2006-02-27 00:59 189,952 --a------ c:\windows\System32\dbexpany.dll
2009-01-30 18:02 . 2009-01-30 18:02 d-------- c:\program files\Natific
2009-01-30 11:56 . 2009-01-30 11:56 4,096 --a------ c:\windows\System32\0B70E.tmp
2009-01-29 18:48 . 2009-01-29 18:48 4,096 --a------ c:\windows\System32\0CCB0.tmp
2009-01-29 17:44 . 2009-01-29 17:44 4,096 --a------ c:\windows\System32\0F17F.tmp
2009-01-29 14:41 . 2009-01-29 14:41 4,096 --a------ c:\windows\System32\01821.tmp
2009-01-29 11:16 . 2009-01-29 11:16 4,096 --a------ c:\windows\System32\0ADDB.tmp
2009-01-29 09:32 . 2009-01-29 09:32 4,096 --a------ c:\windows\System32\0BAF6.tmp
2009-01-28 22:03 . 2009-01-28 22:03 4,096 --a------ c:\windows\System32\0BB23.tmp
2009-01-28 08:12 . 2009-01-28 08:12 4,096 --a------ c:\windows\System32\0D68F.tmp
2009-01-28 06:44 . 2009-01-28 06:44 4,096 --a------ c:\windows\System32\0C927.tmp
2009-01-27 22:57 . 2009-01-27 22:58 4,096 --a------ c:\windows\System32\0DF37.tmp
2009-01-27 19:19 . 2009-01-27 19:19 4,096 --a------ c:\windows\System32\0C428.tmp
2009-01-27 07:50 . 2009-01-27 07:50 4,096 --a------ c:\windows\System32\0C14B.tmp
2009-01-26 20:14 . 2009-01-26 20:14 4,096 --a------ c:\windows\System32\0FE2C.tmp
2009-01-26 16:12 . 2009-01-26 16:12 4,096 --a------ c:\windows\System32\0C061.tmp
2009-01-26 14:43 . 2009-01-26 14:43 4,096 --a------ c:\windows\System32\0B6F0.tmp
2009-01-26 11:40 . 2009-01-26 11:40 4,096 --a------ c:\windows\System32\0C225.tmp
2009-01-26 07:30 . 2009-01-26 07:30 4,096 --a------ c:\windows\System32\0C5CD.tmp
2009-01-26 06:29 . 2009-01-26 06:29 4,096 --a------ c:\windows\System32\0D5A5.tmp
2009-01-24 18:41 . 2009-01-24 18:41 4,096 --a------ c:\windows\System32\0C8D9.tmp
2009-01-24 14:32 . 2009-01-24 14:32 4,096 --a------ c:\windows\System32\0B7D9.tmp
2009-01-24 14:24 . 2009-01-24 14:24 4,096 --a------ c:\windows\System32\0B460.tmp
2009-01-24 14:19 . 2009-01-24 14:19 4,096 --a------ c:\windows\System32\0BFD5.tmp
2009-01-24 08:30 . 2009-01-24 08:30 4,096 --a------ c:\windows\System32\0BB43.tmp
2009-01-23 18:10 . 2009-01-23 18:10 4,096 --a------ c:\windows\System32\0C4B5.tmp
2009-01-23 16:37 . 2009-01-23 16:37 4,096 --a------ c:\windows\System32\0BAF5.tmp
2009-01-23 08:29 . 2009-01-23 08:29 4,096 --a------ c:\windows\System32\0B01C.tmp
2009-01-23 07:56 . 2009-01-23 07:56 4,096 --a------ c:\windows\System32\0BC2D.tmp
2009-01-22 19:25 . 2009-01-22 19:25 4,096 --a------ c:\windows\System32\0B75C.tmp
2009-01-22 17:01 . 2009-01-22 17:01 4,096 --a------ c:\windows\System32\0B615.tmp
2009-01-22 14:37 . 2009-01-22 14:37 4,096 --a------ c:\windows\System32\0A784.tmp
2009-01-22 12:40 . 2009-01-22 12:40 4,096 --a------ c:\windows\System32\0B412.tmp
2009-01-22 04:03 . 2009-01-22 04:03 4,096 --a------ c:\windows\System32\0AC93.tmp
2009-01-22 01:25 . 2009-01-22 01:25 4,096 --a------ c:\windows\System32\0BD45.tmp
2009-01-21 15:34 . 2009-01-21 15:34 4,096 --a------ c:\windows\System32\0C58F.tmp
2009-01-21 12:13 . 2009-01-21 12:13 4,096 --a------ c:\windows\System32\0B79B.tmp
2009-01-21 01:46 . 2009-01-21 01:46 4,096 --a------ c:\windows\System32\0B135.tmp
2009-01-21 00:38 . 2009-01-21 00:38 4,096 --a------ c:\windows\System32\0AF80.tmp
2009-01-20 16:57 . 2009-01-20 16:57 4,096 --a------ c:\windows\System32\0F21B.tmp
2009-01-20 14:24 . 2009-01-20 14:24 4,096 --a------ c:\windows\System32\0F085.tmp
2009-01-20 14:06 . 2009-01-20 14:06 4,096 --a------ c:\windows\System32\0BE6E.tmp
2009-01-20 01:47 . 2009-01-20 01:47 4,096 --a------ c:\windows\System32\0BBA0.tmp
2009-01-19 15:05 . 2009-01-19 15:05 4,096 --a------ c:\windows\System32\0B6EF.tmp
2009-01-19 01:36 . 2009-01-19 01:36 4,096 --a------ c:\windows\System32\0BBBF.tmp
2009-01-18 14:34 . 2009-01-18 14:34 4,096 --a------ c:\windows\System32\0C5E.tmp
2009-01-18 04:57 . 2009-01-18 04:57 d-------- c:\users\MAKA\AppData\Roaming\Notepad++
2009-01-18 04:57 . 2009-01-18 04:57 d-------- c:\program files\Notepad++
2009-01-18 01:41 . 2009-01-18 01:41 4,096 --a------ c:\windows\System32\0B144.tmp
2009-01-17 17:20 . 2009-01-17 17:20 4,096 --a------ c:\windows\System32\0D049.tmp
2009-01-17 12:15 . 2009-01-17 12:15 4,096 --a------ c:\windows\System32\068A1.tmp
2009-01-17 07:41 . 2009-01-17 07:41 d-------- c:\program files\CyberChrome
2009-01-17 07:39 . 2006-12-20 11:55 3,066,968 --a------ c:\windows\System32\hinstd.dll
2009-01-17 07:39 . 2006-12-20 10:00 2,511,360 --a------ c:\windows\System32\haspds_windows.dll
2009-01-17 07:39 . 2006-11-22 10:01 693,760 --a------ c:\windows\System32\drivers\hardlock.sys
2009-01-17 07:39 . 2006-12-20 10:00 671,112 --a------ c:\windows\System32\hdinst_windows.dll
2009-01-17 07:39 . 2006-11-22 10:01 327,168 --a------ c:\windows\System32\drivers\akshasp.sys
2009-01-17 07:39 . 2002-07-26 17:02 153,088 --a------ c:\windows\System32\UNWISE.EXE
2009-01-17 07:39 . 2006-10-16 19:35 104,576 --a------ c:\windows\System32\drivers\aksclass.sys
2009-01-17 07:39 . 2006-11-22 10:01 100,096 --a------ c:\windows\System32\drivers\aksusb.sys
2009-01-17 07:39 . 2006-11-30 11:06 69,632 --a------ c:\windows\System32\hasp_inst_help1.dll
2009-01-17 07:39 . 2005-09-06 17:06 28,672 --a------ c:\windows\System32\hlduinst.exe
2009-01-17 07:39 . 2006-10-16 19:35 7,168 --a------ c:\windows\System32\akscoinst.dll
2009-01-17 02:42 . 2009-01-17 02:42 4,096 --a------ c:\windows\System32\0AC07.tmp
2009-01-16 15:31 . 2009-01-16 15:31 4,096 --a------ c:\windows\System32\0AA13.tmp
2009-01-15 15:41 . 2009-01-15 15:41 4,096 --a------ c:\windows\System32\0DA18.tmp
2009-01-15 15:31 . 2009-01-15 15:31 4,096 --a------ c:\windows\System32\09D28.tmp
2009-01-15 01:39 . 2009-01-15 01:39 4,096 --a------ c:\windows\System32\0B0E7.tmp
2009-01-14 01:47 . 2009-01-14 01:47 4,096 --a------ c:\windows\System32\0B2DA.tmp
2009-01-13 16:51 . 2009-01-13 16:51 4,096 --a------ c:\windows\System32\0BF58.tmp
2009-01-13 13:35 . 2009-01-13 13:35 4,096 --a------ c:\windows\System32\0ADBB.tmp
2009-01-13 06:34 . 2009-01-13 06:34 d-------- c:\program files\FileZilla FTP Client
2009-01-13 04:30 . 2009-01-13 04:30 4,096 --a------ c:\windows\System32\0FDCE.tmp
2009-01-13 03:48 . 2009-01-13 03:48 4,096 --a------ c:\windows\System32\0BF67.tmp
2009-01-12 16:30 . 2009-01-12 16:30 4,096 --a------ c:\windows\System32\0C782.tmp



Post by holits on Fri Feb 06, 2009 10:24 am

Part two of the same file:


.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 09:56 --------- d-----w c:\program files\Java
2009-02-06 09:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 23:24 --------- d-----w c:\users\MAKA\AppData\Roaming\Skype
2009-02-05 23:08 --------- d-----w c:\users\MAKA\AppData\Roaming\skypePM
2009-02-05 10:24 --------- d-----w c:\program files\Trend Micro
2009-02-04 16:32 --------- d-----w c:\programdata\Adaptive Server Anywhere 9
2009-02-04 10:27 --------- d-----w c:\users\MAKA\AppData\Roaming\FileZilla
2009-01-15 07:22 --------- d-----w c:\programdata\Microsoft Help
2008-12-28 16:08 --------- d-----w c:\users\MAKA\AppData\Roaming\Roxio
2008-12-27 14:19 --------- d-----w c:\program files\Xcarab
2008-12-26 18:00 --------- d-----w c:\users\MAKA\AppData\Roaming\U3
2008-12-16 19:05 --------- d-----w c:\programdata\Roxio
2008-12-10 16:41 --------- d-----w c:\programdata\Datacolor
2008-12-10 16:39 --------- d-----w c:\program files\Common Files\Datacolor
2008-12-10 16:36 --------- d-----w c:\program files\Common Files\Borland Shared
2008-12-10 16:35 --------- d-----w c:\program files\Datacolor
2008-12-10 14:57 --------- d-----w c:\program files\Sybase
2008-09-08 11:43 174 --sha-w c:\program files\desktop.ini
2008-12-17 22:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 22:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 22:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 22:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 22:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-01-19 07:34 169,822 --sha-r c:\windows\System32\kqdqpgy.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-04 19:14:55 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2009-02-06 14:38:26 2,484 ----a-w c:\windows\bthservsdp.dat
- 2009-02-04 19:16:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-06 14:40:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-04 19:16:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-06 14:40:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-04 19:19:06 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-04 19:19:06 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-06 14:44:20 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-04 19:16:51 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-06 14:41:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-04 19:16:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 14:41:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-04 19:16:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-06 14:41:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-09-19 13:44:04 15,664 ----a-w c:\windows\System32\drivers\GEARAspiWDM.sys
+ 2006-10-03 18:47:52 109,360 ----a-w c:\windows\System32\GEARAspi.dll
- 2007-10-19 13:59:53 135,168 ----a-w c:\windows\System32\java.exe
+ 2009-02-06 09:57:01 144,792 ----a-w c:\windows\System32\java.exe
- 2007-10-19 13:59:53 135,168 ----a-w c:\windows\System32\javaw.exe
+ 2009-02-06 09:57:01 144,792 ----a-w c:\windows\System32\javaw.exe
- 2007-10-19 13:59:53 139,264 ----a-w c:\windows\System32\javaws.exe
+ 2009-02-06 09:57:01 148,888 ----a-w c:\windows\System32\javaws.exe
- 2009-02-04 19:23:49 162,164 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-06 14:15:21 162,164 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-04 19:23:49 770,460 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-06 14:15:21 770,460 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-07 19:49:09 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-02-06 09:29:30 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-02-04 19:19:46 15,090 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-223047310-760144544-513043358-1003_UserData.bin
+ 2009-02-06 14:12:34 15,786 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-223047310-760144544-513043358-1003_UserData.bin
- 2009-02-04 19:19:44 100,006 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 14:12:29 101,292 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-04 16:35:18 73,584 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 14:12:26 74,866 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-01-26 12:11:57 413,416 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-05 22:22:16 415,622 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-01-17 04:13:21 164,313,215 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-06 09:24:19 164,315,546 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-06 09:24:12 65,536 ----a-w c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087\vcomp.dll
.

holits
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-02-05
OS OS : Windows
Points Points : 28630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Infected?

Post by holits on Fri Feb 06, 2009 10:24 am

third part


-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DBISQL9"="c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" [2007-02-26 139264]
"SybaseCentral43"="c:\program files\sybase\shared\Sybase Central 4.3\win32\scjview.exe" [2007-02-23 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 317128]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-20 404248]
"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-09-07 4162864]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-07 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-07 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-07 154136]
"AVKTray"="c:\program files\G DATA AntiVirus\AVKTray\AVKTray.exe" [2007-09-24 603720]

c:\users\MAKA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Natific M3K.lnk - c:\users\MAKA\AppData\Roaming\Microsoft\Installer\{095CC82D-8684-4215-BFBC-2267BBCF5B48}\_4AD5F2476D306C03243940.exe [2009-01-30 1150]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 719664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-09-01 192512]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-10-06 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 16:19 49152 c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"


Solved Re: Infected?

Post by holits on Fri Feb 06, 2009 10:25 am

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{89F4B4FC-A3F6-4727-815E-71F6691F603F}c:\\windows\\sminst\\scheduler.exe"= UDP:c:\windows\sminst\scheduler.exe:Scheduler
"UDP Query User{B0F12F74-20AA-4A41-9EA1-291FFA292D81}c:\\windows\\sminst\\scheduler.exe"= TCP:c:\windows\sminst\scheduler.exe:Scheduler
"{7FA58DDD-9E87-47E5-9CB4-4F59AEFF42AA}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AE5DE5D8-1F97-4F60-8B44-40FA5ED38D4E}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{45436D07-F2EA-422A-9C71-A0D57A0544C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD23F878-003B-43C4-801D-48DD76E18CD5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{11343961-8633-454E-BEE0-EC3FCD37DA64}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{408F45A1-05EA-478E-9839-2F1A5DAA13CE}c:\\windows\\system32\\mstsc.exe"= UDP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"UDP Query User{BC3558C1-D674-4F81-98DC-03EFB09843C3}c:\\windows\\system32\\mstsc.exe"= TCP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"TCP Query User{B542034E-DF6E-41A8-8AD4-26A8F1F8C10D}c:\\windows\\system32\\mstsc.exe"= UDP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"UDP Query User{50C6AEB7-EBAD-4744-A51E-73449B6E9BFC}c:\\windows\\system32\\mstsc.exe"= TCP:c:\windows\system32\mstsc.exe:Remote Desktop Connection
"TCP Query User{53829268-9440-4CC3-AACE-5640E2157D6F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ABB2EECD-0BF6-42D2-936A-78CC5F999B57}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{CB33E0E8-A844-4785-9F4E-9C3F3265A9C6}c:\\windows\\sminst\\scheduler.exe"= UDP:c:\windows\sminst\scheduler.exe:Scheduler
"UDP Query User{A757EE6F-2274-4773-89E5-6B3CBDCA2D39}c:\\windows\\sminst\\scheduler.exe"= TCP:c:\windows\sminst\scheduler.exe:Scheduler
"{5CE9522C-80EA-4AA0-8EFE-2D04EDD58AAF}"= UDP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{274F0483-BCCB-4075-9893-4497E48E42F8}"= TCP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{BA30D2F3-521A-4D9D-A329-C2D7B8BC1AED}"= UDP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{64AF8E38-311D-4849-B418-C487D58236A4}"= TCP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{4D6B543F-A12E-45C4-AF54-90659E5F6E3E}"= UDP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{E09E3055-C502-4ABD-8622-A50DE374D85E}"= TCP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{92923F84-1EDD-4DC0-8398-EFC32F3E65A7}"= UDP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"{D6B63CC8-6EBB-492D-B99C-CEF29FF11E2F}"= TCP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"TCP Query User{92F1A22B-B3C1-4EE3-89CA-9045BB0F86D0}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{A4845137-A872-4C6B-9B15-848812121AD1}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{2C0DA30A-9D63-4609-A0E5-83948CF0249C}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{F318CF33-6483-4940-8EFD-8DBC4D1AE064}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"TCP Query User{37715433-5051-4B6D-910F-B9AAA599372E}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"UDP Query User{E41D8C5C-831D-494C-AB05-87A418E5F507}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"TCP Query User{E4393286-17F1-4498-94BF-ADEB99E5904C}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= UDP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"UDP Query User{EC497345-9DAE-4AF3-85F8-579A83965F0F}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= TCP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"TCP Query User{9B8A2827-9D24-41EA-AB01-6F3F531717E7}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbeng9.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe:Adaptive Server Anywhere Database Engine
"UDP Query User{14784D08-70AC-4B6C-B438-788A61C3968F}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbeng9.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe:Adaptive Server Anywhere Database Engine
"TCP Query User{530BCA08-A744-4F96-BF1C-8926C959A419}c:\\program files\\juniper\\netscreen-remote\\vpn.exe"= UDP:c:\program files\juniper\netscreen-remote\vpn.exe:VPN Connection Manager
"UDP Query User{0ED508A9-FA7C-43A6-9DB3-A3B7A867A602}c:\\program files\\juniper\\netscreen-remote\\vpn.exe"= TCP:c:\program files\juniper\netscreen-remote\vpn.exe:VPN Connection Manager
"TCP Query User{CEEB3A62-CDF4-4504-B53F-3835B123E3D0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C650537A-44FA-48AD-A41C-1C9ED0554B24}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A29BC170-8E4B-46A1-B11C-D6522440F47E}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{86C9F9AE-3480-4449-A746-C7C2827BC1DD}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{FDA04A50-B175-4B85-B3B0-F319FAA9F5F7}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{51142281-D2E1-48F1-9DD5-CEEEB128C40E}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"TCP Query User{BD8924E9-7BF3-4A27-A811-538B9342B44E}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= UDP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"UDP Query User{72FB405B-45AE-4EDD-86A3-97900A05C206}c:\\program files\\sybase\\shared\\sybase central 4.3\\win32\\scjview.exe"= TCP:c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe:Sybase Central
"TCP Query User{A87DF5B8-D8C3-41AC-A968-0E08C26F9DDD}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= UDP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"UDP Query User{36344BC2-1F5C-4DFA-AF52-9ED57E4B25AF}c:\\program files\\sybase\\sql anywhere 9\\win32\\dbisqlg.exe"= TCP:c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe:Adaptive Server Anywhere ISQL
"{4BB6B342-231A-4F6C-9327-AC09164A0E4D}"= UDP:3707:yoske
"{392E9D53-9942-4386-83FC-1D6CAEAFA101}"= UDP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{53210BC1-61FE-43E0-8AF0-F04CAADCE3FF}"= TCP:c:\program files\Juniper\NetScreen-Remote\IreIKE.exe:IreIke
"{568A3679-D1A4-4942-8989-5E20641B05EB}"= UDP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{FB4C6859-C658-4E22-B749-322296AE7524}"= TCP:c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:ViewLog
"{AC6780A0-033A-4C1C-8409-F39E3642E13A}"= UDP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{37C9D1EA-0A5E-4D33-9C4C-270C894EA425}"= TCP:c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:CMonApp
"{F153C857-A8CB-4908-A276-409BEF991ADB}"= UDP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager
"{F518BEBF-C4BB-4FA2-978F-CEC8DA7CF334}"= TCP:c:\program files\Juniper\NetScreen-Remote\vpn.exe:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [2007-03-30 13696]
R1 gdwfpcd;G DATA WFP CD;c:\windows\System32\drivers\gdwfpcd32.sys [2009-02-06 39880]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\System32\drivers\IpSecDrv.sys [2008-10-06 138296]
R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [2007-04-27 5808]
R2 ASANYs_DatacolorASAService;Adaptive Server Anywhere - DatacolorASAService;c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe -hvASANYs_DatacolorASAService --> c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe -hvASANYs_DatacolorASAService [?]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2008-09-05 21504]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2008-09-05 21504]
R2 AVKProxy;G DATA AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2009-02-06 689736]
R2 AVKService;AVK Service;c:\program files\G DATA AntiVirus\AVK\AVKService.exe [2009-02-06 407376]
R2 AVKWCtl;AntiVirus Monitor;c:\program files\G DATA AntiVirus\AVK\AVKWCtl.exe [2009-02-06 1095240]
R2 Crypto;Crypto;c:\windows\System32\drivers\Crypto.sys [2008-10-06 536634]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\System32\drivers\GDTdiIcpt.sys [2009-02-06 41928]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
R2 natific_m3k;Natific M3K;c:\program files\Natific\Natific M3K\NatificM3KService.exe [2009-01-16 20480]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-10-19 540448]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-09-01 1489688]
R3 DniVapCo;Deterministic Networks CoWAN Miniport (Virtual);c:\windows\System32\drivers\vapco.sys [2008-10-01 27408]
R3 GDMnIcpt;GDMnIcpt;c:\windows\System32\drivers\MiniIcpt.sys [2009-02-06 47184]
R3 HookCentre;HookCentre;c:\windows\System32\drivers\HookCentre.sys [2009-02-06 32200]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\System32\drivers\scrswi.sys [2007-03-26 43904]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (#02);c:\windows\System32\drivers\SWNC8U02.sys [2007-03-12 102272]
R3 SWUMX02;HP hs2300 USB MUX Driver (#02);c:\windows\System32\drivers\swumx02.sys [2007-04-10 72576]
S2 ylxafcwu;System Installer;c:\windows\system32\svchost.exe -k netsvcs [2008-09-05 21504]
S3 DAMDrv;DAMDrv;c:\windows\System32\drivers\DAMDrv.sys [2007-04-23 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\System32\flcdlock.exe [2007-04-30 172131]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-12 33752]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
S4 Datacolor.DataSecurity;Datacolor DataSecurity Service;c:\program files\Datacolor\DataSecurityServiceSetup\Datacolor.DataSecurity.WindowsService.exe [2008-10-30 20480]
S4 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2007-01-05 18944]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylxafcwu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20401cb2-a337-11dd-a596-df351c8a7dce}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7457f28f-d1d3-11dd-b189-ec2de8747213}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
.
- - - - Orphaned registry entries removed - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0\bin\jusched.exe


Solved Re: Infected?

Post by holits on Fri Feb 06, 2009 10:26 am

last part of the log


.
------- Supplementary scan -------
.
uStart Page = about:blank
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: sharepointhosting.ch\natific
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\MAKA\AppData\Roaming\Mozilla\Firefox\Profiles\44h6bks2.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\components\AvkWebFilterFF.dll

---- FIREFOX policies ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-06 15:47:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'lsass.exe'(724)
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'Explorer.exe'(6100)
c:\program files\Hewlett-Packard\IAM\bin\ItClient.dll
c:\windows\system32\btmmhook.dll
c:\windows\ATL.DLL
.
------------------------ Other running processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Juniper\NetScreen-Remote\IreIKE.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Natific\Natific M3K\NatificColorTransmitterTrayApplication.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\System32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-06 15:56:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 14:56:38
ComboFix2.txt 2009-02-04 19:46:39

Pre-Run: 40'163'471'360 bytes free
Post-Run: 40,162,189,312 bytes free

459 --- E O F --- 2009-01-07 19:45:37


Solved Re: Infected?

Post by Belahzur on Fri Feb 06, 2009 12:20 pm

Hello.
Press Start > Run, type in cmd and press enter.
When the command prompt opens, type in del c:\windows\System32\*.tmp and press enter.

Run this script with Combofix.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\System32\kqdqpgy.dll

NetSvcs::
ylxafcwu

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

DDS::
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - [You must be registered and logged in to see this link.]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


Last edited by Belahzur on Sat Feb 07, 2009 8:42 am; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down
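The ComboFix output posted earlier in this thread (the registry autostart points, the service list, the mountpoints2 autorun entries) and the CFScript that Belahzur wrote from it are two halves of the same exercise: spot the entries that do not belong, then tell ComboFix to remove them. What follows is an added example, not code from this thread, from ComboFix or from GeekPolice. It is a small Python triage script that applies the three checks an analyst makes by eye on such a log: Security Center / UAC / firewall values flipped to the tampered state, a random-named service injected into the `netsvcs` svchost group, and a drive autorun that hides its payload under a `RECYCLER\<fake SID>` folder and feeds a non-DLL to rundll32 (that `jwgkvsq.vmx` entry is the textbook Conficker/Downadup USB autorun). The sample input is constructed from lines quoted in the thread with benign neighbours left in; the lowercase-name heuristic and the rundll32/RECYCLER rules are my own assumptions, not ComboFix's detection logic, and `to_cfscript` only emits the `KILLALL::`, `NetSvcs::` and `[-key]` `Registry::` forms that Belahzur's script actually uses.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread, with
# benign neighbours (Intel AMT, HP, the U3 USB launcher) kept so the rules must discriminate.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-09-01 1489688]
S2 ylxafcwu;System Installer;c:\windows\system32\svchost.exe -k netsvcs [2008-09-05 21504]
S4 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2007-01-05 18944]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20401cb2-a337-11dd-a596-df351c8a7dce}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
"""

# Values malware flips to blind the user: (key path fragment, value name, tampered value, meaning).
WEAKENED_SETTINGS = [
    ("policies\\system", "EnableLUA", 0, "UAC disabled"),
    ("security center", "UacDisableNotify", 1, "Security Center UAC warnings suppressed"),
    ("security center\\monitoring", "DisableMonitoring", 1, "Security Center AV/firewall monitoring off"),
    ("firewallpolicy", "EnableFirewall", 0, "Windows Firewall profile disabled"),
]

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)')
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>[^\s,]+)", re.I)

def check_setting(key, name, val):
    for fragment, value_name, bad, meaning in WEAKENED_SETTINGS:
        if fragment in key.lower() and name == value_name and val == bad:
            return {"kind": "setting", "where": name, "key": key, "detail": meaning}
    return None

def check_service(name, display, image):
    # Microsoft's netsvcs members have mixed-case names (BITS, Schedule, AeLookupSvc).
    # A lowercase letter-soup name hosted by "svchost.exe -k netsvcs" is a DLL service
    # injected into the group; this is a heuristic (my assumption), not a signature.
    if re.search(r"svchost\.exe\s+-k\s+netsvcs", image, re.I) and re.fullmatch(r"[a-z]{6,12}", name):
        return {"kind": "service", "where": name, "key": "",
                "detail": f"random-named netsvcs service '{display}' hosted by svchost"}
    return None

def check_autorun(key, cmd):
    # Two independent signals: a payload under RECYCLER\<fake SID> (real SIDs begin
    # with S-1-), and rundll32 being handed a module that is not a .dll at all.
    reasons = []
    if re.search(r"\\RECYCLER\\", cmd, re.I):
        reasons.append("payload hidden under a RECYCLER folder")
    for m in RUNDLL_RE.finditer(cmd):
        if not m.group("module").lower().endswith(".dll"):
            reasons.append(f"rundll32 loading non-DLL module {m.group('module')}")
    if reasons:
        return {"kind": "autorun", "where": key.rsplit("\\", 1)[-1], "key": key,
                "detail": "; ".join(reasons)}
    return None

def triage(log_text):
    """Walk the log once, remembering the current [key], and collect findings."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line, finding = raw.strip(), None
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group("key")
        elif m := VALUE_RE.match(line):
            finding = check_setting(current_key, m.group("name"), int(m.group("val"), 16))
        elif m := SERVICE_RE.match(line):
            finding = check_service(m.group("name"), m.group("display"), m.group("image"))
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in current_key.lower():
            finding = check_autorun(current_key, m.group("cmd"))
        if finding:
            findings.append(finding)
    return findings

def to_cfscript(findings):
    """Emit the CFScript sections the helper used in this thread: KILLALL::, NetSvcs::
    and the [-key] delete form of Registry::. Weakened settings are reported for manual
    follow-up instead of being written back blindly."""
    out = ["KILLALL::", ""]
    netsvcs = [f["where"] for f in findings if f["kind"] == "service"]
    keys = [f["key"] for f in findings if f["kind"] == "autorun"]
    if netsvcs:
        out += ["NetSvcs::", *netsvcs, ""]
    if keys:
        out += ["Registry::", *[f"[-{k}]" for k in keys], ""]
    return "\n".join(out)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:8} {f['where']:12} {f['detail']}")
    print(to_cfscript(found))
```

Run it on a real log by reading the file into `triage()` instead of `SAMPLE_LOG`. The U3 launcher autorun and the HP/Intel services pass through untouched, which is the point: the rules key on structural oddities (a fake SID, a non-DLL handed to rundll32, an all-lowercase netsvcs member) rather than on file names, so they still fire when the worm renames its payload. The DisableMonitoring / EnableLUA / EnableFirewall findings are deliberately not turned into registry writes, because on this machine it is not yet known whether a third-party product set some of them legitimately.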

Solved Re: Infected?

Post by holits on Fri Feb 06, 2009 12:58 pm

I can't delete all the temp files, not even in safe mode (I have admin rights)...

strange


Solved Re: Infected?

Post by Belahzur on Fri Feb 06, 2009 1:06 pm

Okay, we'll use another tool on them, just do the CFScript for now.





Solved Re: Infected?

Post by holits on Sat Feb 07, 2009 7:00 am

Thank you, what tool do you mean?


Solved Re: Infected?

Post by Belahzur on Sat Feb 07, 2009 8:43 am

This post:
[You must be registered and logged in to see this link.]

Copy all that is inside the text box into a notepad file, save it as CFScript.txt, and drag and drop onto Combofix.





Solved Re: Infected?

Post by holits on Sat Feb 07, 2009 1:34 pm

First of all thank you for helping me.

OK, I tried that; I still cannot access the antivirus pages or delete the tmp files.


Solved Re: Infected?

Post by Belahzur on Sat Feb 07, 2009 1:42 pm

I need to see the new log please.





Solved Re: Infected?

Post by Doctor Inferno on Sun Jul 05, 2009 11:12 pm

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104620
# Likes # Likes : 0

View user profile

Back to top Go down
